AKS Trusted Access Overview And Setup
Learn how to set up Trusted Access on Azure to securely manage permissions and streamline identity access across cloud resources.
Many Azure cloud services that integrate with Azure Kubernetes Service (AKS) require access to the Kubernetes API server. Instead of granting admin privileges to those services or relying on identities that hold Microsoft Entra ID permissions, the Trusted Access feature can use a system-assigned managed identity to authenticate the managed services and applications that we want to use with the AKS cluster.
Trusted Access addresses the following cases:
- When authorized IP ranges are configured on the cluster (Azure services then cannot reach the Kubernetes API without a private endpoint)
- Private cluster setups
- When we want to follow least-privilege best practices
- Microsoft Entra ID-integrated clusters with local accounts turned off
The mechanism that grants specific permissions to a system-assigned identity is called a Trusted Access role binding. A role binding lets the identity access AKS resources by linking it to roles within the cluster.
Let's perform an audit (using Azure CLI) of Trusted Access to check whether any role bindings exist.
- Get the account list and filter the subscription IDs
az account list --query '[*].id'
This command should return the subscription IDs:
[
  "ahjftros-38293-sjcd-3233-kklidhvbnndyrt",
  "ssdftttw-8643-sjcd-3441-kklidhvbnndyrt"
]
- Set the subscription that we want to examine
az account set --subscription ssdftttw-8643-sjcd-3441-kklidhvbnndyrt
- Get the cluster name and associated resource group for each AKS cluster in the selected subscription
az aks list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
The command should return the AKS cluster names:
Name                     ResourceGroup
-----------------------  ------------------------
aks-test-cluster         aks-test-rg-northeurope
................         ........................
- Get the role binding list
az aks trustedaccess rolebinding list --cluster-name aks-test-cluster --resource-group aks-test-rg-northeurope
The command should return the list of Trusted Access role bindings configured for the cluster. If an empty array ([]) is returned, no Trusted Access role bindings are configured for the cluster.
Enabling and configuring the Trusted Access feature for AKS
To implement Trusted Access, AKS clusters must use system-assigned managed identities.
- Get the account list and filter the subscription IDs
az account list --query '[*].id'
This command should return the subscription IDs:
[
  "ahjftros-38293-sjcd-3233-kklidhvbnndyrt",
  "ssdftttw-8643-sjcd-3441-kklidhvbnndyrt"
]
- Set the subscription
az account set --subscription ssdftttw-8643-sjcd-3441-kklidhvbnndyrt
- Get the Trusted Access role list to identify the correct roles to configure
az aks trustedaccess role list --location northeurope
The command should return the list of roles supported by Trusted Access (only a few roles are shown below as an example).
[
  {
    "name": "mlworkload",
    "rules": [
      {
        "apiGroups": [ "" ],
        "nonResourceUrLs": null,
        "resourceNames": null,
        "resources": [ "services", "services/proxy" ],
        "verbs": [ "create", "get", "list", "patch", "update", "delete" ]
      }
    ],
    "sourceResourceType": "Microsoft.MachineLearningServices/workspaces"
  },
  {
    "name": "backup-operator",
    "rules": [
      {
        "apiGroups": [ "clusterbackup.dataprotection.microsoft.com" ],
        "nonResourceUrLs": null,
        "resourceNames": null,
        "resources": [ "backups", "validateforbackups", "restores", "validateforrestores", "deletebackups" ],
        "verbs": [ "get", "list", "watch", "create", "update", "patch", "delete" ]
      },
      {
        "apiGroups": [ "" ],
        "nonResourceUrLs": null,
        "resourceNames": null,
        "resources": [ "configmaps" ],
        "verbs": [ "create", "get", "list", "patch", "update", "delete" ]
      }
    ]
  }
]
- Create the role binding
The role that we select depends on the Azure service that we want to grant access to the AKS cluster. Once the role is identified, we can create a Trusted Access role binding for the AKS cluster.
az aks trustedaccess rolebinding create --cluster-name <cluster-name> --name <binding-name> --resource-group <resource-group> --roles <roles> --source-resource-id <source-resource-id>
Example:
az aks trustedaccess rolebinding create --cluster-name aks-test-cluster --name test-role-binding --resource-group aks-test-rg-northeurope --roles Microsoft.MachineLearningServices/workspaces/mlworkload --source-resource-id /subscriptions/0000/resourceGroups/myResourceGroup/providers/Microsoft.Demo/samples
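To see what a binding actually grants before running the create command above, and to review the bindings found by the audit in the first procedure, here is an added Python helper that is not part of the original post or of Azure CLI: it reads the role-list JSON, resolves each `--roles` value to the Kubernetes permissions it carries, and flags roles that are not in the supported list or whose sourceResourceType does not match the `--source-resource-id`. The role list is a constructed sample modelled on the output above; backup-operator's sourceResourceType and the check that it must match the source resource's provider type are assumptions.

```python
import json

# Constructed sample shaped like `az aks trustedaccess role list` output.
# mlworkload is copied from the listing above; backup-operator's
# sourceResourceType is an assumption (the listing above truncates it).
ROLE_LIST_JSON = """[
  {"name": "mlworkload",
   "rules": [{"apiGroups": [""], "resources": ["services", "services/proxy"],
              "verbs": ["create", "get", "list", "patch", "update", "delete"]}],
   "sourceResourceType": "Microsoft.MachineLearningServices/workspaces"},
  {"name": "backup-operator",
   "rules": [{"apiGroups": ["clusterbackup.dataprotection.microsoft.com"],
              "resources": ["backups", "restores", "deletebackups"],
              "verbs": ["get", "list", "watch", "create", "delete"]},
             {"apiGroups": [""], "resources": ["configmaps"],
              "verbs": ["create", "get", "list", "patch", "update", "delete"]}],
   "sourceResourceType": "Microsoft.DataProtection/backupVaults"}
]"""


def load_roles(role_list_json):
    """Index roles by the full name used in --roles: <sourceResourceType>/<name>."""
    return {f"{r['sourceResourceType']}/{r['name']}": r
            for r in json.loads(role_list_json)}


def effective_permissions(role):
    """Flatten a role's rules into (apiGroup, resource, verb) triples;
    the empty apiGroup is the Kubernetes core group."""
    return {(group or "core", resource, verb)
            for rule in role["rules"]
            for group in rule["apiGroups"]
            for resource in rule["resources"]
            for verb in rule["verbs"]}


def check_binding(binding_roles, source_resource_id, roles):
    """Review the roles of a planned or existing role binding: unsupported
    roles, roles whose sourceResourceType is not the provider/type in the
    source resource id, and the total Kubernetes permissions granted."""
    report = {"unknown": [], "type_mismatch": [], "permissions": set()}
    for full_name in binding_roles:
        role = roles.get(full_name)
        if role is None:
            report["unknown"].append(full_name)
            continue
        # Azure resource ids are case-insensitive, so compare lowercased.
        expected = f"/providers/{role['sourceResourceType']}/".lower()
        if expected not in source_resource_id.lower():
            report["type_mismatch"].append(full_name)
        report["permissions"] |= effective_permissions(role)
    return report
```

Feed it the real `az aks trustedaccess role list` output and the `roles` and `sourceResourceId` fields of each binding from `az aks trustedaccess rolebinding list` to get the same report for a live cluster.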
A few Azure CLI commands that might be useful while working with the Trusted Access feature:
- List all the Trusted Access role bindings
az aks trustedaccess rolebinding list --cluster-name <cluster-name> --resource-group <resource-group>
- Get a role binding by binding name
az aks trustedaccess rolebinding show --cluster-name <cluster-name> --name <binding-name> --resource-group <resource-group>
- Delete a Trusted Access role binding by name
az aks trustedaccess rolebinding delete --cluster-name <cluster-name> --name <binding-name> --resource-group <resource-group> [--yes] # optional, skips the confirmation prompt
- Update a Trusted Access role binding by name
az aks trustedaccess rolebinding update --cluster-name <cluster-name> --name <binding-name> --resource-group <resource-group> --roles <roles>