Secure Deployment to Azure AKS Using Managed Identity

Overview

This guide explains how to set up GitHub Actions for deployment to Azure Kubernetes Service (AKS) using Managed Identity and Federated Credentials, which eliminates the need for storing long-lived secrets. This approach enhances security by leveraging short-lived tokens instead of storing credentials in GitHub Secrets.

In some environments, access to Azure AD (Entra ID) may not be available, as was the case in our project. It is still possible to configure secure authentication with Managed Identity and Federated Credentials, because the federated credential is configured on the managed identity resource itself rather than on an Entra ID app registration, so no direct Entra ID access is required.

Steps

1. Create a user-assigned managed identity

  1. Go to Azure Portal → Managed Identities.
  2. Create a new User-Assigned Managed Identity.
  3. Assign the necessary Azure RBAC roles (e.g., Azure Kubernetes Service RBAC Writer, Azure Kubernetes Service Writer, or AKS Cluster Admin if broader access is required).

2. Configure federated credentials for GitHub Actions

  1. Open the Managed Identity in Azure.
  2. Navigate to Federated credentials and click Add credential.
  3. Select GitHub Actions as the scenario.
  4. Configure the credential with:
    a. Repository: org/repository-name
    b. Branch: main (or any relevant branch)
    c. Subject identifier format: repo:<ORG>/<REPO>:ref:refs/heads/<BRANCH>
  5. Save the configuration.

3. Update GitHub Actions Workflow

Modify the GitHub Actions workflow (.github/workflows/deploy.yaml) to authenticate through Managed Identity:

name: Deploy to AKS

on:
  push:
    branches:
      - main

# Required for federated (OIDC) login: the job must be allowed to request an
# ID token. Without id-token: write, azure/login cannot obtain the GitHub
# token that the federated credential trusts, and the login step fails.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Exchanges the workflow's short-lived GitHub OIDC token for an Azure
      # access token; no client secret is involved.
      - name: Azure login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZ_CLIENT_ID }}
          tenant-id: ${{ secrets.AZ_TENANT_ID }}
          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}

      # Writes a kubeconfig for the cluster using the identity obtained above.
      - name: Set AKS context
        uses: azure/aks-set-context@v4
        with:
          resource-group: ${{ secrets.AZ_RESOURCE_GROUP }}
          cluster-name: ${{ secrets.AZ_CLUSTER_NAME }}

4. Add secrets to GitHub

  • Configuring secrets: In the repository, go to Settings → Secrets and variables → Actions and add:
    AZ_CLIENT_ID (from Managed Identity)
    AZ_TENANT_ID
    AZ_SUBSCRIPTION_ID
    AZ_RESOURCE_GROUP
    AZ_CLUSTER_NAME

  None of these values is a credential: they are identifiers that tell azure/login which identity to request a token for, and the federated credential from step 2 is what authorizes the exchange, so no long-lived secret is stored in GitHub.
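The trust set up in step 2 works only because Azure matches the issuer, audience and subject of the workflow's OIDC token against the federated credential exactly; a credential scoped to main is therefore useless to a run from another branch or a pull request. The following is an added example, not code from the guide or from Azure: it models that matching, with the GitHub subject formats for branch, tag, environment and pull_request triggers, over constructed sample claims (org acme and repo shop are placeholders).

```python
# Added example: models how Azure matches a GitHub Actions OIDC token against
# a federated credential on a managed identity. Issuer, audience and subject
# must match exactly; there are no wildcards.

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"   # audience azure/login requests


def github_subject(org: str, repo: str, *, branch=None, tag=None,
                   environment=None, pull_request=False) -> str:
    """Build the `sub` claim GitHub puts in a workflow's OIDC token."""
    base = f"repo:{org}/{repo}"
    if environment:          # jobs that declare `environment: <name>`
        return f"{base}:environment:{environment}"
    if pull_request:         # any pull_request-triggered run
        return f"{base}:pull_request"
    if tag:
        return f"{base}:ref:refs/tags/{tag}"
    if branch:
        return f"{base}:ref:refs/heads/{branch}"
    raise ValueError("need branch, tag, environment or pull_request")


def federated_credential(org: str, repo: str, branch: str) -> dict:
    """The credential step 2 of the guide creates, scoped to one branch."""
    return {"issuer": GITHUB_ISSUER,
            "subject": github_subject(org, repo, branch=branch),
            "audiences": [AZURE_AUDIENCE]}


def token_accepted(claims: dict, cred: dict) -> bool:
    """Exact-match check applied before an Azure access token is issued."""
    return (claims.get("iss") == cred["issuer"]
            and claims.get("sub") == cred["subject"]
            and claims.get("aud") in cred["audiences"])


# Constructed sample claims (placeholder org/repo), as a run on main and a run
# from a feature branch would present them; real tokens carry more claims.
MAIN_RUN = {"iss": GITHUB_ISSUER, "aud": AZURE_AUDIENCE,
            "sub": "repo:acme/shop:ref:refs/heads/main"}
FEATURE_RUN = {"iss": GITHUB_ISSUER, "aud": AZURE_AUDIENCE,
               "sub": "repo:acme/shop:ref:refs/heads/feature/x"}

if __name__ == "__main__":
    cred = federated_credential("acme", "shop", "main")
    print("main run accepted:", token_accepted(MAIN_RUN, cred))        # True
    print("feature run accepted:", token_accepted(FEATURE_RUN, cred))  # False
```

Use github_subject with the trigger your workflow actually runs on (for example environment= for jobs that declare an environment) when filling in the subject identifier in step 2, since a mismatch shows up only as a failed Azure login.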

Conclusion

Adopting Managed Identity with Federated Credentials for your GitHub Actions pipeline enables secure, seamless deployments to Azure AKS, eliminating the need for long-lived secrets and significantly reducing your security risks. This modern approach not only streamlines your CI/CD process but also ensures your infrastructure remains robust and compliant.


💡 If you're ready to take your cloud infrastructure to the next level—optimizing for security, efficiency, and scalability—consider partnering with experts who specialize in these solutions. Explore Mad Devs' cloud infrastructure optimization services to discover how you can maximize performance, reduce costs, and future-proof your operations with tailored strategies and hands-on support from certified professionals. Let's build a more secure and efficient cloud environment together.