
Identity and Secrets

Use Azure-native identity wherever possible so workloads authenticate without long-lived secrets. AKS security maturity improves dramatically when you separate three concerns: who may access the cluster, what the cluster itself may do in Azure, and what each workload may do in Azure (cluster access, node identity, and workload identity).


flowchart TD
    A[Human Access] --> B[Microsoft Entra ID]
    C[Cluster] --> D[Managed Identity]
    E[Workload Pod] --> F[Workload Identity]
    F --> G[Azure Key Vault]
    D --> H[Azure Resources]

Identity layers

  • Cluster access: Microsoft Entra ID-backed authentication and Kubernetes RBAC.
  • Cluster identity: managed identity used by AKS to manage Azure resources.
  • Workload identity: pod-to-Azure-resource authentication without storing secrets in Kubernetes.

Secret handling guidance

  • Prefer workload identity plus Key Vault over static Kubernetes Secrets when possible.
  • Use the Secrets Store CSI Driver for mounted secret material that must appear as files.
  • Keep Kubernetes Secrets only for data that must stay Kubernetes-native and protect them with RBAC and etcd encryption controls.

Example commands

az aks update --resource-group $RG --name $CLUSTER_NAME --enable-oidc-issuer --enable-workload-identity
az aks get-credentials --resource-group $RG --name $CLUSTER_NAME --overwrite-existing
kubectl get serviceaccount -A
kubectl get secret -A
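An added audit script (not from this page or from AKS tooling) that consumes the JSON form of the last two commands above (`kubectl get serviceaccount -A -o json` and `kubectl get secret -A -o json`) and reports where workloads still depend on static secrets instead of workload identity. The `azure.workload.identity/client-id` annotation is the real one AKS workload identity uses; the credential key names, the hypothetical namespaces and the sample objects are constructed for illustration.

```python
import json
from typing import Dict, List

# Annotation AKS workload identity expects on a ServiceAccount (real annotation key).
WI_CLIENT_ID = "azure.workload.identity/client-id"
# Key names that suggest a static Azure credential was stored in a Kubernetes Secret.
# Heuristic list chosen for this example, not an official AKS rule.
STATIC_CRED_KEYS = {"AZURE_CLIENT_SECRET", "clientSecret", "client-secret"}


def load(path: str) -> Dict:
    """Load the output of `kubectl get <kind> -A -o json` from a file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit(serviceaccounts: Dict, secrets: Dict) -> List[str]:
    """Return one finding per line: ServiceAccounts without workload identity and
    Secrets that carry long-lived tokens or static Azure credentials."""
    findings: List[str] = []
    for sa in serviceaccounts["items"]:
        meta = sa["metadata"]
        if meta["name"] == "default":
            continue  # the built-in default ServiceAccount is not a workload identity candidate
        annotations = meta.get("annotations") or {}
        if WI_CLIENT_ID not in annotations:
            findings.append(f"serviceaccount {meta['namespace']}/{meta['name']}: "
                            f"no {WI_CLIENT_ID} annotation (not using workload identity)")
    for sec in secrets["items"]:
        meta = sec["metadata"]
        name = f"{meta['namespace']}/{meta['name']}"
        keys = set((sec.get("data") or {}).keys())
        if sec.get("type") == "kubernetes.io/service-account-token":
            findings.append(f"secret {name}: long-lived service account token")
        elif keys & STATIC_CRED_KEYS:
            findings.append(f"secret {name}: static Azure credential keys {sorted(keys & STATIC_CRED_KEYS)}")
    return findings


# Constructed sample objects standing in for real kubectl output (values are placeholders).
SAMPLE_SA = {"items": [
    {"metadata": {"namespace": "payments", "name": "api",
                  "annotations": {WI_CLIENT_ID: "00000000-0000-0000-0000-000000000000"}}},
    {"metadata": {"namespace": "reports", "name": "worker"}},
    {"metadata": {"namespace": "reports", "name": "default"}},
]}
SAMPLE_SECRETS = {"items": [
    {"metadata": {"namespace": "reports", "name": "sp-creds"}, "type": "Opaque",
     "data": {"AZURE_CLIENT_ID": "...", "AZURE_CLIENT_SECRET": "..."}},
    {"metadata": {"namespace": "reports", "name": "worker-token"},
     "type": "kubernetes.io/service-account-token", "data": {"token": "..."}},
    {"metadata": {"namespace": "payments", "name": "tls"}, "type": "kubernetes.io/tls",
     "data": {"tls.crt": "...", "tls.key": "..."}},
]}

if __name__ == "__main__":
    for line in audit(SAMPLE_SA, SAMPLE_SECRETS):
        print(line)
```

Against a live cluster, pass `load("sa.json")` and `load("secrets.json")` saved from the two kubectl commands; the `payments` namespace in the sample is the clean pattern, `reports` shows what the page advises against.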
