brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f6c023b3fb063161fcf636cddfdd482219cb7fcf
oam/knowledge base/azure/kubelogin.md

2.6 KiB
Raw Blame History

Azure Kubelogin

Client-go credential (exec) plugin for kubectl 1.11+ implementing Azure authentication.

Table of contents

  1. TL;DR
  2. Further readings

TL;DR

# Installation.
brew install 'Azure/kubelogin/kubelogin'


# Leverage the already logged-in context used by Azure CLI.
# The token will be issued in the same Azure AD tenant as in `az login` and be
# managed by the Azure CLI.
kubelogin convert-kubeconfig -l 'azurecli'


# Use service principals to login.
# The token will **not** be cached on the filesystem.
# Only works with managed AAD.
# The service principal can be member of up to 200 AAD groups.

# Provide password-based credentials via command flags.
kubelogin convert-kubeconfig -l 'spn' \
  --client-id 'spn_client_id' --client-secret 'spn_client_secret'

# Provide password-based credentials via environment variables.
kubelogin convert-kubeconfig -l 'spn' && export \
  AAD_SERVICE_PRINCIPAL_CLIENT_ID='spn_client_id' \
  AAD_SERVICE_PRINCIPAL_CLIENT_SECRET='spn secret'
kubelogin convert-kubeconfig -l 'spn' && export \
  AZURE_CLIENT_ID='spn_client_id' AZURE_CLIENT_SECRET='spn secret'

# Provide pfx client certificate-based credentials via environment variables.
kubelogin convert-kubeconfig -l 'spn' && export \
  AAD_SERVICE_PRINCIPAL_CLIENT_ID='spn_client_id' \
  AAD_SERVICE_PRINCIPAL_CLIENT_CERTIFICATE='path/to/cert.pfx' \
  AAD_SERVICE_PRINCIPAL_CLIENT_CERTIFICATE_PASSWORD='pfx_password'
kubelogin convert-kubeconfig -l 'spn' && export \
  AZURE_CLIENT_ID='spn_client_id' \
  AZURE_CLIENT_CERTIFICATE_PATH='path/to/cert.pfx' \
  AZURE_CLIENT_CERTIFICATE_PASSWORD='pfx_password'


# Use managed identities to login.
# The token will **not** be cached on the filesystem.
kubelogin convert-kubeconfig -l 'msi'
kubelogin convert-kubeconfig -l 'msi' --client-id 'msi_client_id'


# Use workload identities to login.
# The token will **not** be cached on the filesystem.
export \
  AZURE_CLIENT_ID='applicationId_federated_with_workload_identity' \
  AZURE_TENANT_ID='tenantId' \
  AZURE_FEDERATED_TOKEN_FILE='file_containing_the_signed_assertion_of_workload_identity' \
  AZURE_AUTHORITY_HOST='base_url_of_an_azure_active_directory_authority' \
&& kubelogin convert-kubeconfig -l 'workloadidentity'


# Remove cached tokens.
kubelogin remove-tokens

Further readings