The identity binding feature allows users to map an Entra user-assigned managed identity to any number of cluster or subject (namespace, service account) combinations, addressing the current limit of 20 federated identity credentials (FICs) per identity. For each binding, the user provides the cluster ARM ID, which specifies on which cluster the managed identity is usable via workload identity. They then create a ClusterRole and ClusterRoleBinding within the cluster specifying the service accounts that are allowed to use the managed identity.
Tentative UX:
- Cluster operator creates the identity binding resource

```shell
az aks identity-binding create \
  --name <binding-name> \
  --resource-group <group-name> \
  --managed-identity-resource-id <identity-resource-id> \
  --cluster-name <cluster name>
```
This step sets up an issuer for each identity binding, and the output of the command surfaces the identity binding issuer needed for step 3. AKS maintains one unique identity binding issuer per managed identity, so if an identity binding is created for the same managed identity on a different cluster, the same issuer is reused. This allows the same issuer value in the FIC (from step 3) to be used across multiple clusters.
- User creates a cluster role and cluster role binding identifying the namespace and service account that can use the managed identity

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: allow-clientid-1
rules:
  - verbs: ["use-managed-identity"]
    apiGroups: ["cid.wi.aks.azure.com"]
    resources: ["<client-id-1>"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: allow-clientid-1-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: allow-clientid-1
subjects:
  - kind: ServiceAccount
    name: mysa
    namespace: ns
```

- User creates the FIC mapping the managed identity and identity binding.
```shell
az identity federated-credential create \
  --name "${FEDERATED_IDENTITY_CREDENTIAL_NAME}" \
  --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" \
  --resource-group "${RESOURCE_GROUP}" \
  --issuer "<identity_binding_issuer>" \
  --subject "<ARM-ID-managed-identity>" \
  --audience api://AzureADTokenExchange
```
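Of the three steps, the ClusterRole/ClusterRoleBinding pair is the one a cluster operator controls day to day, and it is what decides which service accounts can exchange their tokens for a given managed identity. The script below is an added example, not part of this issue or of the AKS tooling: it resolves the effective "who may use which client ID" map from RBAC objects and flags grants a reviewer should question (a wildcard client ID, or a non-ServiceAccount subject such as a Group). It assumes the RBAC convention exactly as shown above (verb `use-managed-identity`, apiGroup `cid.wi.aks.azure.com`, resource name = client ID) and expects input in the shape of `kubectl get clusterroles,clusterrolebindings -o json`; the embedded sample is constructed, and its client ID value is a placeholder.

```python
import json
import sys

API_GROUP = "cid.wi.aks.azure.com"  # apiGroup used by the identity-binding ClusterRole
VERB = "use-managed-identity"       # verb that gates use of a managed identity
WILDCARD = "*"

# Constructed sample in the shape of
#   kubectl get clusterroles,clusterrolebindings -o json
# The first pair mirrors the issue's manifest (client ID is a made-up placeholder);
# the second pair is a deliberately over-broad grant to show what the audit flags.
SAMPLE = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "allow-clientid-1"},
         "rules": [{"verbs": [VERB], "apiGroups": [API_GROUP],
                    "resources": ["11111111-1111-1111-1111-111111111111"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "allow-clientid-1-binding"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                     "name": "allow-clientid-1"},
         "subjects": [{"kind": "ServiceAccount", "name": "mysa", "namespace": "ns"}]},
        {"kind": "ClusterRole", "metadata": {"name": "allow-any-identity"},
         "rules": [{"verbs": [WILDCARD], "apiGroups": [API_GROUP], "resources": [WILDCARD]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "allow-any-identity-binding"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                     "name": "allow-any-identity"},
         "subjects": [{"kind": "Group", "name": "system:authenticated",
                       "apiGroup": "rbac.authorization.k8s.io"}]},
    ],
}


def role_identity_grants(role):
    """Client IDs (or "*") that a ClusterRole lets its subjects use.

    A rule counts when it carries the use-managed-identity verb (or "*") for the
    identity apiGroup (or "*"); its resources list then names the client IDs.
    """
    granted = set()
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        groups = set(rule.get("apiGroups", []))
        if not verbs & {VERB, WILDCARD} or not groups & {API_GROUP, WILDCARD}:
            continue
        granted.update(rule.get("resources", []))
    return granted


def effective_grants(doc):
    """Resolve ClusterRoleBindings into a map subject -> set of usable client IDs.

    The subject key is (kind, namespace, name); namespace is "" for Users and
    Groups. Only ClusterRoleBindings are resolved: the identity resources are
    cluster-scoped, so a namespaced RoleBinding would not grant them.
    """
    items = doc.get("items", [])
    roles = {i["metadata"]["name"]: i for i in items if i.get("kind") == "ClusterRole"}
    grants = {}
    for binding in (i for i in items if i.get("kind") == "ClusterRoleBinding"):
        ref = binding.get("roleRef", {})
        role = roles.get(ref.get("name")) if ref.get("kind") == "ClusterRole" else None
        ids = role_identity_grants(role) if role else set()
        if not ids:
            continue
        for subj in binding.get("subjects", []):
            key = (subj.get("kind"), subj.get("namespace", ""), subj.get("name"))
            grants.setdefault(key, set()).update(ids)
    return grants


def findings(grants):
    """Flag grants worth a second look: wildcard client IDs, and subjects that
    are not a specific ServiceAccount (a Group such as system:authenticated
    would extend the identity to every authenticated principal)."""
    out = []
    for (kind, ns, name), ids in sorted(grants.items()):
        who = f"{kind} {ns + '/' if ns else ''}{name}"
        if WILDCARD in ids:
            out.append(f"{who}: wildcard grant covers every managed identity")
        if kind != "ServiceAccount":
            out.append(f"{who}: identity use granted to a non-ServiceAccount subject")
    return out


def audit(doc):
    """Return (effective grants, list of findings) for one kubectl JSON List."""
    grants = effective_grants(doc)
    return grants, findings(grants)


def main():
    # Pipe `kubectl get clusterroles,clusterrolebindings -o json` in, or run
    # with no stdin to audit the constructed sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    grants, issues = audit(doc)
    for (kind, ns, name), ids in sorted(grants.items()):
        print(f"{kind} {ns}/{name} -> {sorted(ids)}")
    for issue in issues:
        print("FINDING:", issue)


if __name__ == "__main__":
    main()
```

Run it against a live cluster with `kubectl get clusterroles,clusterrolebindings -o json | python3 audit_identity_rbac.py`; the expected steady state is one line per service account listing exactly the client IDs it is meant to use, and no findings.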
Tentative ETA for preview: June 2025