Azure · bcho · Nov 7, 2025 · Nov 7, 2025 · Nov 10, 2025 · Dec 3, 2025
@@ -0,0 +1,80 @@
+# Identity Binding Example
+
+This example demonstrates how to use the Identity Binding feature in an AKS cluster.
+
+## Prerequisites
+
+- Please ensure you have the latest preview version of Azure CLI installed. You can follow the instructions [here](https://learn.microsoft.com/cli/azure/aks/extension?view=azure-cli-latest).
+- Ensure your subscription has the `Microsoft.ContainerService/IdentityBinding` feature flag enabled.
+- Ensure your cluster is enabled with [AKS Workload Identity](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster) feature.
+
+
+> [!NOTE]
+> Identity Binding requires preview version of AKS workload identity webhook. Please confirm the following output from the command:
+>
+> ```bash
+> kubectl -n kube-system get pods -l azure-workload-identity.io/system=true -o yaml | grep v1.6.0
+> image: mcr.microsoft.com/oss/v2/azure/workload-identity/webhook:v1.6.0-alpha.1
+> ```
+>
+> Seeing `v1.6.0-alpha.1` in the image tag confirms that the preview version of webhook is installed.
+
+## Steps
+
+The following steps assume you have already created an AKS cluster `<cluster-name>` and managed identity `<mi-name>` under resource group `<rg-name>` and subscription `<subscription-id>`.
+
+We will reference the client id of the managed identity with `<mi-client-id>` in the following steps.
+
+### 1. Create identity binding resource
+
+
+```bash
+az aks identity-binding create \
+    --resource-group <rg-name> \
+    --cluster-name <cluster-name> \
+    --name my-first-ib \
+    --managed-identity-resource-id /subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<mi-name>
+```
+
+> [!NOTE]
+> Successful creation of identity binding resource will result in a federated managed identity credential being created in the managed identity with name `aks-identity-binding`. This federated managed identity credential is required by identity binding feature to work.
+
+### 2. Configure in-cluster access via ClusterRole and ClusterRoleBinding
+
+The identity binding feature uses Kubernetes RBAC to control which pods can access which managed identities via a cluster role with the verb `use-managed-identity`. In this step, we will create a cluster role and cluster role binding to grant the `default` service account in the `default` namespace permission to access the managed identity created in the previous step.
+
+Before deploying the `cluster-role-and-cluster-role-binding.yaml`, please make sure to replace the `<mi-client-id>` placeholder in the file with the actual client ID of the managed identity.
+
+```bash
+kubectl apply -f cluster-role-and-cluster-role-binding.yaml
+clusterrole.rbac.authorization.k8s.io/my-first-ib-cr created
+clusterrolebinding.rbac.authorization.k8s.io/my-first-ib-crb created
+```
+
+### 3. Deploy sample application Pod
+
+Following the same step from the [Azure workload identity documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#grant-permissions-to-access-azure-key-vault), we will deploy a sample pod that uses the managed identity to access a secret from an Azure Key Vault.
+Please make sure to replace the `<your-keyvault-name>` and `REPLACE_WITH_SECRET_NAME` placeholders in the `pod.yaml` file with your actual Key Vault name and secret name.
+
+```bash
+kubectl apply -f pod.yaml
+pod/my-first-ib-pod created
+```
+
+> [!NOTE]
+> Compared with the original workload identity example, the following highlights the differences when using the identity binding feature:
+> ```diff
+> kind: Pod
+> metadata:
+>   labels:
+>     azure.workload.identity/use: "true"
+> + annotations:
+> +   azure.workload.identity/use-identity-binding: "true"
+> ```
+
+### 4. Verify the sample application Pod
+
+```bash
+kubectl logs my-first-ib-pod
+I1107 20:03:42.865180       1 main.go:77] "successfully got secret" secret="Hello!"
+```
@@ -0,0 +1,22 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: my-first-ib-cr
+rules:
+  - verbs: ["use-managed-identity"]
+    apiGroups: ["cid.wi.aks.azure.com"]
+    resources: ["<mi-client-id>"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: my-first-ib-crb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: my-first-ib-cr
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: default
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: my-first-ib-pod
+  namespace: default
+  labels:
+    azure.workload.identity/use: "true"
+  annotations:
+    azure.workload.identity/use-identity-binding: "true"
+spec:
+  serviceAccount: default
+  containers:
+    - name: azure-sdk
+      # source code: https://github.com/Azure/azure-workload-identity/blob/feature/custom-token-endpoint/examples/identitybinding-msal-go/main.go
+      image: ghcr.io/bahe-msft/azure-workload-identity/identitybinding-msal-go@sha256:d8a262e2aed015790335650f1d1221cbf9270ee209993337e4c6055b39dd00ae
+      env:
+        - name: KEYVAULT_URL
+          # Replace YOUR_KEYVAULT_NAME with your actual Azure Key Vault name
+          value: https://YOUR_KEYVAULT_NAME.vault.azure.net/
+        - name: SECRET_NAME
+          # Replace with the name of your Key Vault secret
+          value: REPLACE_WITH_SECRET_NAME
+  restartPolicy: Never