
Eliminate the Secret Rotation Grind with Entra Workload ID in AKS

Azure Kubernetes Service (AKS) has become a popular way to deploy and manage containerized applications in the cloud. One persistent challenge with containerized workloads is giving each of them an identity it can use to authenticate to Azure services, and managing the associated permissions at scale, without scattering long-lived secrets across the cluster. Microsoft Entra Workload ID in AKS is a straightforward solution to this problem.

What is Entra Workload Identity and How Does it Work?

Entra Workload Identity lets a pod authenticate to Microsoft Entra ID (formerly Azure Active Directory) as an Azure identity without holding a secret. Instead of creating a service principal, generating a password or certificate for it, and storing that credential in a Kubernetes Secret, you bind a Kubernetes service account to an Entra identity (usually a user-assigned managed identity, although an app registration also works) through OpenID Connect federation. Every pod that runs under that service account can then obtain tokens for that identity.

That identity is granted Azure RBAC access to the services the workload needs, such as Key Vault, Storage or Cosmos DB, and the pod never stores a secret of its own. What the pod does hold is a short-lived Kubernetes service account token, projected into the container by the kubelet and refreshed before it expires; the pod exchanges it for an Entra access token, which is itself short-lived. There is no long-lived credential to expire or roll over.

Under the hood, three pieces work together. First, AKS publishes an OpenID Connect issuer endpoint for the cluster, so Entra can fetch the cluster's public signing keys and verify service account tokens. Second, a federated identity credential on the managed identity tells Entra to accept tokens from that issuer whose subject is system:serviceaccount:<namespace>:<service-account> and whose audience is api://AzureADTokenExchange. Third, a mutating admission webhook in the cluster watches for pods labelled azure.workload.identity/use: "true" whose service account carries the azure.workload.identity/client-id annotation, mounts the projected service account token at the path named by AZURE_FEDERATED_TOKEN_FILE, and injects AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_AUTHORITY_HOST into the container. The Azure Identity SDKs (WorkloadIdentityCredential) read those variables and perform the token exchange automatically. This does not build on the older Azure AD Pod Identity (the NMI and MIC components); Workload Identity replaces it with a mechanism that needs no node-level identity proxy.
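To make the exchange concrete, here is an added example (it is not code from the original post or from Microsoft) showing what happens on the pod side. It constructs an unsigned sample projected token with a placeholder issuer URL, tenant and client IDs, inspects the claims that Entra matches against the federated credential, and builds the OAuth 2.0 client-credentials request that carries the token as a JWT bearer assertion. Inside a real pod, exchange_token uses the environment variables and token file injected by the AKS webhook; the signature check against the issuer's published keys is performed by Entra and is not reproduced here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the pod-side token exchange behind
# Entra Workload Identity. The sample token below is constructed and unsigned;
# the issuer URL, tenant and client IDs are placeholders.
set -eu

b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
b64url_decode() {
  local s; s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="${s}==";; 3) s="${s}=";; esac
  printf '%s' "$s" | base64 -d
}

# Second dot-separated segment of a JWT, decoded to JSON.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Minimal extractor for the flat claims used here (iss, sub, aud, iat, exp).
# It is not a JSON parser; a real client lets the Azure Identity SDK handle this.
jwt_claim() {
  jwt_payload "$1" | tr ',' '\n' | sed 's/[][{}"]//g' | sed -n "s/^$2://p" | head -n 1
}

token_lifetime_seconds() { echo $(( $(jwt_claim "$1" exp) - $(jwt_claim "$1" iat) )); }

# The three things Entra compares with the federated identity credential before
# it issues an access token: issuer, subject (one SA in one namespace), audience.
matches_federated_credential() {
  local token="$1" issuer="$2" ns="$3" sa="$4"
  [ "$(jwt_claim "$token" iss)" = "$issuer" ] &&
  [ "$(jwt_claim "$token" sub)" = "system:serviceaccount:${ns}:${sa}" ] &&
  [ "$(jwt_claim "$token" aud)" = "api://AzureADTokenExchange" ]
}

# Form fields of the exchange: client credentials grant with the projected token
# as a JWT bearer client assertion. The scope names the target resource.
token_request_fields() {
  local client_id="$1" assertion="$2" scope="${3:-https://vault.azure.net/.default}"
  printf 'grant_type=client_credentials\n'
  printf 'client_id=%s\n' "$client_id"
  printf 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer\n'
  printf 'client_assertion=%s\n' "$assertion"
  printf 'scope=%s\n' "$scope"
}

# Inside a workload-identity pod: AZURE_CLIENT_ID, AZURE_TENANT_ID and
# AZURE_FEDERATED_TOKEN_FILE are injected by the AKS webhook. Posts the assertion
# to the Entra v2 token endpoint; the JSON reply carries access_token and expires_in.
exchange_token() {
  local assertion; assertion=$(cat "$AZURE_FEDERATED_TOKEN_FILE")
  curl -sS -X POST "https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token" \
    --data-urlencode grant_type=client_credentials \
    --data-urlencode "client_id=${AZURE_CLIENT_ID}" \
    --data-urlencode client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
    --data-urlencode "client_assertion=${assertion}" \
    --data-urlencode "scope=${1:-https://vault.azure.net/.default}"
}

# Constructed sample of what the kubelet projects into the pod (placeholder issuer,
# one-hour lifetime, signature omitted). A real token is RS256-signed by the cluster.
DEMO_ISSUER="https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111/"
DEMO_PAYLOAD='{"iss":"'"$DEMO_ISSUER"'","sub":"system:serviceaccount:payments:kv-reader",'
DEMO_PAYLOAD="$DEMO_PAYLOAD"'"aud":["api://AzureADTokenExchange"],"iat":1700000000,"exp":1700003600,'
DEMO_PAYLOAD="$DEMO_PAYLOAD"'"kubernetes.io":{"namespace":"payments","serviceaccount":{"name":"kv-reader"}}}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT","kid":"demo-key"}').$(b64url_encode "$DEMO_PAYLOAD").$(b64url_encode signature-omitted)"

# Offline demo: inspect the sample token and the request it would be sent in.
echo "subject : $(jwt_claim "$SAMPLE_TOKEN" sub)"
echo "audience: $(jwt_claim "$SAMPLE_TOKEN" aud)"
echo "lifetime: $(token_lifetime_seconds "$SAMPLE_TOKEN")s"
token_request_fields 22222222-2222-2222-2222-222222222222 "$SAMPLE_TOKEN"
# Only a real workload-identity pod has the token file; there, do the exchange.
if [ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ]; then exchange_token; fi
```

The point to notice is the subject claim: it names one service account in one namespace, and matches_federated_credential fails for any other service account even when the issuer and audience are right. That exact-match rule is what makes the binding per workload rather than per cluster.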


Streamlined Permission Management

With Workload Identity, permissions are tied to the Entra identity bound to a workload's service account. You still create one user-assigned managed identity per workload, but you never create passwords, certificates or application secrets for it, and there is no cluster-wide service principal whose credential every workload shares. You grant Azure RBAC roles to that managed identity at the narrowest scope that works (a single Key Vault or storage account rather than a subscription), and the assignment follows the workload wherever its pods are scheduled. This greatly simplifies permission management in large clusters.


Eliminates Storing Secrets

Workload ID removes the need to store service principal passwords, client secrets or API keys in Kubernetes Secrets. Each pod gets a short-lived service account token projected into it by the kubelet, which the pod exchanges for an Entra access token on demand; both are renewed automatically and neither is stored in etcd. Anyone who can read Secrets in the namespace therefore no longer finds a reusable cloud credential there, which shrinks the cluster's attack surface considerably. The projected token is still sensitive while it is valid, so exec access to pods and read access to their filesystems should stay restricted as before.

Fine-grained Access Control

Because permissions attach to the Entra identity, and the federated credential names one specific service account in one specific namespace, access can be scoped per workload: the credential for the kv-reader account in the payments namespace will not honour a token presented by any other service account, even one in the same namespace. One workload can therefore be denied resources another workload needs, following the principle of least privilege. Granularity is per service account, not per individual pod; pods that share a service account share its access.

Automatic Token Renewal Instead of Key Rotation

There are no long-lived keys in this model. The projected service account token expires after one hour by default (the azure.workload.identity/service-account-token-expiration annotation on the service account can raise this, up to 24 hours) and the kubelet writes a fresh one into the pod before that; the Entra access token obtained with it is likewise short-lived. The federated credential on the managed identity holds no secret at all, only the issuer, subject and audience it trusts. This removes the manual work of tracking and rotating credentials for every workload in the cluster.

Dedicated Identities Per Workload

Each Kubernetes service account can be bound to its own managed identity, and the recommended pattern is one service account, and so one identity, per workload. Shared service principals or shared secrets, by contrast, hand every workload the union of everyone's access. With distinct identities, a compromised pod can only use the permissions of its own service account, and pods under other service accounts are unaffected. Pods that share a service account also share its identity, so keep the default service account in each namespace unbound and give every workload its own.

Best Practices for Replacing Service Principals

When transitioning existing AKS workloads from using service principals over to Entra Workload Identity, here are some best practices to follow:

With careful incremental rollout planning, you can smoothly transition even large, complex AKS clusters over to fully leverage Workload ID and improve your security posture.

Getting Started with Workload Identity in AKS

Workload Identity makes managing secure access for AKS workloads much easier, and it is generally available, so no preview feature registration is required. To get started, enable the OIDC issuer and the workload identity add-on on your AKS cluster (az aks update --enable-oidc-issuer --enable-workload-identity, or the equivalent in the Azure portal) and note the cluster's issuer URL.

Next, create a user-assigned managed identity for the workload and add a federated identity credential to it that names the cluster's issuer URL and the subject system:serviceaccount:<namespace>:<service-account>. In the cluster, create that service account with the annotation azure.workload.identity/client-id set to the identity's client ID, and label the pods that should use it with azure.workload.identity/use: "true".

Finally, grant the managed identity Azure RBAC roles on the resources the workload needs, such as a Key Vault or a Storage account, at the narrowest scope that works. Restrict access following the principle of least privilege for your workloads.
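The steps above, as one script. This is an added example, not code from the original post or from Microsoft; the resource group, cluster, identity, Key Vault, namespace and service account names are placeholders, and it assumes the Key Vault uses the Azure RBAC permission model. It also illustrates the per-service-account scoping described under Fine-grained Access Control and Dedicated Identities: the federated credential names exactly one namespace and service account, and the role assignment is scoped to one vault. The script only defines functions unless invoked with the argument run, so it can be read and checked without an Azure subscription.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): end-to-end setup of Entra Workload
# Identity for one AKS workload. All resource names are placeholders; the Key
# Vault is assumed to use the Azure RBAC permission model.
set -eu

RG="${RG:-rg-aks-demo}"
CLUSTER="${CLUSTER:-aks-demo}"
LOCATION="${LOCATION:-eastus}"
IDENTITY="${IDENTITY:-id-payments-kv-reader}"
KEYVAULT="${KEYVAULT:-kv-payments-demo}"
NAMESPACE="${NAMESPACE:-payments}"
SA="${SA:-kv-reader}"

# The subject Entra matches against the federated credential: exactly one
# service account in one namespace. Any other SA in the cluster gets nothing.
federated_subject() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# ServiceAccount + Pod manifests. The annotation binds the SA to the identity's
# client ID; the pod label tells the AKS webhook to project the token and inject
# AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE.
render_manifests() {
  local client_id="$1" tenant_id="$2"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA}
  namespace: ${NAMESPACE}
  annotations:
    azure.workload.identity/client-id: "${client_id}"
    azure.workload.identity/tenant-id: "${tenant_id}"
---
apiVersion: v1
kind: Pod
metadata:
  name: kv-reader-demo
  namespace: ${NAMESPACE}
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: ${SA}
  containers:
  - name: app
    image: mcr.microsoft.com/azure-cli
    command: ["sleep", "infinity"]
EOF
}

setup() {
  # 1. Cluster features (GA; works on an existing cluster via 'az aks update').
  az aks update -g "$RG" -n "$CLUSTER" --enable-oidc-issuer --enable-workload-identity
  local issuer client_id principal_id tenant_id kv_id
  issuer=$(az aks show -g "$RG" -n "$CLUSTER" --query oidcIssuerProfile.issuerUrl -o tsv)

  # 2. User-assigned managed identity. No password or certificate is ever created.
  az identity create -g "$RG" -n "$IDENTITY" -l "$LOCATION" >/dev/null
  client_id=$(az identity show -g "$RG" -n "$IDENTITY" --query clientId -o tsv)
  principal_id=$(az identity show -g "$RG" -n "$IDENTITY" --query principalId -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)

  # 3. Federated credential: trust this cluster's issuer, this SA, this audience.
  az identity federated-credential create --name "fc-${NAMESPACE}-${SA}" \
    --identity-name "$IDENTITY" -g "$RG" --issuer "$issuer" \
    --subject "$(federated_subject "$NAMESPACE" "$SA")" \
    --audiences api://AzureADTokenExchange

  # 4. Least privilege: read secrets in one vault, scoped to that vault only.
  kv_id=$(az keyvault show -g "$RG" -n "$KEYVAULT" --query id -o tsv)
  az role assignment create --role "Key Vault Secrets User" \
    --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --scope "$kv_id"

  # 5. Kubernetes side: namespace, annotated SA, labelled pod.
  az aks get-credentials -g "$RG" -n "$CLUSTER" --overwrite-existing
  kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"
  render_manifests "$client_id" "$tenant_id" | kubectl apply -f -

  # 6. Verify from inside the pod: log in with the projected token, no secret involved.
  kubectl -n "$NAMESPACE" wait --for=condition=Ready pod/kv-reader-demo --timeout=120s
  kubectl -n "$NAMESPACE" exec kv-reader-demo -- sh -c \
    'az login --service-principal -u "$AZURE_CLIENT_ID" -t "$AZURE_TENANT_ID" \
       --federated-token "$(cat "$AZURE_FEDERATED_TOKEN_FILE")" >/dev/null &&
     az keyvault secret list --vault-name "$1" -o table' sh "$KEYVAULT"
}

# Talks to Azure only when explicitly asked; otherwise just defines the functions.
if [ "${1:-}" = "run" ]; then setup; fi
```

Run it as ./setup-workload-identity.sh run after az login. To give a second workload its own access, repeat steps 2 to 5 with a different IDENTITY and SA; do not reuse the service account, because every pod under it would inherit the vault access.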

With just a few simple steps, you can be issuing and using workload identities across your AKS cluster. This eliminates the hassles of service principal and secrets management by linking access controls to each workload's Kubernetes service account.

Workload Identity simplifies permission management, removes stored secrets, and provides granular, isolated access controls for AKS applications. The automatic, short-lived token lifecycle removes a whole class of credential-leak risks along with the operational burden of rotation. Any organization running production workloads on AKS should take advantage of Entra's Workload Identity integration.

Frequently Asked Questions

What are the requirements to use Workload Identity in AKS?

The main requirements are:

  • An AKS cluster running Kubernetes 1.22+ with the OIDC issuer enabled
  • The workload identity add-on enabled on the cluster (it is generally available, not a preview)
  • A user-assigned managed identity (or app registration) with a federated identity credential for the cluster's issuer URL and the workload's service account
  • A Kubernetes service account annotated with azure.workload.identity/client-id, and pods labelled azure.workload.identity/use: "true"

Does Workload Identity work with Azure AD Pod Identity?

They are separate mechanisms. Workload Identity is the replacement for Azure AD Pod Identity, which Microsoft has deprecated; it does not build on the Pod Identity components (NMI and MIC) but uses Kubernetes service account token projection and OIDC federation instead. Both can run on a cluster while you migrate, but the goal is to move each workload over and then remove Pod Identity.

Can I restrict access to resources using Workload Identity?

Yes. The managed identity behind a workload is assigned Azure RBAC roles like any other managed identity, at whatever scope you choose, and the federated credential ties that identity to one service account in one namespace. Access is therefore restricted per service account and per namespace; it is not scoped by pod label or to an individual pod.

How often are the workload identity credentials rotated?

There is no credential to rotate. The projected service account token in the pod expires after one hour by default (configurable up to 24 hours with the azure.workload.identity/service-account-token-expiration annotation) and is refreshed by the kubelet before it expires; the Entra access token obtained with it is also short-lived. The federated identity credential itself contains no secret, only the trusted issuer, subject and audience.

Is Workload Identity available for Kubernetes clusters on other platforms besides AKS?

The managed AKS add-on is AKS-specific, but the underlying mechanism is not. The open-source Azure AD Workload Identity webhook can be installed on any Kubernetes cluster whose OIDC discovery document and signing keys are reachable by Entra, and Entra workload identity federation also trusts non-Kubernetes issuers such as GitHub Actions. What you give up outside AKS is the managed issuer endpoint and the add-on lifecycle, not the model.
