Managed Identities for Azure Kubernetes AI Services

Question

Pulumi · Accepted Answer

Managed identities in Azure provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Azure Kubernetes Service (AKS) can use managed identities to allow the Kubernetes cluster to interact with other Azure services securely. This means AKS can manage credentials for container workloads without putting secrets directly into your container images or application code.

In Azure, AI services can leverage managed identities in AKS for scenarios such as accessing Azure Container Registry, Cosmos DB, or other Azure services that support Azure AD authentication. By using managed identities, you eliminate the need for credentials to be stored in your application, improving security.

Below is a Pulumi program written in Python that sets up an Azure Kubernetes Service (AKS) cluster with a managed identity. The managed identity created here could then be used to grant the AKS-managed Kubernetes clusters the required permissions to interact with Azure AI services or other Azure resources.

Let's go through the program step by step:

1. We'll first import the necessary Pulumi packages.
2. Then we'll create a resource group, which is a container that holds related resources for an Azure solution.
3. After that, we create the managed identity.
4. Then, we set up an AKS cluster and specify the managed identity to be used with the cluster.

```python
import pulumi
import pulumi_azure_native as azure_native

# Create a new resource group to contain all resources.
resource_group = azure_native.resources.ResourceGroup('my-resource-group')

# Create an Azure AD application for AKS.
ad_app = azure_native.authorization.Application('aks-app')

# Create a service principal for the Azure AD application.
ad_sp = azure_native.authorization.ServicePrincipal(
    'aks-sp',
    application_id=ad_app.application_id
)

# Next step is to create the managed identity.
managed_identity = azure_native.managedidentity.UserAssignedIdentity(
    'my-aks-identity',
    resource_group_name=resource_group.name
)

# Create an AKS cluster using the managed identity.
aks_cluster = azure_native.containerservice.ManagedCluster(
    'my-aks-cluster',
    resource_group_name=resource_group.name,
    agent_pool_profiles=[{
        'count': 3,
        'vm_size': 'Standard_DS2_v2',
        'name': 'agentpool'  # Name for the agent pool
    }],
    dns_prefix='myakscluster',
    identity={
        'type': 'UserAssigned',
        'user_assigned_identities': {
            managed_identity.id: {}
        }
    },
    service_principal_profile={
        'client_id': ad_sp.application_id
    }
)

# Export the AKS cluster name
pulumi.export('aks_cluster_name', aks_cluster.name)
```

In this program:

- We define a `ResourceGroup` which is a logical container for our resources.
- We create an Azure AD application and service principal that the AKS cluster can use for Azure AD integration.
- A `UserAssignedIdentity` named `my-aks-identity` is then created, which we'll associate with our AKS cluster.
- We create the AKS cluster with `ManagedCluster`, associate the managed identity we created, and specify the service principal details.
- An agent pool profile defines the size and number of VMs in the AKS cluster's agent pool.

By associating the managed identity with the AKS cluster, you no longer need to manage service principal credentials; instead, the AKS cluster can use this identity to access other Azure services that support Azure AD authentication. This provides a secure and manageable way for your AKS cluster to interact with Azure resources.

By using Pulumi, you can easily manage, version, and replicate complex cloud environments by expressing them as code. These code blocks act as living documentation for your infrastructure, making it easier to understand and maintain.

Remember to replace the placeholder names like `my-resource-group`, `my-aks-identity`, and `myakscluster` with names that are appropriate for your usage. Before running the program, make sure you are logged in to Pulumi and have the appropriate permissions set up in Azure. After running this Pulumi program with `pulumi up`, the command-line interface will display the outputs, including the Kubernetes cluster name.