Trusted identity but secretless call to APIM

Problem Statement

In order to prove application identity to Azure API Management (APIM) or any other service, the application needs to present a token. The token can be obtained from Azure Active Directory (AAD) using a client secret or a certificate. However, managing and securing these secrets can be challenging, especially in a cloud-native environment. Workload identity provides a more secure and manageable way to authenticate applications to Azure services. What can be done to leverage workload identity to obtain a token and call APIM or any other service without managing secrets?

Solution

The blog discusses a specific use case on how to use Azure AD workload identity to authenticate Kubernetes workloads to Azure AD and obtain tokens for calling APIM endpoint. This approach eliminates the need for secrets by using federated credentials registered in the managed identity. APIM can validate these tokens, verify claims, and allow or reject requests based on the identity.

Register a dummy application in Azure AD

This application registration is for resource server in the context of OAuth 2.0. We will not be using this app registration for any other purpose.

APIM Policy Explanation

Review policy here https://github.com/srinman/azureexamples/blob/main/aks/workloadidentity/policysample.xml

This policy ensures that only requests with valid tokens from approved managed identities are allowed, enhancing security by verifying the identity of the caller.

Python Program Explanation

Review program here https://github.com/srinman/azureexamples/blob/main/aks/workloadidentity/pysdktokapim.py

The Python program demonstrates how to obtain an access token from Azure AD using the workload identity. This token can then be used to authenticate API calls to APIM.

for deploying this in AKS, follow steps as documented here. https://github.com/srinman/azureexamples/blob/main/aks/workloadidentity/README.md

Summary of the Approach

This approach leverages Azure AD workload identity to securely call Azure API Management (APIM) endpoints from an Azure Kubernetes Service (AKS) cluster. Here’s a detailed summary of the benefits:

1. Secretless Authentication:

   • By using Azure AD workload identity, the need for storing and managing secrets is eliminated. This enhances security by reducing the risk of secret leakage.

2. Federated Credentials:

   • Federated credentials allow the AKS workloads to authenticate to Azure AD without needing to manage service principal credentials. This is achieved by registering a federated credential in the managed identity.

3. Token-Based Access:

   • The Python program demonstrates how to obtain an access token from Azure AD using the workload identity. This token can then be used to authenticate API calls to APIM.

4. APIM Policy for Identity Verification:

   • The APIM policy validates the JWT token included in the API request. It checks the token’s issuer, audience, and required claims to ensure that the request is coming from an approved managed identity.
   • This policy ensures that only requests with valid tokens from specific managed identities are allowed, enhancing security by verifying the identity of the caller.

5. Granular Access Control:

   • By specifying the audience, issuer, and required claims in the APIM policy, granular access control can be enforced. This ensures that only specific AKS clusters, namespaces, and service accounts can access the APIM endpoint.

ACA

This same container can be deployed in Azure Container Apps. You can associate the same user-assigned managed identity to the container app and use the same Python program to obtain the token and call APIM. You need to ensure that you set AZURE_CLIENT_ID and AZURE_TENANT_ID as environment variables in the container app. In AKS, these are automatically set by the mutating webhook.