7. Configure Application Gateway Identity
Find the Ingress / Application Gateway Identity
When the Kubernetes cluster is deployed (using Terraform), it is configured to use an Application Gateway Ingress Controller (AGIC), which is attached to the Application Gateway that was also created using Terraform.
During the deployment, Azure Kubernetes Service creates a so-called Managed Identity dedicated to the AGIC; the roles assigned to this identity determine what AGIC is permitted to do in the Azure subscription.
This identity is not created in the environment-specific Resource Group but in a secondary Resource Group managed by Azure Kubernetes Service. That secondary group follows the naming convention:
MC_ar-<env>-env_ar-<env>-cluster_eastus
Example:
MC_ar-uat-env_ar-uat-cluster_eastus
From the Azure CLI, the clientId of the above-mentioned identity can be retrieved with the following command (replace <env> with the environment name):
az identity show \
--name ingressapplicationgateway-ar-<env>-cluster \
--resource-group "MC_ar-<env>-env_ar-<env>-cluster_eastus" \
--query "clientId"
Two role assignments are needed for the extracted clientId. The first is the Reader role on the Resource Group in which the environment-specific resources are created:
az role assignment create \
--role Reader \
--scope /subscriptions/<subscription-id>/resourceGroups/ar-<env>-env \
--assignee <clientId>
The second is the Contributor role, scoped to the Application Gateway resource itself rather than to the whole Resource Group, so that AGIC can update the gateway configuration without gaining write access to other resources in the group:
az role assignment create \
--role Contributor \
--scope /subscriptions/<subscription-id>/resourceGroups/ar-<env>-env/providers/Microsoft.Network/applicationGateways/ar-<env>-app-gw \
--assignee <clientId>
Example:
az identity show \
--name ingressapplicationgateway-ar-uat-cluster \
--resource-group "MC_ar-uat-env_ar-uat-cluster_eastus" \
--query "clientId"
az role assignment create \
--role Reader \
--scope /subscriptions/35ddf877-eb02-420f-97e8-81f584388517/resourceGroups/ar-uat-env \
--assignee <clientId>
az role assignment create \
--role Contributor \
--scope /subscriptions/35ddf877-eb02-420f-97e8-81f584388517/resourceGroups/ar-uat-env/providers/Microsoft.Network/applicationGateways/ar-uat-app-gw \
--assignee <clientId>
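The whole procedure above, as one script that can be re-run safely and that verifies the outcome. This is an added example, not part of the original runbook or the project's Terraform code: it derives the MC_ resource group, identity name and scopes from the naming conventions on this page, assumes the region suffix is eastus (REGION) and that the subscription id is passed in the SUBSCRIPTION_ID variable, skips a role assignment that already exists, and finishes by checking that both assignments are visible. One deliberate difference from the commands above: it binds the roles by the identity's principalId (object id) through --assignee-object-id, which needs no directory lookup; the page's commands pass the clientId to --assignee, which the CLI resolves to the same service principal.

```shell
#!/usr/bin/env sh
# Added example (not the project's own script): assign the AGIC managed
# identity its two roles for one environment and verify the result.
# Assumptions: region suffix eastus (REGION), subscription id in SUBSCRIPTION_ID,
# resource names following the ar-<env> conventions of the runbook.
set -eu

REGION="${REGION:-eastus}"   # assumed; matches the MC_..._eastus convention

# Pure naming helpers (no Azure access needed, so they can be checked offline).
mc_resource_group() {        # $1 = env -> MC_ar-<env>-env_ar-<env>-cluster_<region>
  printf 'MC_ar-%s-env_ar-%s-cluster_%s\n' "$1" "$1" "$REGION"
}
identity_name() {            # $1 = env -> ingressapplicationgateway-ar-<env>-cluster
  printf 'ingressapplicationgateway-ar-%s-cluster\n' "$1"
}
rg_scope() {                 # $1 = subscription id, $2 = env
  printf '/subscriptions/%s/resourceGroups/ar-%s-env\n' "$1" "$2"
}
appgw_scope() {              # $1 = subscription id, $2 = env
  printf '%s/providers/Microsoft.Network/applicationGateways/ar-%s-app-gw\n' \
    "$(rg_scope "$1" "$2")" "$2"
}

# Returns 0 when the principal already holds the role directly at the scope.
has_role() {                 # $1 = principal object id, $2 = role, $3 = scope
  count=$(az role assignment list --assignee "$1" --role "$2" --scope "$3" \
            --query 'length(@)' -o tsv)
  [ "$count" -gt 0 ]
}

# Create the assignment only if it is missing, so the script can be re-run.
ensure_role() {              # $1 = principal object id, $2 = role, $3 = scope
  if has_role "$1" "$2" "$3"; then
    echo "ok: $2 already assigned at $3"
  else
    az role assignment create --assignee-object-id "$1" \
      --assignee-principal-type ServicePrincipal --role "$2" --scope "$3" -o none
    echo "assigned: $2 at $3"
  fi
}

configure_agic_identity() {  # $1 = env (e.g. uat)
  env="$1"
  sub="${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID to the target subscription id}"
  # principalId (object id) is what role assignments bind to; clientId is the app id.
  principal_id=$(az identity show --name "$(identity_name "$env")" \
    --resource-group "$(mc_resource_group "$env")" --query principalId -o tsv)
  [ -n "$principal_id" ] || { echo "AGIC identity not found for $env" >&2; exit 1; }
  ensure_role "$principal_id" Reader      "$(rg_scope "$sub" "$env")"
  ensure_role "$principal_id" Contributor "$(appgw_scope "$sub" "$env")"
  # Final check: both assignments must now be visible at their scopes.
  has_role "$principal_id" Reader      "$(rg_scope "$sub" "$env")"
  has_role "$principal_id" Contributor "$(appgw_scope "$sub" "$env")"
  echo "AGIC identity for $env configured"
}

# Usage: SUBSCRIPTION_ID=<subscription-id> sh configure-agic-identity.sh uat
if [ $# -gt 0 ]; then configure_agic_identity "$1"; fi
```

Run it as SUBSCRIPTION_ID=<subscription-id> sh configure-agic-identity.sh uat after az login. Note that the Contributor assignment stays scoped to the single Application Gateway resource, exactly as in the commands above, so a re-run never widens the identity's permissions.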