Connecting to an AKS Cluster Non-Interactively — Part 4

Sequence Flow

First, let's walk through the sequence of what our code is going to do.

  1. We'll call the Microsoft identity platform user realm API with our UPN, e.g. clusteruser@adrianhyneshotmail.onmicrosoft.com. This API tells us whether the account is managed or federated. If it is federated, the response also returns the federated Identity Provider (IdP) endpoint URL (which can be an on-prem address) and the metadata exchange (MEX) URL.
  2. [If the account is federated] We'll call the metadata exchange URL to see which SAML (Security Assertion Markup Language) protocols the IdP supports.
  3. [If the account is federated] We'll call the IdP endpoint with our credentials and it will return a SAML assertion.
  4. [If the account is federated] We'll exchange the SAML assertion for an access token via the OAuth2 flow, with a scope of openid and a SAML bearer grant type. The client in this case is the well-known X Platform static client ID and the resource is ARM (http://management.azure.com/).
  5. [If the account is managed] We'll call the OAuth2 username and password flow to retrieve an access token, using the same client ID and resource as step 4.
  6. Using the access token obtained via either the federated or the managed path, we call the Azure API to get a skeleton kubeconfig file.
  7. We extract the apiserver-id and client-id from that kubeconfig and repeat step 4 (federated) or step 5 (managed), this time using the extracted client-id as the client ID and the extracted apiserver-id as the resource in our OAuth2 flow. This returns an access token, refresh token, expires-in and expires-on, which we add to our kubeconfig file.
  8. Now we can use kubectl without the interactive authentication flow.
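The eight steps above, written out as one piece of Python. This is an added example for this post, not the azaksauth code and not anything Microsoft ships; it makes a few assumptions the post does not state: the "X Platform static ID" is taken to be the Azure CLI's public client ID, the listClusterUserCredential api-version is a guess, the ARM resource is written in its https form, and the MEX + WS-Trust exchange of steps 2 and 3 (which ADAL performs) is represented by an injected get_saml_assertion callable rather than reimplemented. HTTP is injected as two callables (http_get, http_post) so the whole flow runs offline against the constructed fake responses at the bottom; for a real tenant you would pass functions backed by urllib or requests instead.

```python
import base64
import json
import re
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"
ARM = "https://management.azure.com/"  # ARM resource for steps 4/5 (https form of the URL in the post)
# Assumption: the "X Platform static ID" is the Azure CLI public client ID; the post does not give it.
XPLAT_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def user_realm(upn, http_get):
    """Step 1: the user-realm API reports account_type Managed or Federated (plus IdP/MEX URLs)."""
    url = f"{AUTHORITY}/common/UserRealm/{urllib.parse.quote(upn)}?api-version=1.0"
    return json.loads(http_get(url, {"Accept": "application/json"}))


def token_request(tenant, client_id, resource, http_post, *, upn=None, password=None,
                  saml_assertion=None, saml_version="SAML1.1"):
    """Steps 4/5 and 7: v1 token endpoint; SAML bearer grant if an assertion is given, else password grant."""
    form = {"client_id": client_id, "resource": resource, "scope": "openid"}
    if saml_assertion is not None:
        form["grant_type"] = "urn:ietf:params:oauth:grant-type:" + (
            "saml2-bearer" if saml_version == "SAML2" else "saml1_1-bearer")
        form["assertion"] = base64.b64encode(saml_assertion.encode()).decode()
    else:
        form.update(grant_type="password", username=upn, password=password)
    raw = http_post(f"{AUTHORITY}/{tenant}/oauth2/token", urllib.parse.urlencode(form).encode(),
                    {"Content-Type": "application/x-www-form-urlencoded"})
    tok = json.loads(raw)
    if "access_token" not in tok:  # AAD answers with error/error_description on failure
        raise RuntimeError("token request failed: " + str(tok.get("error_description", tok)))
    return tok


def skeleton_kubeconfig(arm_token, sub, rg, cluster, http_post):
    """Step 6: listClusterUserCredential returns the kubeconfig base64-encoded (api-version assumed)."""
    url = (f"{ARM}subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerService"
           f"/managedClusters/{cluster}/listClusterUserCredential?api-version=2020-03-01")
    creds = json.loads(http_post(url, b"", {"Authorization": "Bearer " + arm_token}))["kubeconfigs"]
    return base64.b64decode(creds[0]["value"]).decode()


def azure_auth_config(kubeconfig):
    """Step 7a: pull apiserver-id and client-id out of the azure auth-provider config block."""
    fields = {}
    for key in ("apiserver-id", "client-id"):
        m = re.search(rf"^([ \t]*){key}:[ \t]*(\S+)[ \t]*$", kubeconfig, re.M)
        if not m:
            raise ValueError("kubeconfig has no auth-provider field " + key)
        fields[key], fields["_indent"] = m.group(2), m.group(1)
    return fields


def inject_tokens(kubeconfig, tok):
    """Step 7b: add the fields client-go's azure auth-provider reads, at the config block's indent."""
    ind = azure_auth_config(kubeconfig)["_indent"]
    extra = "\n".join([f"{ind}access-token: {tok['access_token']}",
                       f"{ind}refresh-token: {tok['refresh_token']}",
                       f'{ind}expires-in: "{tok["expires_in"]}"',
                       f'{ind}expires-on: "{tok["expires_on"]}"'])
    return re.sub(rf"^({ind}apiserver-id:.*)$", lambda m: m.group(1) + "\n" + extra,
                  kubeconfig, count=1, flags=re.M)


def aks_login(upn, password, tenant, sub, rg, cluster, http_get, http_post, get_saml_assertion=None):
    """Steps 1-7 end to end; returns a kubeconfig kubectl can use without an interactive login.
    get_saml_assertion(realm, upn, password) -> (assertion_xml, saml_version) stands in for steps 2-3."""
    realm = user_realm(upn, http_get)
    def acquire(client_id, resource):
        if realm.get("account_type") == "Federated":
            if get_saml_assertion is None:
                raise RuntimeError("federated account: a WS-Trust callable is needed for steps 2-3")
            assertion, version = get_saml_assertion(realm, upn, password)
            return token_request(tenant, client_id, resource, http_post,
                                 saml_assertion=assertion, saml_version=version)
        return token_request(tenant, client_id, resource, http_post, upn=upn, password=password)
    arm_tok = acquire(XPLAT_CLIENT_ID, ARM)                     # steps 4/5: resource = ARM
    kubeconfig = skeleton_kubeconfig(arm_tok["access_token"], sub, rg, cluster, http_post)
    cfg = azure_auth_config(kubeconfig)
    aks_tok = acquire(cfg["client-id"], cfg["apiserver-id"])   # step 7: resource = apiserver-id
    return inject_tokens(kubeconfig, aks_tok)


# Constructed offline stand-ins for AAD and ARM (a managed account); not real responses.
SAMPLE_KUBECONFIG = """users:
- name: clusterUser_rg_demo
  user:
    auth-provider:
      config:
        apiserver-id: 00000000-0000-0000-0000-00000000aaaa
        client-id: 00000000-0000-0000-0000-00000000bbbb
        environment: AzurePublicCloud
      name: azure
"""
fake_get = lambda url, headers=None: b'{"ver":"1.0","account_type":"Managed","domain_name":"example.onmicrosoft.com"}'


def fake_post(url, body, headers=None):
    if url.endswith("/oauth2/token"):
        form = urllib.parse.parse_qs(body.decode())
        return json.dumps({"access_token": "tok-for-" + form["resource"][0], "refresh_token": "rt",
                           "expires_in": "3599", "expires_on": "1700000000"}).encode()
    return json.dumps({"kubeconfigs": [{"name": "clusterUser",
                       "value": base64.b64encode(SAMPLE_KUBECONFIG.encode()).decode()}]}).encode()


def demo():
    """Run the whole flow against the fakes; real use swaps in an HTTP client for fake_get/fake_post."""
    return aks_login("clusteruser@example.onmicrosoft.com", "s3cret", "example.onmicrosoft.com",
                     "sub", "rg", "demo", fake_get, fake_post)
```

Two caveats worth keeping in mind when using this for real. The password grant in step 5 only works for accounts without MFA or a blocking Conditional Access policy, so a dedicated cluster user account is the realistic target. And the access-token/refresh-token pair written into the kubeconfig is a bearer credential for the AKS server application: anyone who reads the file can call the API server as that user until the tokens expire, so protect it like a password. The token fields are those the legacy `azure` auth-provider in client-go reads; newer kubectl releases have dropped that provider in favour of kubelogin, so check the kubectl version you are targeting.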

Language

Although Go would seem the ideal choice, since we could create our own simple CLI or, better still, a kubectl plugin, I'm going to choose Python, for the sole reason that Microsoft's Active Directory Authentication Library (ADAL) for Go doesn't support username and password authentication for SAML (federated) accounts, while the Python library does.

Code

Please check out the code on GitHub https://github.com/aido123/azaksauth and feel free to contribute.

Demo

Clone the azaksauth repo

Adrian Hynes

Cloud Platform Architect. Opinions and articles on Medium are my own.