Connecting to an AKS Cluster Non Interactivity — Part 4

Finally, he’s going to write some code. Well not just yet.

Sequence Flow

First let’s just walk through the sequence of what our code is going to do.

1. We’ll call the MS Identity Platform User Realm API with our UPN e.g. clusteruser@adrianhyneshotmail.onmicrosoft.com. This API will tell us information about this user in terms of whether the account is managed or federated. If federated, it will return the federated Identity Provider (IdP) URL (can be an on prem address) and also the metadata exchange api url.
2. [If account federated] We’ll then call the metadata exchange api to see what SAML (Security Assertion Markup Language) protocols the the Idp supports
3. [If account is federated] We’ll now call the Idp endpoint with our credentials and it will return SAML assertion blob of data
4. [If account is federated] we’ll then call exchange the SAML assert blob for an access token via the OAuth2 flow with a scope of openid, grant type of a saml type. The client in this case will be the default X Platform static ID and the Resource will be ARM (http://management.azure.com/).
5. [If not federated] we’ll call the username and password OAuth2 flow to retrieve an access token. We’ll use the same client id and resource as 4.
6. Using the access token obtained vie federated or managed, we next call the azure api to get a skeleton kubconfig file.
7. Now we extract the apiserver-id and client-id, and we’ll call either Step 4 (Federated) or Step 7 (Managed) again but using the client-id we extracted from the kubconfig file returned in 6 as the client id and the apiserver-id we extracted in 6 as the resource in our OAuth2 flow. This will return an access token, refresh token, expires in and expires on. We’ll just simply add this to our kubeconfig file.
8. Now we can just use kubectl without the Interactive Authentication flow.

Language

Although Go would seem the ideal choice as we would create our own simple CLI or better still we could create a Kubectl plugin, but I’m going to choose Python, for the only reason that Microsoft’s Active Directory Authentication Library for Go doesn’t have a username and password library for SAML Authentication, while Python does.

Another reason for Python, is that in another article, we’ll explore adding our own extension for the az cli.

Code

Please check out the code on GitHub https://github.com/aido123/azaksauth and feel free to contribute.

Demo

Clone the azaksauth repo

Install the pip module

Run the azaksauth command line with your clusters details.

* Please note the identity must be a tenant user and must be assigned the “Azure Kubernetes Cluster User Role”.

Use Kubectl or Helm as you currently do.

* Note I don’t have any Role Bindings for this user below, hence the permission error

Thanks for sticking around to the end and I hope you have found these set of articles informative and useful, and you can put what you’ve learned about connecting to AKS clusters Non Interactively into practice in the near future.

In the next article, we’re going to explore adding the above as an extension to the Azure az cli.

Check it out here: https://adrianhynes.medium.com/creating-an-azure-az-cli-extension-for-aks-non-interactive-auth-85954147d9b1