Enable secure settings in Azure IoT Operations
The secure settings for Azure IoT Operations include the setup of secrets management and a user-assigned managed identity for cloud connections; for example, an OPC UA server or dataflow endpoints.
This article provides instructions for enabling secure settings if you didn't do so during your initial deployment.
Prerequisites
An Azure IoT Operations instance deployed with test settings. For example, you chose Test Settings when following the instructions in Deploy Azure IoT Operations to an Arc-enabled Kubernetes cluster.
Azure CLI installed on your development machine. This scenario requires Azure CLI version 2.64.0 or higher. Use az --version to check your version and az upgrade to update if necessary. For more information, see How to install the Azure CLI.
The latest version of the connectedk8s extension for Azure CLI. Use the following command to add the extension or update it to the latest version:
az extension add --upgrade --name connectedk8s
The Azure IoT Operations extension for Azure CLI. Use the following command to add the extension or update it to the latest version:
az extension add --upgrade --name azure-iot-ops
Enable the cluster for secure settings
Before you enable secrets synchronization for your Azure IoT Operations instance, enable your cluster as an OIDC issuer and for workload identity federation. This step is required for the Secret Store extension to sync the secrets from an Azure key vault and store them on the edge as Kubernetes secrets.
az connectedk8s update -n <CLUSTER_NAME> -g <RESOURCE_GROUP> --enable-oidc-issuer --enable-workload-identity
If you're using the k3s distribution of Kubernetes, you need to add the service-account-issuer and service-account-max-token-expiration arguments to the kube-apiserver. To add these settings, follow these steps:
Get the cluster's issuer URL.
az connectedk8s show -g <RESOURCE_GROUP> -n <CLUSTER_NAME> --query oidcIssuerProfile.issuerUrl --output tsv
Make a note of the output from this command to use in the next steps.
Create the k3s config file:
sudo nano /etc/rancher/k3s/config.yaml
Add the following content to the config.yaml file, replacing the <SERVICE_ACCOUNT_ISSUER> placeholder with the cluster issuer URL you made a note of previously:
kube-apiserver-arg:
  - service-account-issuer=<SERVICE_ACCOUNT_ISSUER>
  - service-account-max-token-expiration=24h
Save the file and exit the nano editor.
Restart the k3s service:
sudo systemctl restart k3s
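The following script is an added example and is not part of the Azure IoT Operations documentation. It renders the config.yaml content from the issuer URL that az connectedk8s show reports, and checks an existing k3s config file for both kube-apiserver arguments with the issuer that Azure reports for the cluster. The issuer URL in the comments is constructed, and the K3S_ISSUER and K3S_CONFIG environment variables are this example's own convention; a mismatch between the issuer Azure reports and the one in the kube-apiserver arguments is what breaks the token exchange, so the check is worth running before the k3s restart.

```shell
#!/bin/sh
# Added example, not from the Azure IoT Operations documentation: render the
# k3s kube-apiserver arguments from the issuer URL that `az connectedk8s show`
# reports, and verify an existing /etc/rancher/k3s/config.yaml against it.
set -eu

# Print the config.yaml content for the given issuer URL. The Arc issuer is an
# https URL, so anything else is rejected as a sanity check.
render_k3s_config() {
  issuer="$1"
  case "$issuer" in
    https://*) ;;
    *) echo "issuer must be an https URL, got: $issuer" >&2; return 1 ;;
  esac
  printf 'kube-apiserver-arg:\n  - service-account-issuer=%s\n  - service-account-max-token-expiration=24h\n' "$issuer"
}

# Print each "- key=value" list item of a config file without the list marker.
# This is a line-based check, not a YAML parser; it is enough for the
# kube-apiserver-arg list the procedure adds.
config_args() {
  sed -n 's/^[[:space:]]*-[[:space:]]*//p' "$1"
}

# Return 0 only when the file carries both arguments and the issuer equals the
# one Azure reports for the cluster.
check_k3s_config() {
  file="$1"; expected_issuer="$2"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  config_args "$file" | grep -Fqx "service-account-issuer=$expected_issuer" \
    || { echo "service-account-issuer missing or differs from $expected_issuer" >&2; return 1; }
  config_args "$file" | grep -Fqx "service-account-max-token-expiration=24h" \
    || { echo "service-account-max-token-expiration=24h missing" >&2; return 1; }
  return 0
}

# Stand-alone use (example convention): pass the output of
#   az connectedk8s show -g <RESOURCE_GROUP> -n <CLUSTER_NAME> --query oidcIssuerProfile.issuerUrl -o tsv
# as K3S_ISSUER and the config file path as K3S_CONFIG. A constructed issuer
# would look like https://example.invalid/oidc/tenant-id/cluster-id/.
if [ -n "${K3S_ISSUER:-}" ] && [ -n "${K3S_CONFIG:-}" ]; then
  check_k3s_config "$K3S_CONFIG" "$K3S_ISSUER"
  echo "$K3S_CONFIG matches issuer $K3S_ISSUER"
fi
```

Run it as K3S_ISSUER="$(az connectedk8s show ... --query oidcIssuerProfile.issuerUrl -o tsv)" K3S_CONFIG=/etc/rancher/k3s/config.yaml sh check-k3s.sh after editing the file; a non-zero exit means the restart would leave the API server issuing tokens for an issuer that Azure does not know.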
Set up secrets management
Secrets management for Azure IoT Operations uses the Secret Store extension to sync the secrets from an Azure key vault and store them on the edge as Kubernetes secrets. The Secret Store extension requires a user-assigned managed identity with access to the Azure key vault where secrets are stored. To learn more, see What are managed identities for Azure resources?.
To set up secrets management:
Create an Azure key vault that's used to store secrets, and give your user account permissions to manage secrets with the Key Vault Secrets Officer role.
Create a user-assigned managed identity for the Secret Store extension.
Use the az iot ops secretsync enable command to set up the Azure IoT Operations instance for secret synchronization. This command:
- Creates a federated identity credential by using the user-assigned managed identity.
- Adds a role assignment to the user-assigned managed identity for access to the Azure key vault.
- Adds a minimum secret provider class associated with the Azure IoT Operations instance.
# Variable block
AIO_INSTANCE_NAME="<AIO_INSTANCE_NAME>"
RESOURCE_GROUP="<RESOURCE_GROUP>"
USER_ASSIGNED_MI_NAME="<USER_ASSIGNED_MI_NAME>"
KEYVAULT_NAME="<KEYVAULT_NAME>"

# Get the resource ID of the user-assigned managed identity
USER_ASSIGNED_MI_RESOURCE_ID=$(az identity show --name $USER_ASSIGNED_MI_NAME --resource-group $RESOURCE_GROUP --query id --output tsv)

# Get the resource ID of the key vault
KEYVAULT_RESOURCE_ID=$(az keyvault show --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP --query id --output tsv)

# Enable secret synchronization
az iot ops secretsync enable --instance $AIO_INSTANCE_NAME \
  --resource-group $RESOURCE_GROUP \
  --mi-user-assigned $USER_ASSIGNED_MI_RESOURCE_ID \
  --kv-resource-id $KEYVAULT_RESOURCE_ID
Now that secret synchronization setup is complete, you can refer to Manage secrets for your Azure IoT Operations deployment to learn how to use secrets with Azure IoT Operations.
Set up a user-assigned managed identity for cloud connections
Some Azure IoT Operations components, like dataflow endpoints, use a user-assigned managed identity for cloud connections. We recommend that you use a separate identity from the one that you used to set up secrets management.
Create a user-assigned managed identity that's used for cloud connections.
Note
You'll need to grant the identity permission to whichever cloud resource you'll use the managed identity for.
Use the az iot ops identity assign command to assign the identity to the Azure IoT Operations instance. This command also creates a federated identity credential by using the OIDC issuer of the indicated connected cluster and the Azure IoT Operations service account.
# Variable block
AIO_INSTANCE_NAME="<AIO_INSTANCE_NAME>"
RESOURCE_GROUP="<RESOURCE_GROUP>"
USER_ASSIGNED_MI_NAME="<USER_ASSIGNED_MI_NAME FOR CLOUD CONNECTIONS>"

# Get the resource ID of the user-assigned managed identity
USER_ASSIGNED_MI_RESOURCE_ID=$(az identity show --name $USER_ASSIGNED_MI_NAME --resource-group $RESOURCE_GROUP --query id --output tsv)

# Assign the identity to the Azure IoT Operations instance
az iot ops identity assign --name $AIO_INSTANCE_NAME \
  --resource-group $RESOURCE_GROUP \
  --mi-user-assigned $USER_ASSIGNED_MI_RESOURCE_ID
Now you can use this managed identity in dataflow endpoints for cloud connections.
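The script below is an added example, not code from the Azure IoT Operations documentation. It wraps the two CLI steps on this page (the az iot ops secretsync enable command in the secrets management section and the az iot ops identity assign command in this section) in preflight checks: it refuses to run either command while a value is still a <PLACEHOLDER> copied from the docs, or while the Azure CLI is older than the 2.64.0 this scenario requires. The az commands are the page's own; the environment variable names SECRETS_MI_NAME, CLOUD_MI_NAME and RUN_AZ, and the use of az version to read the CLI version, are this example's assumptions. Nothing is run against Azure unless RUN_AZ=1 is set.

```shell
#!/bin/sh
# Added example, not from the Azure IoT Operations documentation: preflight
# checks around `az iot ops secretsync enable` and `az iot ops identity assign`.
set -eu

# Return 0 when dotted version $1 is at least $2 (numeric fields, up to three).
version_ge() {
  have="$1"; need="$2"; i=1
  while [ "$i" -le 3 ]; do
    h=$(printf '%s' "$have" | cut -d. -f"$i"); n=$(printf '%s' "$need" | cut -d. -f"$i")
    h=${h:-0}; n=${n:-0}
    [ "$h" -gt "$n" ] && return 0
    [ "$h" -lt "$n" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Return 0 when a value is empty or still in the docs' <PLACEHOLDER> form.
is_placeholder() {
  case "$1" in
    ""|"<"*">") return 0 ;;
    *) return 1 ;;
  esac
}

# Check the CLI version ($1) and every remaining argument; report every
# problem found and return non-zero if there was at least one.
preflight() {
  az_ver="$1"; shift
  status=0
  version_ge "$az_ver" 2.64.0 || { echo "azure-cli $az_ver is older than 2.64.0; run az upgrade" >&2; status=1; }
  for value in "$@"; do
    is_placeholder "$value" && { echo "value '$value' is empty or still a placeholder" >&2; status=1; }
  done
  return "$status"
}

# Resource ID lookups from the page, with the names quoted.
mi_resource_id() { az identity show --name "$1" --resource-group "$2" --query id --output tsv; }
kv_resource_id() { az keyvault show --name "$1" --resource-group "$2" --query id --output tsv; }

# Secrets management step on this page: enable secret synchronization with the
# identity created for the Secret Store extension.
enable_secretsync() {
  instance="$1"; rg="$2"; mi_name="$3"; kv_name="$4"
  az iot ops secretsync enable --instance "$instance" --resource-group "$rg" \
    --mi-user-assigned "$(mi_resource_id "$mi_name" "$rg")" \
    --kv-resource-id "$(kv_resource_id "$kv_name" "$rg")"
}

# Cloud connections step on this page: assign the separate identity used by
# dataflow endpoints and other cloud connections.
assign_cloud_identity() {
  instance="$1"; rg="$2"; mi_name="$3"
  az iot ops identity assign --name "$instance" --resource-group "$rg" \
    --mi-user-assigned "$(mi_resource_id "$mi_name" "$rg")"
}

# Only touch Azure when explicitly asked (RUN_AZ=1, example convention).
if [ "${RUN_AZ:-0}" = 1 ]; then
  # `az version` prints JSON; the "azure-cli" key holds the CLI version.
  az_ver=$(az version --query '"azure-cli"' --output tsv)
  preflight "$az_ver" "${AIO_INSTANCE_NAME:-}" "${RESOURCE_GROUP:-}" \
    "${SECRETS_MI_NAME:-}" "${KEYVAULT_NAME:-}" "${CLOUD_MI_NAME:-}"
  enable_secretsync "$AIO_INSTANCE_NAME" "$RESOURCE_GROUP" "$SECRETS_MI_NAME" "$KEYVAULT_NAME"
  assign_cloud_identity "$AIO_INSTANCE_NAME" "$RESOURCE_GROUP" "$CLOUD_MI_NAME"
fi
```

Because set -e is active, a failed preflight stops the script before either az iot ops command runs, so a half-replaced variable block cannot create a federated credential or role assignment against the wrong identity. Keeping SECRETS_MI_NAME and CLOUD_MI_NAME as two separate inputs mirrors the page's recommendation to use a distinct identity for cloud connections.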