Quickstart: Create a service connection in AKS cluster with the Azure CLI

This quickstart shows you how to connect Azure Kubernetes Service (AKS) to other Cloud resources using Azure CLI and Service Connector. Service Connector lets you quickly connect compute services to cloud services, while managing your connection's authentication and networking settings.

If you don't have an Azure subscription, create an Azure free account before you begin.

Prerequisites

• Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.

  

• If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

  • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

• This quickstart requires version 2.30.0 or higher of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
• This quickstart assumes that you already have an AKS cluster. If you don't have one yet, create an AKS cluster.
• This quickstart assumes that you already have an Azure Storage account. If you don't have one yet, create an Azure Storage account.

Initial set-up

1. If you're using Service Connector for the first time, start by running the command az provider register to register the Service Connector and Kubernetes Configuration resource providers.

   az provider register -n Microsoft.ServiceLinker
   

   az provider register -n Microsoft.KubernetesConfiguration
   

   Tip

   You can check if these resource providers have already been registered by running the commands az provider show -n "Microsoft.ServiceLinker" --query registrationState and az provider show -n "Microsoft.KubernetesConfiguration" --query registrationState.

2. Optionally, use the Azure CLI command to get a list of supported target services for AKS cluster.

   az aks connection list-support-types --output table
   

Create a service connection

Using a workload identity

Important

Using Managed Identity requires you have the permission to Microsoft Entra ID role assignment. If you don't have the permission, your connection creation will fail. You can ask your subscription owner for the permission or use an access key to create the connection.

Use the Azure CLI command to create a service connection to a Blob Storage with a workload identity, providing the following information:

• Source compute service resource group name: the resource group name of the AKS cluster.
• AKS cluster name: the name of your AKS cluster that connects to the target service.
• Target service resource group name: the resource group name of the Blob Storage.
• Storage account name: the account name of your Blob Storage.
• User-assigned identity resource ID: the resource ID of the user assigned identity that is used to create workload identity

az aks connection create storage-blob \
    --workload-identity <user-identity-resource-id>

Note

If you don't have a Blob Storage, you can run az aks connection create storage-blob --new --workload-identity <user-identity-resource-id>" to provision a new one and get connected to your function app straightaway.

Using an access key

Warning

Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.

Run the following Azure CLI command to create a service connection to an Azure Blob Storage with an access key, providing the following information.

az aks connection create storage-blob --secret

Provide the following information as prompted:

• Source compute service resource group name: the resource group name of the AKS cluster.
• AKS cluster name: the name of your AKS cluster that connects to the target service.
• Target service resource group name: the resource group name of the Blob Storage.
• Storage account name: the account name of your Blob Storage.

Note

If you don't have a Blob Storage, you can run az aks connection create storage-blob --new --secret to provision a new one and connect it to your AKS cluster.

View connections

Use the Azure CLI az aks connection list command to list connections to your AKS Cluster, providing the following information:

• Source compute service resource group name: the resource group name of the AKS cluster.
• AKS cluster name: the name of your AKS cluster that connects to the target service.

az aks connection list \
    -g "<your-aks-cluster-resource-group>" \
    -n "<your-aks-cluster-name>" \
    --output table

Next steps

Go to the following tutorials to start connecting AKS cluster to Azure services with Service Connector.

Tutorial: Connect to Azure Key Vault using CSI driver

Tutorial: Connect to Azure Storage using workload identity