gMSA on Azure Kubernetes Service

Group Managed Service Accounts (gMSA) can be used on Azure Kubernetes Service (AKS) to support applications that require Active Directory for authentication purposes. The configuration of gMSA on AKS requires you to properly set up the following services and settings: AKS, Azure Key Vault, Active Directory, credential specs, etc. In order to streamline this process, you can use the PowerShell module below. This module was tailor-made for simplifying the process of configuring gMSA on AKS by removing the complexity of setting up different services.

Environment requirements

In order to deploy gMSA on AKS, you will need the following:

Install the gMSA on AKS PowerShell Module

To get started, download the PowerShell Module from the PowerShell gallery:

Install-Module -Name AksGMSA -Repository PSGallery -Force

Note

The gMSA on AKS PowerShell module is updated frequently. If you ran the steps in this tutorial before and are now checking back for new configurations, make sure you update the module to the latest version. More information on the module can be found on the PowerShell Gallery page.

Module requirements

The gMSA on AKS PowerShell module relies on different modules and tools. In order to install these requirements, run the following on an elevated session:

Install-ToolingRequirements

Login with your Azure credential

You will need to be logged in to Azure with your credentials for the gMSA on AKS PowerShell module to properly configure your AKS cluster. To log into Azure via PowerShell, run the following:

Connect-AzAccount -DeviceCode -Subscription "<SUBSCRIPTION_ID>"

You also need to log in with the Azure CLI, as the PowerShell module also uses that in the background:

az login --use-device-code
az account set --subscription "<SUBSCRIPTION_ID>"

Setting up required inputs for gMSA on AKS module

Throughout the configuration of gMSA on AKS, many inputs will be needed, such as your AKS cluster name, Azure Resource Group name, the region to deploy the necessary assets to, the Active Directory domain name, and more. To streamline the process below, we created an input command that gathers all the necessary values and stores them in a variable that is then used by the commands that follow.

To start, run the following:

$params = Get-AksGMSAParameters

After running the command, provide the necessary inputs until the command finishes. From now on, you can simply copy and paste the commands as shown in this page.

Connect to your AKS cluster

While using the gMSA on AKS PowerShell module, you will be connecting to the AKS cluster you want to configure. The gMSA on AKS PowerShell module relies on the kubectl connection. To connect to your cluster, run the following (because you provided the inputs above, you can simply copy and paste the command below into your PowerShell session):

Import-AzAksCredential -Force `
-ResourceGroupName $params["aks-cluster-rg-name"] `
-Name $params["aks-cluster-name"]
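The steps above chained into one script, with the checks a practitioner would want before moving on: the module is at the latest gallery version, the tooling requirements are only installed from an elevated session, Az PowerShell and the Azure CLI point at the same subscription, and kubectl ends up targeting the cluster. This is an added example, not code from the module or the original page; `<SUBSCRIPTION_ID>` is a placeholder and the `$params` keys are the ones shown above.

```powershell
# Added example: run the setup steps in order and stop at the first inconsistency.
$ErrorActionPreference = 'Stop'
$subscriptionId = '<SUBSCRIPTION_ID>'   # placeholder, replace with your own

# 1. Ensure the AksGMSA module is installed and matches the latest gallery version
#    (the module is updated frequently, so a stale copy is a common source of trouble).
$installed = Get-InstalledModule -Name AksGMSA -ErrorAction SilentlyContinue
$latest    = Find-Module -Name AksGMSA -Repository PSGallery
if (-not $installed) {
    Install-Module -Name AksGMSA -Repository PSGallery -Force
} elseif ([version]$installed.Version -lt [version]$latest.Version) {
    Update-Module -Name AksGMSA -Force
}
Import-Module AksGMSA

# 2. Install-ToolingRequirements needs an elevated session; fail early otherwise
#    instead of running the rest of the setup as an administrator by default.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Install-ToolingRequirements must run from an elevated PowerShell session."
}
Install-ToolingRequirements

# 3. The module drives both Az PowerShell and the Azure CLI, so both contexts
#    must be on the same subscription or later commands act on the wrong tenant.
$ctx = Get-AzContext
if (-not $ctx -or $ctx.Subscription.Id -ne $subscriptionId) {
    Connect-AzAccount -DeviceCode -Subscription $subscriptionId | Out-Null
}
$cliSub = az account show --query id -o tsv 2>$null
if ($cliSub -ne $subscriptionId) {
    az login --use-device-code | Out-Null
    az account set --subscription $subscriptionId
}

# 4. Collect the inputs once; the hashtable is reused by every later command.
$params = Get-AksGMSAParameters

# 5. Fetch cluster credentials and confirm kubectl now points at that cluster
#    (Import-AzAksCredential names the kubeconfig context after the cluster).
Import-AzAksCredential -Force `
    -ResourceGroupName $params["aks-cluster-rg-name"] `
    -Name $params["aks-cluster-name"]
$current = kubectl config current-context
if ($current -ne $params["aks-cluster-name"]) {
    throw "kubectl context is '$current', expected '$($params["aks-cluster-name"])'."
}
```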

Next steps