How-To: Configure the Azure cloud provider with Azure workload identity
The Azure provider allows you to deploy and connect to Azure resources from a self-hosted Radius Environment. It can be configured interactively with `rad init --full` or manually with `rad install kubernetes`; both paths are described below.
Prerequisites
- Azure subscription
- az CLI
- rad CLI
- Set up a supported Kubernetes cluster
- The cluster's OIDC Issuer URL. On AKS it can be read with `az aks show -g <resource-group> -n <cluster> --query oidcIssuerProfile.issuerUrl -o tsv`; it must be copied exactly (including any trailing slash) because Entra ID matches it byte for byte.
- Azure AD Workload Identity installed in your cluster, including the Mutating Admission Webhook that projects the federated token into pods
Setup the Azure Workload Identity for Radius
To authorize Radius to connect to Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group and 3 federated credentials (one for each of the Radius services). The 3 federated credentials should be created with the Kubernetes ServiceAccounts for each of the Radius services (applications-rp, bicep-de, and ucp) in the radius-system namespace and the OIDC Issuer for your Kubernetes cluster.
Below is an example script that will create an Entra ID Application and set up the federated credentials necessary for Radius to authenticate with Azure using Azure workload identity.
```bash
#!/bin/bash
set -euo pipefail

if [ "$#" -ne 4 ]; then
  echo "Usage: $0 <K8S_CLUSTER_NAME> <AZURE_RESOURCE_GROUP> <AZURE_SUBSCRIPTION_ID> <OIDC_ISSUER_URL>"
  exit 1
fi

export K8S_CLUSTER_NAME=$1
export AZURE_RESOURCE_GROUP=$2
export AZURE_SUBSCRIPTION_ID=$3
# Must match the cluster's OIDC issuer exactly, including any trailing slash
export SERVICE_ACCOUNT_ISSUER=$4

# Create the Entra ID Application and capture its client ID (appId) and object ID
export APPLICATION_NAME="${K8S_CLUSTER_NAME}-radius-app"
export APPLICATION_CLIENT_ID="$(az ad app create --display-name "${APPLICATION_NAME}" --query appId -o tsv)"
export APPLICATION_OBJECT_ID="$(az ad app show --id "${APPLICATION_CLIENT_ID}" --query id -o tsv)"

# Create one federated credential per Radius service. The subject must be the
# exact Kubernetes ServiceAccount (system:serviceaccount:<namespace>:<name>) and
# the audience must be api://AzureADTokenExchange, otherwise the token exchange fails.
for SERVICE in applications-rp bicep-de ucp; do
  cat <<EOF > "params-${SERVICE}.json"
{
  "name": "radius-${SERVICE}",
  "issuer": "${SERVICE_ACCOUNT_ISSUER}",
  "subject": "system:serviceaccount:radius-system:${SERVICE}",
  "description": "Kubernetes service account federated credential for ${SERVICE}",
  "audiences": [
    "api://AzureADTokenExchange"
  ]
}
EOF
  az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters "@params-${SERVICE}.json"
done

# Create the service principal and grant it access to the resource group.
# Assigning by object ID with an explicit principal type avoids the directory
# replication delay that can make a freshly created principal unresolvable.
# Owner lets Radius create role assignments as well as resources inside the
# resource group; use a narrower role if your Recipes do not need that.
export SP_OBJECT_ID="$(az ad sp create --id "${APPLICATION_CLIENT_ID}" --query id -o tsv)"
az role assignment create \
  --assignee-object-id "${SP_OBJECT_ID}" \
  --assignee-principal-type ServicePrincipal \
  --role "Owner" \
  --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}"
```
Now that the setup is complete, you can install Radius with Azure workload identity enabled.
Interactive configuration
- Initialize a new environment with `rad init --full`:

```
rad init --full
```

- Follow the prompts, specifying:
  - Namespace - The Kubernetes namespace where your application containers and networking resources will be deployed (different from the Radius control-plane namespace, `radius-system`)
  - Add an Azure provider
  - Pick the subscription and resource group to deploy your Azure resources to.
  - Select the "Workload Identity" option
  - Enter the `appId` and the `tenantID` of the Entra ID Application
  - Environment name - The name of the environment to create

You should see the following output:

```
Initializing Radius...
✅ Install Radius edge
   - Kubernetes cluster: k3d-k3s-default
   - Kubernetes namespace: radius-system
   - Azure credential: WorkloadIdentity
   - Client ID: **********
✅ Create new environment default
   - Kubernetes namespace: default
   - Azure: subscription ***** and resource group ***
✅ Scaffold application samples
✅ Update local configuration

Initialization complete! Have a RAD time 😎
```
Manual configuration
- Use `rad install kubernetes` to install Radius with Azure workload identity enabled:

```
rad install kubernetes --set global.azureWorkloadIdentity.enabled=true
```

- Create your resource group and environment:

```
rad group create default
rad env create default
```

- Use `rad env update` to update your Radius Environment with your Azure subscription ID and Azure resource group (the environment name must match the one created above):

```
rad env update default --azure-subscription-id myAzureSubscriptionId --azure-resource-group myAzureResourceGroup
```

- Use `rad credential register azure wi` to add the Azure workload identity credentials:

```
rad credential register azure wi --client-id myClientId --tenant-id myTenantId
```

Radius will use the provided client-id for all interactions with Azure, including Bicep and Recipe deployments.
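Once Radius is installed with workload identity enabled, the webhook projects a Kubernetes service-account token into each Radius pod and Radius exchanges that token at Entra ID. The exchange succeeds only if the token's `iss`, `sub` and `aud` claims match the federated credential byte for byte, and the usual failure is a mismatched issuer URL (trailing slash) or subject. The following script is an added verification example, not Radius project code: it decodes a token's payload and checks the three claims against what the federated credential expects. The sample token, issuer and subject embedded in it are constructed for offline use, the token path `/var/run/secrets/azure/tokens/azure-identity-token` is the one the Azure AD Workload Identity webhook projects, and the `deploy/ucp` Deployment name in the live-cluster comment is an assumption.

```shell
#!/bin/bash
# Added verification example (not Radius project code): decode the projected
# service-account token that a Radius pod presents to Entra ID and check that
# its iss, sub and aud claims match the federated credential created for that
# service. A mismatch in any of the three fails the token exchange.

# Base64url helpers: JWT segments use the URL alphabet and drop '=' padding.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

b64url_decode() {
  local s
  s="$(printf '%s' "$1" | tr '_-' '/+')"
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the JSON payload (second segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract a string claim from a flat JSON object without jq. The projected
# token carries "aud" as a one-element array, which this also handles.
json_claim() {
  printf '%s' "$1" \
    | grep -oE "\"$2\":[[:space:]]*\[?\"[^\"]*\"" \
    | head -n 1 \
    | sed -E 's/.*"([^"]*)"$/\1/'
}

# check_token TOKEN EXPECTED_ISSUER EXPECTED_SUBJECT
# Returns 0 when iss, sub and aud all match the federated credential; otherwise
# prints each mismatch and returns 1. Entra ID compares issuer and subject
# exactly, so a trailing slash or case difference on the issuer is a mismatch.
check_token() {
  local token="$1" want_iss="$2" want_sub="$3" want_aud="api://AzureADTokenExchange"
  local payload iss sub aud rc=0
  payload="$(jwt_payload "$token")"
  iss="$(json_claim "$payload" iss)"
  sub="$(json_claim "$payload" sub)"
  aud="$(json_claim "$payload" aud)"
  [ "$iss" = "$want_iss" ] || { echo "iss mismatch: token='$iss' federated credential='$want_iss'"; rc=1; }
  [ "$sub" = "$want_sub" ] || { echo "sub mismatch: token='$sub' federated credential='$want_sub'"; rc=1; }
  [ "$aud" = "$want_aud" ] || { echo "aud mismatch: token='$aud' expected='$want_aud'"; rc=1; }
  return "$rc"
}

# Constructed sample token for offline use. It is NOT a real token: header and
# payload are hand-built and the signature segment is a placeholder, since this
# check only inspects claims. The issuer follows the shape of an AKS issuer URL.
SAMPLE_ISSUER="https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111/"
SAMPLE_SUBJECT="system:serviceaccount:radius-system:ucp"
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"sample"}').$(b64url_encode "{\"aud\":[\"api://AzureADTokenExchange\"],\"iss\":\"${SAMPLE_ISSUER}\",\"sub\":\"${SAMPLE_SUBJECT}\",\"exp\":1700000000}").c2lnbmF0dXJl"

# Against a live cluster (assumes kubectl access and that the Radius
# Deployments carry the same names as their ServiceAccounts):
#   TOKEN="$(kubectl -n radius-system exec deploy/ucp -- cat /var/run/secrets/azure/tokens/azure-identity-token)"
#   ISSUER="$(az aks show -g <resource-group> -n <cluster> --query oidcIssuerProfile.issuerUrl -o tsv)"
#   check_token "$TOKEN" "$ISSUER" system:serviceaccount:radius-system:ucp
if check_token "$SAMPLE_TOKEN" "$SAMPLE_ISSUER" "$SAMPLE_SUBJECT"; then
  echo "token claims match the federated credential"
fi
```

Run the same check once per Radius service (`applications-rp`, `bicep-de`, `ucp`), pairing each pod's token with the subject of its own federated credential; the token is only readable from inside the pod, so do not copy it anywhere persistent.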