Add documentation for Azure workload identity (#1138)

* Add workload identity docs Signed-off-by: Reshma Abdul Rahim <[email protected]> * Add workload identity docs Signed-off-by: Reshma Abdul Rahim <[email protected]> * Updating with wi script Signed-off-by: willdavsmith <[email protected]> * oops Signed-off-by: willdavsmith <[email protected]> * edits Signed-off-by: willdavsmith <[email protected]> * Add dets Signed-off-by: Reshma Abdul Rahim <[email protected]> * Add dets Signed-off-by: Reshma Abdul Rahim <[email protected]> * Fix spelling errors Signed-off-by: Reshma Abdul Rahim <[email protected]> * Fix snippets visualization Signed-off-by: Reshma Abdul Rahim <[email protected]> * Update docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md Signed-off-by: Reshma Abdul Rahim <[email protected]> * Update docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md Signed-off-by: Reshma Abdul Rahim <[email protected]> * Update docs/content/guides/operations/providers/azure-provider/howto-azure-provider-sp/index.md Co-authored-by: Will <[email protected]> Signed-off-by: Reshma Abdul Rahim <[email protected]> * Address feedback Signed-off-by: Reshma Abdul Rahim <[email protected]> * Fix spelling Signed-off-by: Reshma Abdul Rahim <[email protected]> * Fix spelling Signed-off-by: Reshma Abdul Rahim <[email protected]> --------- Signed-off-by: Reshma Abdul Rahim <[email protected]> Signed-off-by: willdavsmith <[email protected]> Signed-off-by: Reshma Abdul Rahim <[email protected]> Co-authored-by: willdavsmith <[email protected]> Co-authored-by: Will <[email protected]>
radius-project · Jun 21, 2024 · d1d195b · d1d195b
1 parent 7ffc377
commit d1d195b
Show file tree

Hide file tree

Showing 13 changed files with 202 additions and 22 deletions.
diff --git a/.github/config/en-custom.txt b/.github/config/en-custom.txt
@@ -1245,3 +1245,6 @@ ProviderConfigProperties
 enableWebsockets
 websocket
 sp
+azwi
+Entra
+ServiceAccounts
diff --git a/docs/content/guides/author-apps/aws/howto-aws-resources/index.md b/docs/content/guides/author-apps/aws/howto-aws-resources/index.md
@@ -49,7 +49,7 @@ Follow the prompts to install the [control plane services]({{< ref "/concepts/te
 - **Namespace** - When an application is deployed, this is the namespace where your containers and other Kubernetes resources will be run. By default, this will be in the `default` namespace.
 {{% alert title="💡 About namespaces" color="success" %}} When you initialize a Radius Kubernetes environment, Radius installs the control plane resources within    the `radius-system` namespace in your cluster, separate from your applications. The namespace specified in this step will be used for your application deployments.
 {{% /alert %}}
-- **Add AWS provider** - An [AWS cloud provider]({{< ref "/guides/operations/providers/howto-aws-provider" >}}) allows you to deploy and manage AWS resources as part of your application. Enter 'y' and follow the instructions. Provide a valid AWS region and the values obtained for IAM Access Key ID and IAM Secret Access Keys.
+- **Add AWS provider** - An [AWS cloud provider]({{< ref "/guides/operations/providers/aws-provider" >}}) allows you to deploy and manage AWS resources as part of your application. Follow the how-to guides to [configure the AWS provider]({{< ref "/guides/operations/providers/aws-provider/howto-aws-provider" >}}) with the preferred identity.
 - **Environment name** - The name of the environment to create. You can specify any name with lowercase letters, such as `myawsenv`.
 
 ## Step 3: Create a Bicep file to model AWS Simple Storage Service (S3)

diff --git a/docs/content/guides/author-apps/aws/overview/index.md b/docs/content/guides/author-apps/aws/overview/index.md
@@ -14,7 +14,7 @@ Radius uses the [AWS Cloud Control API](https://docs.aws.amazon.com/cloudcontrol
 
 ## Configure an AWS Provider
 
-The AWS provider allows you to deploy and connect to AWS resources from a Radius Environment on an EKS cluster. To configure an AWS provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/howto-aws-provider" >}}).
+The AWS provider allows you to deploy and connect to AWS resources from a Radius Environment on an EKS cluster. To configure an AWS provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/aws-provider" >}}).
 
 ## Example
 

diff --git a/docs/content/guides/author-apps/azure/overview/index.md b/docs/content/guides/author-apps/azure/overview/index.md
@@ -12,7 +12,7 @@ Radius Applications are able to connect to and leverage every Azure resource wit
 
 ## Configure an Azure Provider
 
-The Azure provider allows you to deploy and connect to Azure resources from a Radius Environment on any of the [supported clusters]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}}). To configure an Azure provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/howto-azure-provider" >}}).
+The Azure provider allows you to deploy and connect to Azure resources from a Radius Environment on any of the [supported clusters]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}}). To configure an Azure provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/azure-provider" >}}).
 
 ## Resource library
 

diff --git a/docs/content/guides/deploy-apps/environments/howto-environment/index.md b/docs/content/guides/deploy-apps/environments/howto-environment/index.md
@@ -83,8 +83,8 @@ Radius Environments can be setup with the rad CLI via two paths: interactive or
 
 1. Follow the prompts, specifying:
    - **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`)
-   - **Azure provider** (optional) - Allows you to [deploy and manage Azure resources]({{< ref "/guides/operations/providers/howto-azure-provider" >}})
-   - **AWS provider** (optional) - Allows you to [deploy and manage AWS resources]({{< ref "/guides/operations/providers/howto-aws-provider" >}})
+   - **Azure provider** (optional) - Allows you to [deploy and manage Azure resources]({{< ref "/guides/operations/providers/azure-provider" >}})
+   - **AWS provider** (optional) - Allows you to [deploy and manage AWS resources]({{< ref "/guides/operations/providers/aws-provider" >}})
    - **Environment name** - The name of the environment to create
 
    You should see the following output:

diff --git a/docs/content/guides/operations/providers/aws-provider/_index.md b/docs/content/guides/operations/providers/aws-provider/_index.md
@@ -0,0 +1,7 @@
+---
+type: docs
+title: "AWS provider"
+linkTitle: "AWS provider"
+description: "Deploy and connect to AWS resources"
+weight: 300
+---
diff --git a/...ons/providers/howto-aws-provider/index.md → .../aws-provider/howto-aws-provider/index.md b/...ons/providers/howto-aws-provider/index.md → .../aws-provider/howto-aws-provider/index.md
@@ -1,8 +1,8 @@
 ---
 type: docs
-title: "How-To: Configure the AWS cloud provider"
-linkTitle: "Configure AWS provider"
-description: "Learn how to configure the AWS provider for your Radius Environment"
+title: "How-To: Configure the AWS cloud provider with IAM Access key"
+linkTitle: "AWS provider with IAM Access key"
+description: "Learn how to configure the AWS provider with IAM Access key for your Radius Environment"
 weight: 300
 categories: "How-To"
 tags: ["AWS"]

diff --git a/docs/content/guides/operations/providers/azure-provider/_index.md b/docs/content/guides/operations/providers/azure-provider/_index.md
@@ -0,0 +1,7 @@
+---
+type: docs
+title: "Azure provider"
+linkTitle: "Azure providers"
+description: "Deploy and connect to Azure resources"
+weight: 200
+---
diff --git a/...s/providers/howto-azure-provider/index.md → ...provider/howto-azure-provider-sp/index.md b/...s/providers/howto-azure-provider/index.md → ...provider/howto-azure-provider-sp/index.md
@@ -1,9 +1,9 @@
 ---
 type: docs
-title: "How-To: Configure the Azure cloud provider"
-linkTitle: "Configure Azure provider"
-description: "Learn how to configure the Azure provider for your Radius Environment"
-weight: 200
+title: "How-To: Configure the Azure cloud provider with Service Principal"
+linkTitle: "Azure provider with Service Principal"
+description: "Learn how to configure the Azure provider with Service Principal for your Radius Environment"
+weight: 100
 categories: "How-To"
 tags: ["Azure"]
 ---
@@ -29,8 +29,10 @@ The Azure provider allows you to deploy and connect to Azure resources from a se
 
 1. Follow the prompts, specifying:
    - **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`)
-   - **Add an Azure provider** - Pick the subscription and resource group to deploy your Azure resources to
-      Run `az ad sp create-for-rbac` to create a Service Principal without a role assignment and obtain your `appId`, `displayName`, `password`, and `tenant` information.
+   - **Add an Azure provider** 
+      1. Pick the subscription and resource group to deploy your Azure resources to
+      2. Select the "Service Principal" option
+      3. Run `az ad sp create-for-rbac` to create a Service Principal without a role assignment and obtain your `appId`, `displayName`, `password`, and `tenant` information.
 
       ```
          {
@@ -85,7 +87,7 @@ The Azure provider allows you to deploy and connect to Azure resources from a se
 1. Use [`rad credential register azure`]({{< ref rad_credential_register_azure >}}) to add the Azure service principal to your Radius installation:
 
     ```bash
-    rad credential register azure --client-id myClientId  --client-secret myClientSecret  --tenant-id myTenantId
+    rad credential register azure sp --client-id myClientId  --client-secret myClientSecret  --tenant-id myTenantId
     ```
 
     Radius will use the provided service principal for all interactions with Azure, including Bicep and Recipe deployments.
diff --git a/...ent/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md b/...ent/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md
@@ -0,0 +1,97 @@
+---
+type: docs
+title: "How-To: Configure the Azure cloud provider with Azure workload identity"
+linkTitle: "Azure provider with Workload identity"
+description: "Learn how to configure the Azure provider with Azure workload identity for your Radius Environment"
+weight: 200
+categories: "How-To"
+tags: ["Azure"]
+---
+
+The Azure provider allows you to deploy and connect to Azure resources from a self-hosted Radius Environment. It can be configured:
+
+- [Interactively via `rad init`](#interactive-configuration)
+- [Manually via `rad env update` and `rad credential register`](#manual-configuration)
+
+## Prerequisites
+
+- [Azure subscription](https://azure.com)
+- [az CLI](https://aka.ms/azcli)
+- [rad CLI]({{< ref "installation#step-1-install-the-rad-cli" >}})
+- [Setup a supported Kubernetes cluster]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}})
+  - You will need the cluster's OIDC Issuer URL. [AKS Example](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html#azure-kubernetes-service-aks)
+- [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation.html) installed in your cluster, including the [Mutating Admission Webhook](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html)
+
+## Setup the Azure Workload Identity for Radius
+
+To authorize Radius to connect to Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group and 3 federated credentials (one for each of the Radius services). The 3 federated credentials should be created with the Kubernetes ServiceAccounts for each of the Radius services (applications-rp, bicep-de, and ucp) in the `radius-system` namespace and the OIDC Issuer for your Kubernetes cluster.
+
+Below is an example script that will create an Entra ID Application and set up the federated credentials necessary for Radius to authenticate with Azure using Azure workload identity.
+
+{{< rad file="snippets/install-radius-azwi.sh" embed=true lang=bash >}}
+
+Now that the setup is complete, you can now install Radius with Azure workload identity enabled.
+
+## Interactive configuration
+
+1. Initialize a new environment with [`rad init --full`]({{< ref rad_init >}}):
+
+   ```bash
+   rad init --full
+   ```
+
+1. Follow the prompts, specifying:
+   - **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`)
+   - **Add an Azure provider** 
+      1. Pick the subscription and resource group to deploy your Azure resources to.
+      2. Select the "Workload Identity" option
+      3. Enter the `appId` and the `tenantID` of the Entra ID Application
+   - **Environment name** - The name of the environment to create
+
+   You should see the following output:
+
+      ```
+      Initializing Radius...
+
+      ✅ Install Radius {{< param version >}}
+         - Kubernetes cluster: k3d-k3s-default
+         - Kubernetes namespace: radius-system
+         - Azure credential: WorkloadIdentity                                                       
+         - Client ID: **********
+      ✅ Create new environment default
+         - Kubernetes namespace: default
+         - Azure: subscription ***** and resource group ***
+      ✅ Scaffold application samples
+      ✅ Update local configuration
+
+      Initialization complete! Have a RAD time 😎
+      ```
+
+## Manual configuration
+
+1. Use [`rad install kubernetes`]({{< ref rad_install_kubernetes >}}) to install Radius with Azure workload identity enabled:
+
+    ```bash
+    rad install kubernetes --set global.azureWorkloadIdentity.enabled=true
+    ```
+
+1. Create your resource group and environment:
+
+    ```bash
+    rad group create default
+    rad env create default
+    ```
+
+1. Use [`rad env update`]({{< ref rad_env_update >}}) to update your Radius Environment with your Azure subscription ID and Azure resource group:
+
+    ```bash
+    rad env update myEnvironment --azure-subscription-id myAzureSubscriptionId --azure-resource-group  myAzureResourceGroup
+    ```
+
+1. Use [`rad credential register azure wi`]({{< ref rad_credential_register_azure_wi >}}) to add the Azure workload identity credentials:
+
+    ```bash
+    rad credential register azure wi --client-id myClientId --tenant-id myTenantId
+    ```
+
+    Radius will use the provided client-id for all interactions with Azure, including Bicep and Recipe deployments.
diff --git a/...erations/providers/azure-provider/howto-azure-provider-wi/snippets/install-radius-azwi.sh b/...erations/providers/azure-provider/howto-azure-provider-wi/snippets/install-radius-azwi.sh
@@ -0,0 +1,63 @@
+if [ "$#" -ne 4 ]; then
+    echo "Usage: $0 <K8S_CLUSTER_NAME> <AZURE_RESOURCE_GROUP> <AZURE_SUBSCRIPTION_ID> <OIDC_ISSUER_URL>"
+    exit 1
+fi
+
+export K8S_CLUSTER_NAME=$1
+export AZURE_RESOURCE_GROUP=$2
+export AZURE_SUBSCRIPTION_ID=$3
+export SERVICE_ACCOUNT_ISSUER=$4
+
+# Create the Entra ID Application
+export APPLICATION_NAME="${K8S_CLUSTER_NAME}-radius-app"
+az ad app create --display-name "${APPLICATION_NAME}"
+
+# Get the client ID and object ID of the application
+export APPLICATION_CLIENT_ID="$(az ad app list --display-name "${APPLICATION_NAME}" --query [].appId -o tsv)"
+export APPLICATION_OBJECT_ID="$(az ad app show --id "${APPLICATION_CLIENT_ID}" --query id -otsv)"
+
+# Create the applications-rp federated credential for the application
+cat <<EOF > params-applications-rp.json
+{
+  "name": "radius-applications-rp",
+  "issuer": "${SERVICE_ACCOUNT_ISSUER}",
+  "subject": "system:serviceaccount:radius-system:applications-rp",
+  "description": "Kubernetes service account federated credential for applications-rp",
+  "audiences": [
+    "api://AzureADTokenExchange"
+  ]
+}
+EOF
+az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-applications-rp.json
+
+# Create the bicep-de federated credential for the application
+cat <<EOF > params-bicep-de.json
+{
+  "name": "radius-bicep-de",
+  "issuer": "${SERVICE_ACCOUNT_ISSUER}",
+  "subject": "system:serviceaccount:radius-system:bicep-de",
+  "description": "Kubernetes service account federated credential for bicep-de",
+  "audiences": [
+    "api://AzureADTokenExchange"
+  ]
+}
+EOF
+az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-bicep-de.json
+
+# Create the ucp federated credential for the application
+cat <<EOF > params-ucp.json
+{
+  "name": "radius-ucp",
+  "issuer": "${SERVICE_ACCOUNT_ISSUER}",
+  "subject": "system:serviceaccount:radius-system:ucp",
+  "description": "Kubernetes service account federated credential for ucp",
+  "audiences": [
+    "api://AzureADTokenExchange"
+  ]
+}
+EOF
+az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-ucp.json
+
+# Set the permissions for the application
+az ad sp create --id ${APPLICATION_CLIENT_ID}
+az role assignment create --assignee "${APPLICATION_CLIENT_ID}" --role "Owner" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}"
diff --git a/docs/content/guides/operations/providers/overview/index.md b/docs/content/guides/operations/providers/overview/index.md
@@ -12,9 +12,10 @@ Radius cloud providers allow you to deploy and connect to cloud resources across
 
 {{< image src="providers-overview.png" alt="Diagram of cloud resources getting forwarded to cloud platforms upon deployment" width="800px" >}}
 
-## Supported cloud providers
+## Supported cloud providers and identities
 
-| Provider | Description |
-|----------|-------------|
-| [Microsoft Azure]({{< ref howto-azure-provider >}}) | Deploy and connect to Azure resources |
-| [Amazon Web Services]({{< ref howto-aws-provider >}}) | Deploy and connect to AWS resources |
+| Provider | Identity | Description |
+|----------|----------|-------------|
+| [Microsoft Azure]({{< ref azure-provider >}}) | [Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) | Deploy and connect to Azure resources using Service Principal |
+| | [Workload Identity](https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview) | Deploy and connect to Azure resources using Workload Identity |
+| [Amazon Web Services]({{< ref aws-provider >}}) | [IAM access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) | Deploy and connect to AWS resources using IAM Access Key |
diff --git a/docs/content/tutorials/tutorial-recipe/index.md b/docs/content/tutorials/tutorial-recipe/index.md
@@ -154,7 +154,7 @@ This step requires an Azure subscription or an AWS account to deploy cloud resou
    ```
 1. Manually add the Azure cloud provider to your Radius Environment
 
-   Follow the steps [here]({{< ref "howto-azure-provider#manual-configuration" >}}) to add the Azure cloud provider to your existing environment.
+   Follow the how-to-guides [here]({{< ref "azure-provider" >}}) to add the Azure cloud provider to your existing environment.
 
 1. Register the Recipe to your Radius Environment:
 
@@ -229,7 +229,7 @@ This step requires an Azure subscription or an AWS account to deploy cloud resou
 
 1. Manually add the AWS cloud provider to your Radius Environment
 
-   Follow the steps [here]({{< ref "howto-aws-provider#manual-configuration" >}}) to add the AWS cloud provider to your existing environment
+   Follow the steps [here]({{< ref "aws-provider" >}}) to add the AWS cloud provider to your existing environment
 
 1. Register the Recipe to your Radius Environment: