
Microsoft ABS Workload Identity


With Microsoft ABS Workload Identity, Ververica Platform and its Flink jobs access Azure Blob Storage on AKS using a federated managed identity. No connection string, account key, or Kubernetes secret is required. This feature applies to Ververica Platform self-managed on AKS.

Prerequisites

Before you configure Workload Identity, ensure the following are in place:

  • An AKS cluster with the OIDC issuer and Workload Identity enabled.
  • A standard (GPv2) Azure storage account and a blob container. Hierarchical Namespace (HNS) is not required.
  • A user-assigned managed identity that holds the Storage Blob Data Contributor role on the storage account.
  • A federated credential on that managed identity for each Ververica Platform service account the chart deploys, using the subject system:serviceaccount:<namespace>:<service-account> and audience api://AzureADTokenExchange.

Service Accounts

The chart deploys the following service accounts, each of which requires a federated credential:

Namespace     Service Account
vvp-system    vvp-appmanager
vvp-system    vvp-gateway
vvp-system    flink-vvp-sa-vvc
vvp-system    flink-vvp-sql-jar-nginx-sa-vvc
vvp-system    vvp-autopilot
vvp-deploy    flink-job-sa-vvc (Flink JobManager)
vvp-deploy    vvr-task-manager-vvc (Flink TaskManager)

Create a federated credential for each service account using the following script:

BASH
# Replace the <resource-group>, <aks-cluster>, and <your-managed-identity> placeholders with your own.
# The OIDC issuer URL is read from the AKS cluster; it must match the issuer in each federated credential.
AKS_OIDC_ISSUER=$(az aks show -g <resource-group> -n <aks-cluster> \
  --query "oidcIssuerProfile.issuerUrl" -o tsv)
for entry in \
  "vvp-system:vvp-appmanager" \
  "vvp-system:vvp-gateway" \
  "vvp-system:flink-vvp-sa-vvc" \
  "vvp-system:flink-vvp-sql-jar-nginx-sa-vvc" \
  "vvp-system:vvp-autopilot" \
  "vvp-deploy:flink-job-sa-vvc" \
  "vvp-deploy:vvr-task-manager-vvc"; do
  ns="${entry%%:*}"; sa="${entry##*:}"
  az identity federated-credential create \
    --name "vvp-${ns}-${sa}" \
    --identity-name <your-managed-identity> \
    --resource-group <resource-group> \
    --issuer "$AKS_OIDC_ISSUER" \
    --subject "system:serviceaccount:${ns}:${sa}" \
    --audience api://AzureADTokenExchange
done
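A token exchange only succeeds when the subject, issuer, and audience of a federated credential all match exactly, so a drift check against the table above is worth running after the script. The following is an added example, not part of the Ververica documentation or chart: it reads the JSON produced by `az identity federated-credential list -o json` (field names `subject`, `issuer`, `audiences` are assumed from that output), reports service accounts whose credential is missing or unusable, and flags credentials for subjects the chart does not deploy, since those let other workloads use the same identity. The embedded sample data is constructed.

```python
import json
import sys

AUDIENCE = "api://AzureADTokenExchange"
# Service accounts the chart deploys, as listed in the table above.
CHART_SERVICE_ACCOUNTS = [
    ("vvp-system", "vvp-appmanager"),
    ("vvp-system", "vvp-gateway"),
    ("vvp-system", "flink-vvp-sa-vvc"),
    ("vvp-system", "flink-vvp-sql-jar-nginx-sa-vvc"),
    ("vvp-system", "vvp-autopilot"),
    ("vvp-deploy", "flink-job-sa-vvc"),
    ("vvp-deploy", "vvr-task-manager-vvc"),
]
EXPECTED_SUBJECTS = {f"system:serviceaccount:{ns}:{sa}" for ns, sa in CHART_SERVICE_ACCOUNTS}


def check_credentials(credentials, issuer):
    """Return {subject: reason} for chart service accounts whose federated credential is
    missing or unusable, plus credentials for subjects the chart does not deploy.
    `credentials` is the parsed `az identity federated-credential list -o json` output."""
    by_subject = {}
    for cred in credentials:
        by_subject.setdefault(cred["subject"], []).append(cred)
    problems = {}
    for subject in EXPECTED_SUBJECTS:
        matches = by_subject.get(subject, [])
        if not matches:
            problems[subject] = "missing"
        elif not any(c["issuer"] == issuer and AUDIENCE in c.get("audiences", []) for c in matches):
            # Entra ID rejects the exchange unless issuer and audience match exactly.
            problems[subject] = "issuer or audience mismatch"
    # A credential whose subject the chart does not deploy widens who can use this identity.
    for subject in by_subject.keys() - EXPECTED_SUBJECTS:
        problems[subject] = "subject not deployed by the chart"
    return problems


# Constructed sample standing in for real az output: one correct, one wrong audience, one stray.
SAMPLE_ISSUER = "https://example.oic.prod-aks.azure.com/<tenant-id>/<cluster-id>/"
SAMPLE_CREDENTIALS = [
    {"subject": "system:serviceaccount:vvp-system:vvp-appmanager", "issuer": SAMPLE_ISSUER, "audiences": [AUDIENCE]},
    {"subject": "system:serviceaccount:vvp-system:vvp-gateway", "issuer": SAMPLE_ISSUER, "audiences": ["api://wrong"]},
    {"subject": "system:serviceaccount:default:debug-sa", "issuer": SAMPLE_ISSUER, "audiences": [AUDIENCE]},
]

if __name__ == "__main__":
    # With an issuer URL argument, read real az output from stdin; otherwise run on the sample.
    creds = json.load(sys.stdin) if len(sys.argv) > 1 else SAMPLE_CREDENTIALS
    issuer = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_ISSUER
    for subject, reason in sorted(check_credentials(creds, issuer).items()):
        print(f"{reason}: {subject}")
```

Real use: `az identity federated-credential list --identity-name <your-managed-identity> -g <resource-group> -o json | python3 check_fic.py "$AKS_OIDC_ISSUER"`; an empty report means every subject in the table is covered.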

Helm Configuration

Add the following to your Helm values file:

YAML
global:
  blobStorage:
    baseUri: wiaz://<blob-container-name>@<your-account-name>.blob.core.windows.net/<path>
  workloadIdentity:
    azure:
      clientId: xxxx-xxxx-xxxx-xxxx
      # tenantId: yyyy-yyyy-yyyy-yyyy   # optional

No credentials are required: provide only your managed identity's clientId and, optionally, the tenantId. A non-empty clientId enables Workload Identity. Set tenantId only when the managed identity is in a different tenant than the AKS OIDC issuer.

With these values, the chart automatically annotates the five vvp-system service accounts with azure.workload.identity/client-id and labels the platform service pods with azure.workload.identity/use: "true". Ververica Platform (AppManager, Gateway, and so on) then accesses Azure Blob Storage without further action.

The Flink JobManager and TaskManager run under their own service accounts in the deployment namespace (vvp-deploy by default). Two additional steps are required to enable Workload Identity for your jobs.

Annotate the Deployment-Namespace Service Accounts

The chart creates flink-job-sa-vvc and vvr-task-manager-vvc but does not annotate them. Add the client-id annotation to both. Each must also have a federated credential, as listed in Prerequisites.

BASH
for sa in flink-job-sa-vvc vvr-task-manager-vvc; do
  kubectl -n vvp-deploy annotate sa "$sa" \
    azure.workload.identity/client-id="<your-client-id>" --overwrite
done

Add the Workload Identity Label to Your Deployment

Add the azure.workload.identity/use: "true" label to the JobManager and TaskManager pods through the deployment's flinkConfiguration:

YAML
spec:
  template:
    spec:
      flinkConfiguration:
        kubernetes.jobmanager.labels: azure.workload.identity/use:true
        kubernetes.taskmanager.labels: azure.workload.identity/use:true