Microsoft ABS Workload Identity
With Microsoft ABS Workload Identity, Ververica Platform and its Flink jobs access Azure Blob Storage on AKS using a federated managed identity. No connection string, account key, or Kubernetes secret is required. This feature applies to Ververica Platform self-managed on AKS.
Prerequisites
Before you configure Workload Identity, ensure the following are in place:
- An AKS cluster with the OIDC issuer and Workload Identity enabled.
- A standard (GPv2) Azure storage account and a blob container. Hierarchical Namespace (HNS) is not required.
- A user-assigned managed identity that holds the Storage Blob Data Contributor role on the storage account.
- A federated credential on that managed identity for each Ververica Platform service account the chart deploys, with subject system:serviceaccount:<namespace>:<service-account> and audience api://AzureADTokenExchange. The subject must match the service account's token exactly; a federated credential for a different namespace or name is silently ignored and the token exchange fails.
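The prerequisites above, provisioned with the Azure CLI as an added example (not part of the Ververica Platform chart or its documentation). Every resource name (vvp-rg, vvp-aks, vvpblob, vvp, vvp-blob-identity) and the subscription ID are assumptions, overridable through environment variables. The role assignment is scoped to the single storage account and uses the identity's object ID directly, which avoids the directory-replication race that makes a role assignment on a just-created identity fail by display name.

```shell
#!/usr/bin/env bash
# Added example: provisions the Workload Identity prerequisites with az.
# Not part of Ververica Platform. All names below are assumptions.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}" # assumed
RESOURCE_GROUP="${RESOURCE_GROUP:-vvp-rg}"                                  # assumed
AKS_CLUSTER="${AKS_CLUSTER:-vvp-aks}"                                       # assumed
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-vvpblob}"                               # assumed
CONTAINER="${CONTAINER:-vvp}"                                               # assumed
IDENTITY_NAME="${IDENTITY_NAME:-vvp-blob-identity}"                         # assumed

# Resource ID of the storage account. Used as the role-assignment scope so the
# identity gets Storage Blob Data Contributor on this account only, not on the
# resource group or subscription.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# 1. The cluster must publish an OIDC issuer and run the workload-identity
#    mutating webhook; one update enables both (no-op if already enabled).
enable_cluster_features() {
  az aks update -g "$RESOURCE_GROUP" -n "$AKS_CLUSTER" \
    --enable-oidc-issuer --enable-workload-identity -o none
}

# 2. A GPv2 (StorageV2) account and a blob container; HNS is not needed.
#    Disabling shared-key access is optional hardening: it proves nothing in
#    the platform still depends on the account key. Drop the flag if other
#    clients of this account still use the key.
create_storage() {
  az storage account create -g "$RESOURCE_GROUP" -n "$STORAGE_ACCOUNT" \
    --kind StorageV2 --sku Standard_LRS --allow-shared-key-access false -o none
  az storage container create --account-name "$STORAGE_ACCOUNT" -n "$CONTAINER" \
    --auth-mode login -o none
}

# 3. The user-assigned identity and its data-plane role on the account.
create_identity_and_role() {
  az identity create -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" -o none
  principal_id=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" \
    --query principalId -o tsv)
  az role assignment create \
    --role "Storage Blob Data Contributor" \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --scope "$(storage_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")" \
    -o none
}

# Values needed later: the clientId for the Helm values file and the issuer
# URL for the federated credentials.
print_outputs() {
  echo "clientId:  $(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query clientId -o tsv)"
  echo "issuerUrl: $(az aks show -g "$RESOURCE_GROUP" -n "$AKS_CLUSTER" --query oidcIssuerProfile.issuerUrl -o tsv)"
}

# Only act when invoked with "apply", so the file can also be sourced to reuse
# the functions without touching Azure.
if [ "${1:-}" = "apply" ]; then
  enable_cluster_features
  create_storage
  create_identity_and_role
  print_outputs
fi
```

Run it as `bash provision.sh apply` (file name assumed) after `az login` and `az account set`. The printed clientId goes into the Helm values, and the issuer URL is the value the federated-credential script below reads from `az aks show`.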
Service Accounts
The chart deploys the following service accounts, each of which requires a federated credential:
| Namespace | Service Account |
|---|---|
| vvp-system | vvp-appmanager |
| vvp-system | vvp-gateway |
| vvp-system | flink-vvp-sa-vvc |
| vvp-system | flink-vvp-sql-jar-nginx-sa-vvc |
| vvp-system | vvp-autopilot |
| vvp-deploy | flink-job-sa-vvc (Flink JobManager) |
| vvp-deploy | vvr-task-manager-vvc (Flink TaskManager) |
Create a federated credential for each service account using the following script:
# Replace the identity name, resource group, and OIDC issuer with your own.
AKS_OIDC_ISSUER=$(az aks show -g <resource-group> -n <aks-cluster> \
  --query "oidcIssuerProfile.issuerUrl" -o tsv)

for entry in \
  "vvp-system:vvp-appmanager" \
  "vvp-system:vvp-gateway" \
  "vvp-system:flink-vvp-sa-vvc" \
  "vvp-system:flink-vvp-sql-jar-nginx-sa-vvc" \
  "vvp-system:vvp-autopilot" \
  "vvp-deploy:flink-job-sa-vvc" \
  "vvp-deploy:vvr-task-manager-vvc"; do
  ns="${entry%%:*}"; sa="${entry##*:}"
  # One federated credential per service account. The subject must match the
  # "sub" claim of the projected token exactly, or the exchange fails with
  # "No matching federated identity record found for presented assertion".
  # The parameter is --audiences (plural); --audience only works as an
  # abbreviation.
  az identity federated-credential create \
    --name "vvp-${ns}-${sa}" \
    --identity-name <your-managed-identity> \
    --resource-group <resource-group> \
    --issuer "$AKS_OIDC_ISSUER" \
    --subject "system:serviceaccount:${ns}:${sa}" \
    --audiences api://AzureADTokenExchange
done
Adjust vvp-system and vvp-deploy to match your Helm release namespace and deployment namespace if they differ from the defaults.
Helm Configuration
Add the following to your Helm values file:
global:
  blobStorage:
    baseUri: wiaz://<blob-container-name>@<your-account-name>.blob.core.windows.net/<path>
    workloadIdentity:
      azure:
        clientId: xxxx-xxxx-xxxx-xxxx
        # tenantId: yyyy-yyyy-yyyy-yyyy # optional
No credentials are configured here: the only required value is the managed identity's clientId, optionally with the tenantId. A non-empty clientId enables Workload Identity. Set tenantId only when the managed identity is in a different tenant than the AKS OIDC issuer.
With these values, the chart automatically annotates the five vvp-system service accounts with azure.workload.identity/client-id and labels the platform service pods with azure.workload.identity/use: "true". Ververica Platform (AppManager, Gateway, and so on) then accesses Azure Blob Storage without further action.
Configure Flink Jobs
The Flink JobManager and TaskManager run under their own service accounts in the deployment namespace (vvp-deploy by default). Two additional steps are required to enable Workload Identity for your jobs.
Annotate the Deployment-Namespace Service Accounts
The chart creates flink-job-sa-vvc and vvr-task-manager-vvc but does not annotate them. Add the client-id annotation to both. Each must also have a federated credential, as listed in Prerequisites.
for sa in flink-job-sa-vvc vvr-task-manager-vvc; do
  kubectl -n vvp-deploy annotate sa "$sa" \
    azure.workload.identity/client-id="<your-client-id>" --overwrite
done
Add the Workload Identity Label to Your Deployment
Add the azure.workload.identity/use: "true" label to the JobManager and TaskManager pods through the deployment's flinkConfiguration:
spec:
  template:
    spec:
      flinkConfiguration:
        kubernetes.jobmanager.labels: azure.workload.identity/use:true
        kubernetes.taskmanager.labels: azure.workload.identity/use:true
Do not set fs.azure.account.auth.type or fs.azure.account.oauth.provider.type in flinkConfiguration. The wiaz filesystem plugin acquires tokens on its own. Overriding these settings breaks checkpointing.
If you run Flink jobs in a namespace other than vvp-deploy, or point a deployment at a service account other than the chart defaults, create the service account and its federated credential in that namespace and apply the same client-id annotation.
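A check of the Helm-side and Flink-side wiring described in the two sections above, as an added example that is not part of Ververica Platform. It reads the live cluster with kubectl and, for every service account in the table, confirms the client-id annotation, and for every pod running under it confirms both the azure.workload.identity/use label and that the workload-identity webhook actually injected AZURE_FEDERATED_TOKEN_FILE into the containers (a pod that carries the label but lacks the variable was admitted before the label or the webhook existed and must be recreated). Namespaces default to the chart defaults; the env var names are the ones the Azure workload-identity webhook injects.

```shell
#!/usr/bin/env bash
# Added example: verifies Workload Identity wiring for the chart's service
# accounts and their pods. Not part of Ververica Platform.
set -u

PLATFORM_NS="${PLATFORM_NS:-vvp-system}"
DEPLOY_NS="${DEPLOY_NS:-vvp-deploy}"
CLIENT_ID="${CLIENT_ID:-}"   # managed identity client ID; empty = only define functions
ANNOTATION='azure.workload.identity/client-id'
LABEL='azure.workload.identity/use'

# "<namespace> <service-account>" per line, matching the table in this page.
service_accounts() {
  for sa in vvp-appmanager vvp-gateway flink-vvp-sa-vvc flink-vvp-sql-jar-nginx-sa-vvc vvp-autopilot; do
    echo "$PLATFORM_NS $sa"
  done
  for sa in flink-job-sa-vvc vvr-task-manager-vvc; do
    echo "$DEPLOY_NS $sa"
  done
}

# kubectl wrapper: the client-id annotation of a service account ("" if absent).
sa_client_id() {
  kubectl -n "$1" get sa "$2" \
    -o jsonpath='{.metadata.annotations.azure\.workload\.identity/client-id}' 2>/dev/null
}

# kubectl wrapper: one "<pod>|<use-label>|<injected-env-name>" line per pod
# that runs under the service account. Field 3 is non-empty only when the
# webhook mutated the pod.
pod_rows() {
  kubectl -n "$1" get pods -o jsonpath="{range .items[?(@.spec.serviceAccountName==\"$2\")]}{.metadata.name}|{.metadata.labels.azure\.workload\.identity/use}|{.spec.containers[*].env[?(@.name==\"AZURE_FEDERATED_TOKEN_FILE\")].name}{\"\n\"}{end}" 2>/dev/null
}

# Pure check: annotation present and equal to the expected client ID.
check_annotation() {   # ns sa got expected
  if [ -z "$3" ]; then echo "FAIL $1/$2: no $ANNOTATION annotation"; return 1; fi
  if [ "$3" != "$4" ]; then echo "FAIL $1/$2: $ANNOTATION is $3, expected $4"; return 1; fi
  echo "ok   $1/$2: annotated"
}

# Pure check over one pod row from pod_rows.
check_pod_row() {      # ns "<pod>|<label>|<env>"
  ns="$1"; oldifs=$IFS; IFS='|'; set -- $2; IFS=$oldifs
  pod=${1:-}; label=${2:-}; env=${3:-}
  [ -n "$pod" ] || return 0
  if [ "$label" != "true" ]; then
    echo "FAIL $ns/$pod: missing label $LABEL=true (check kubernetes.jobmanager.labels / kubernetes.taskmanager.labels)"
    return 1
  fi
  if [ -z "$env" ]; then
    echo "FAIL $ns/$pod: labeled but AZURE_FEDERATED_TOKEN_FILE was not injected; the pod predates the label or the webhook, delete it so it is re-admitted"
    return 1
  fi
  echo "ok   $ns/$pod: labeled and token file projected"
}

# Walk every service account and its pods; returns 1 if anything failed.
verify() {             # expected client ID
  expected="$1"; failures=0
  for pair in $(service_accounts | tr ' ' '/'); do
    ns=${pair%%/*}; sa=${pair##*/}
    check_annotation "$ns" "$sa" "$(sa_client_id "$ns" "$sa")" "$expected" || failures=$((failures+1))
    rows=$(pod_rows "$ns" "$sa")
    if [ -z "$rows" ]; then
      echo "info $ns/$sa: no pods (expected for job SAs with no running deployment)"
      continue
    fi
    for row in $rows; do
      check_pod_row "$ns" "$row" || failures=$((failures+1))
    done
  done
  echo "$failures failure(s)"
  [ "$failures" -eq 0 ]
}

if [ -n "$CLIENT_ID" ]; then verify "$CLIENT_ID"; fi
```

Run it as `CLIENT_ID=<your-client-id> bash verify-wi.sh` (file name assumed) with a kubeconfig for the cluster. A FAIL on a Flink pod after the annotation and labels are in place almost always means the pod was created before they were: Flink does not relabel running pods, so cancel and restart the deployment.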