Accessing Kubecost with Azure Workload Identity

As of v2.1.1, Kubecost supports cloud integration via Azure Workload Identity. Consult Microsoft documentation to learn more about how to set up Azure Workload Identity in AKS. For this tutorial, you will need the cluster name, resource group, federated identity credential name and the Managed Identity Object ID.

Configuration

Step 1: Validate that OIDC is enabled on the Azure cluster

$ export AKS_OIDC_ISSUER="$(az aks show -n "${CLUSTER_NAME}" -g "${RESOURCE_GROUP}" --query "oidcIssuerProfile.issuerUrl" -otsv)"
$ echo "${AKS_OIDC_ISSUER}"
https://westus.oic.<redacted>.azure.com/<redacted>

Step 2: Assign the Storage Blob Data Contributor role to the Managed Identity and scope it to the storage blob container resource that holds the cost export

Example:

az role assignment create --assignee "55555555-5555-5555-5555-555555555555" --role "Storage Blob Data Contributor" --scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Example-Storage-rg/providers/Microsoft.Storage/storageAccounts/storage12345"

Step 3: Create the federated credential between the Managed Identity and the kubecost-cost-analyzer service account

az identity federated-credential create --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} --identity-name ${USER_ASSIGNED_IDENTITY_NAME} --resource-group ${RESOURCE_GROUP} --issuer ${AKS_OIDC_ISSUER} --subject system:serviceaccount:${KUBECOST_NAMESPACE}:kubecost-cost-analyzer

Step 4: Create a JSON file, which must be named cloud-integration.json, with the following format:

{
  "azure": {
    "storage": [
      {
        "subscriptionID": "AZ_cloud_integration_subscriptionId",
        "account": "AZ_cloud_integration_azureStorageAccount",
        "container": "AZ_cloud_integration_azureStorageContainer",
        "path": "",
        "cloud": "public/gov",
        "authorizer": {
          "authorizerType": "AzureDefaultCredential"
        }
      }
    ]
  }
}

Step 5: Create the secret

$ kubectl create secret generic <SECRET_NAME> --from-file=cloud-integration.json -n kubecost

Step 6: Update the Helm values.yaml with the following, then apply the changes

kubecostProductConfigs:
  cloudIntegrationSecret: <SECRET_NAME>
kubecostDeployment:
  labels:
    azure.workload.identity/use: "true"
serviceAccount:
  annotations:
    # Replace with the client ID of the managed identity; Helm does not expand shell variables in values files.
    azure.workload.identity/client-id: $AZURE_CLIENT_ID

Apply the values:

$ helm upgrade --install kubecost --repo https://kubecost.github.io/cost-analyzer cost-analyzer --namespace kubecost -f values.yaml
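The steps above hand several values from one command to the next (the OIDC subject of the service account, the role scope, the contents of cloud-integration.json). The following shell script is an added example, not Kubecost's own tooling or part of the original page: it derives those values from a few variables, renders cloud-integration.json for the AzureDefaultCredential authorizer, and runs a pre-flight check before the secret is created. The variable names, the constructed sample values (subscription, storage account, container name) and the helper function names are assumptions of this example; the az and kubectl commands are only printed, not executed.

```shell
#!/usr/bin/env sh
# Added example: assemble and sanity-check the Workload Identity artefacts
# before creating the Kubecost secret. Not part of the Kubecost project.

# Constructed sample values; override them in the environment for a real cluster.
: "${KUBECOST_NAMESPACE:=kubecost}"
: "${AZ_SUBSCRIPTION_ID:=00000000-0000-0000-0000-000000000000}"
: "${AZ_RESOURCE_GROUP:=Example-Storage-rg}"
: "${AZ_STORAGE_ACCOUNT:=storage12345}"
: "${AZ_STORAGE_CONTAINER:=costexports}"   # assumed container name
: "${AZ_CLOUD:=public}"                    # "public" or "gov"

# Subject the federated credential must carry: AKS issues projected tokens
# with sub = system:serviceaccount:<namespace>:<serviceaccount>, and the
# service account the Kubecost chart creates is kubecost-cost-analyzer.
federated_subject() {
  printf 'system:serviceaccount:%s:kubecost-cost-analyzer\n' "$1"
}

# Scope for the role assignment: the storage account that holds the export,
# matching the Step 2 example, rather than the whole subscription.
role_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s\n' "$1" "$2" "$3"
}

# Render cloud-integration.json. No key or secret is embedded: the
# AzureDefaultCredential authorizer picks up the projected workload identity token.
render_cloud_integration() {
  cat <<EOF
{
  "azure": {
    "storage": [
      {
        "subscriptionID": "$1",
        "account": "$2",
        "container": "$3",
        "path": "",
        "cloud": "$4",
        "authorizer": {
          "authorizerType": "AzureDefaultCredential"
        }
      }
    ]
  }
}
EOF
}

# Pre-flight check on a rendered file: refuse the documented placeholders,
# an unexpected authorizer, or a cloud value other than public/gov.
check_cloud_integration() {
  file="$1"
  grep -q '"authorizerType": *"AzureDefaultCredential"' "$file" \
    || { echo "authorizerType must be AzureDefaultCredential" >&2; return 1; }
  grep -Eq '"cloud": *"(public|gov)"' "$file" \
    || { echo "cloud must be public or gov" >&2; return 1; }
  grep -q '"AZ_cloud_integration_' "$file" \
    && { echo "template placeholders were not replaced" >&2; return 1; }
  return 0
}

# Run it: render into a scratch directory, check, and print the follow-up commands.
workdir="$(mktemp -d)"
render_cloud_integration "$AZ_SUBSCRIPTION_ID" "$AZ_STORAGE_ACCOUNT" "$AZ_STORAGE_CONTAINER" "$AZ_CLOUD" \
  > "$workdir/cloud-integration.json"
check_cloud_integration "$workdir/cloud-integration.json"

echo "federated credential --subject: $(federated_subject "$KUBECOST_NAMESPACE")"
echo "role assignment --scope:        $(role_scope "$AZ_SUBSCRIPTION_ID" "$AZ_RESOURCE_GROUP" "$AZ_STORAGE_ACCOUNT")"
echo "next (not run here): kubectl create secret generic <SECRET_NAME> --from-file=$workdir/cloud-integration.json -n $KUBECOST_NAMESPACE"
```

The subject string is the value that must match between the `--subject` of `az identity federated-credential create` and the namespace the chart is installed into; if the two disagree, token exchange fails silently from Kubecost's point of view and the cost export is simply never read.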
