
I have a requirement to use the managed identity mechanism to access Event Hub from a Spark Streaming application running in Kubernetes. I am going through Azure AAD Pod Managed Identity to connect to Azure Event Hub and didn't find any doc regarding Event Hub.

  1. Does Azure AAD Pod Identity support accessing the Event Hub resource securely using Azure Active Directory?

  2. Can anyone provide steps/code to use Event Hub with AAD Pod Identity?

Thanks in advance

nagendra
  • It should. AAD pod identity really is just [managed identity](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview). You'll have to configure correct RBAC permissions for the identity on the Event Hub (Event Hub > IAM > add role assignment). – mmking Sep 20 '20 at 13:16
  • See https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview. There's also a code snippet below for testing (it says web app but you can adapt the code snippet to something appropriate). – mmking Sep 20 '20 at 13:17

1 Answer


Yes, AAD Pod Identity supports an Azure Event Hub connection. Here are the steps. First, configure your cluster to enable managed identity. Also, this scenario is related to RBAC-disabled clusters.

  • az aks update -g <rg-name> -n <cluster-name> --enable-managed-identity
  • az aks update -g <rg-name> -n <cluster-name> --enable-pod-identity --enable-pod-identity-with-kubenet

After this configuration, you can enable AAD Pod Identity:

  • kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/v1.8.13/deploy/infra/deployment.yaml
  • kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/v1.8.13/deploy/infra/mic-exception.yaml

Check that the 3 pods in the default namespace are up and running: kubectl get po

Create the AAD pod identity with the CLI:

    az aks pod-identity add --resource-group <rg-name> \
        --cluster-name <cluster-name> --namespace <your-ns> --name <name> --identity-resource-id <resource-id> \
        --binding-selector <name_that_use_in_aks>

Check whether the identity is assigned:

    az aks show -g <rg-name> -n <cluster-name> | grep -i <user-assigned-managed-identity-name>

If your configuration is valid, here is the Java code sample:

    import java.nio.charset.StandardCharsets;
    import java.time.Duration;

    import com.azure.identity.ManagedIdentityCredential;
    import com.azure.identity.ManagedIdentityCredentialBuilder;
    import com.azure.messaging.eventhubs.EventData;
    import com.azure.messaging.eventhubs.EventHubClientBuilder;
    import com.azure.messaging.eventhubs.EventHubProducerAsyncClient;
    import com.azure.messaging.eventhubs.models.CreateBatchOptions;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import reactor.core.publisher.Mono;

    public class EventHubManagedIdentitySender {
        private static final Logger LOGGER = LoggerFactory.getLogger(EventHubManagedIdentitySender.class);

        public static void main(String[] args) {
            String message = "{\"hello\":\"world\"}";

            // clientId is the client ID of the user-assigned managed identity bound to the pod;
            // with AAD Pod Identity the token request from the pod is answered by NMI on the node.
            ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
                    .clientId("your_id")
                    .maxRetry(1)
                    .retryTimeout(duration -> Duration.ofMinutes(1))
                    .build();

            // Token-based auth: no connection string or SAS key has to be present in the pod.
            // fullyQualifiedNamespace looks like "<namespace>.servicebus.windows.net".
            EventHubProducerAsyncClient eventHubProducerAsyncClient = new EventHubClientBuilder()
                    .credential("fullyQualifiedNamespace", "eventhub-name", managedIdentityCredential)
                    .buildAsyncProducerClient();

            EventData eventData = new EventData(message.getBytes(StandardCharsets.UTF_8));
            eventData.setContentType("application/json");
            CreateBatchOptions options = new CreateBatchOptions()
                    .setPartitionKey("1");

            eventHubProducerAsyncClient.createBatch(options)
                    .flatMap(batch -> {
                        // tryAdd returns false when the event does not fit; do not silently drop it
                        if (!batch.tryAdd(eventData)) {
                            return Mono.error(new IllegalStateException("Event too large for a single batch"));
                        }
                        return eventHubProducerAsyncClient.send(batch);
                    })
                    .doFinally(signal -> eventHubProducerAsyncClient.close())
                    .subscribe(unused -> {
                    }, error -> {
                        LOGGER.error("Error occurred while sending message", error);
                    }, () -> {
                        LOGGER.debug("Message sent successfully.");
                    });
        }
    }

For more details:

  • Microsoft related page
  • AAD Pod Identity related page

ozgen