There are **two** methods for authentication; select the one which applies to you:

- [**4A - Managed identity**](/halo/aks-step-4#4a---managed-identity) **(recommended)**  
- [**4B - Service principal**](/halo/aks-step-4#4b---service-principal)  
  - Use this method only if managed identities are not available or not desired in your cluster.

---

## 4A - Managed identity

If your AKS cluster was not created with a managed identity, enable one with:

```shell
az aks update -g "${rgp}" -n "${aksname}" --enable-managed-identity
```

To sync Key Vault secrets to Kubernetes secrets, the AKS kubelet identity needs **get** and **list** access to the Key Vault's secrets (no broader permissions are required).

- First, retrieve the object ID of the kubelet identity:

```shell
az aks show -g "${rgp}" -n "${aksname}"
```

This will return a large JSON response. Scroll until you find:

```
identityProfile → kubeletidentity → objectId
```

![](/.attachments/image-1669277988207.png)

- Now set access permissions on the Key Vault:

```shell
az keyvault set-policy --name "${kvname}" --object-id "${objectid}" --secret-permissions get list
```

---

## 4B - Service principal

If you are using a service principal, you will need:

- `objectId`
- `appId`
- `tenantId`
- `clientSecret`

These can all be found in **Azure Active Directory**.

- Grant the service principal **get** and **list** access to the Key Vault's secrets, using its `objectId`:

```shell
az keyvault set-policy --name "${kvname}" --object-id "${objectid}" --secret-permissions get list
```

- Create the Kubernetes secret that holds the service principal credentials:

```shell
kubectl create secret generic keyvault-service-principal \
  --from-literal=ClientID="${appid}" \
  --from-literal=ClientSecret="${clientsecret}"
```
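Whichever identity you used (the kubelet identity from 4A or the service principal from 4B), it is worth confirming that the resulting access policy grants only **get** and **list** on secrets. The following is an added example, not part of the original page or the Glasswall tooling: it extracts `identityProfile → kubeletidentity → objectId` from `az aks show` output and checks the matching entry in `az keyvault show` output. The JSON samples are constructed stand-ins for those two commands' real output, and the check assumes the vault uses the access-policy permission model (which `az keyvault set-policy` implies).

```python
import json

# Constructed sample of `az aks show -g ... -n ...` output, trimmed to the part this step needs.
AKS_SHOW = json.dumps({
    "name": "aks-example",
    "identityProfile": {
        "kubeletidentity": {
            "clientId": "00000000-0000-0000-0000-00000000aaaa",
            "objectId": "11111111-1111-1111-1111-11111111bbbb",
        }
    },
})

# Constructed sample of `az keyvault show --name ...` output (access-policy section only).
# The second entry deliberately has more than get/list so the check has something to flag.
KV_SHOW = json.dumps({
    "name": "kv-example",
    "properties": {
        "accessPolicies": [
            {"objectId": "11111111-1111-1111-1111-11111111bbbb",
             "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []}},
            {"objectId": "22222222-2222-2222-2222-22222222cccc",
             "permissions": {"secrets": ["get", "list", "set", "delete"], "keys": ["get"], "certificates": []}},
        ]
    },
})

REQUIRED = {"get", "list"}  # the only secret permissions this step needs


def kubelet_object_id(aks_show_json):
    """Pull identityProfile -> kubeletidentity -> objectId from `az aks show` output."""
    data = json.loads(aks_show_json)
    kubelet = (data.get("identityProfile") or {}).get("kubeletidentity") or {}
    object_id = kubelet.get("objectId")
    if not object_id:
        raise ValueError("cluster has no kubelet managed identity; run `az aks update --enable-managed-identity`")
    return object_id


def check_policy(kv_show_json, object_id):
    """Return (ok, detail) for the access policy that applies to object_id: ok only if it is exactly get/list on secrets."""
    for policy in json.loads(kv_show_json)["properties"]["accessPolicies"]:
        if policy["objectId"].lower() != object_id.lower():
            continue
        perms = policy["permissions"]
        secrets = {s.lower() for s in perms.get("secrets") or []}
        if not REQUIRED <= secrets:
            return False, "missing secret permissions: " + ",".join(sorted(REQUIRED - secrets))
        extra = sorted(secrets - REQUIRED)
        other = [k for k in ("keys", "certificates") if perms.get(k)]  # non-secret grants are not needed here
        if extra or other:
            return False, "broader than get/list: secrets=" + ",".join(extra) + " other=" + ",".join(other)
        return True, "get/list only"
    return False, "no access policy for " + object_id
```

On a real cluster, feed the functions the output of `az aks show -g "${rgp}" -n "${aksname}" -o json` and `az keyvault show --name "${kvname}" -o json` instead of the constructed samples.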

---

<!-- markdownlint-disable MD033 -->
<div class="text--center margin-top--lg" style={{display: 'flex', justifyContent: 'center', gap: '12px'}}>
  <a href="/halo/aks-step-5" class="button button--primary">
    Continue
  </a>

  <a href="https://www.glasswall.com/support" class="button button--primary button--lg">
    Need help?
  </a>
</div>
<!-- markdownlint-enable MD033 -->