How to grant the managed identity of an Azure Kubernetes Engine to an Azure Container Registry in another tenant?

5/23/2020

I created a Kubernetes cluster in Azure (AKS) that uses managed identity (previously named MSI).
I retrieve the identifier of the managed identity:
AKS_IDENTITY_ID=$(az aks show -g $AKS_GROUP -n $AKS_NAME --query "identityProfile.kubeletidentity.clientId" --output tsv)

Next I can grant this identity to an Azure Container Registry (ACR) and a key vault:

ACR_ID=<id of the ACR>
az role assignment create --assignee $AKS_IDENTITY_ID --role acrpull --scope $ACR_ID
VAULT_NAME=<name of the vault>
az keyvault set-policy -n $VAULT_NAME --key-permissions encrypt decrypt --spn $AKS_IDENTITY_ID

Then all works fine: the cluster can pull Docker images from the ACR, and my pod can decrypt sensitive information using a key contained in the key vault.

Now I want to grant the same authorizations on the same resources to an AKS cluster created by a customer, i.e. the cluster is in the customer's tenant while the ACR and the vault are in our tenant.
The previous commands do not work, as the identity of the cluster is not in the same tenant and so is not known to the Azure Active Directory of our tenant.
So how can this be done?

-- gentiane
azure
azure-active-directory
azure-aks
kubernetes

1 Answer

5/23/2020

You can't use Managed Identities across tenants. The service principal only exists in the tenant linked to the subscription. In these cases you need to register an application in your tenant and give them the credentials that they can then use to access your ACR and Key Vault.

-- juunas
Source: StackOverflow
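What the answer describes, worked through as an added example that is not part of the original question or answer. The provider-side function needs the az CLI logged in to the provider tenant and creates an app registration, its service principal and a client secret in one call with `az ad sp create-for-rbac`, scoped to AcrPull on the registry, then grants the same key permissions on the vault that the question grants to the kubelet identity. The two customer-side helpers run offline and turn the handed-over appId, client secret and tenant ID into the two Kubernetes Secrets the customer's cluster needs: an imagePullSecret for the ACR and a credential Secret the pod loads as environment variables. The app name, ACR resource ID, vault name, Secret names and the tenant GUID in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Provider side needs the az
# CLI logged in to the provider tenant; the customer-side helpers run offline.
# App name, ACR resource ID, vault name and Secret names are placeholders.
set -eu

# Azure GUIDs and generated client secrets contain no '"' or '\', so a value
# that does is almost certainly a pasting error: refuse it instead of emitting
# broken JSON/YAML.
check_plain() {
  case "$1" in
    *'"'*|*'\'*) echo "refusing value containing a quote or backslash" >&2; return 1 ;;
  esac
}

# ---- provider tenant -------------------------------------------------------
# One call creates the app registration, its service principal, a client
# secret that expires after one year, and the AcrPull assignment on the
# registry. The vault access policy is the one from the question, granted to
# the new service principal instead of the kubelet identity.
provider_grant() {
  app_name=$1; acr_id=$2; vault_name=$3
  out=$(az ad sp create-for-rbac --name "$app_name" --role acrpull \
          --scopes "$acr_id" --years 1 \
          --query "[appId,password,tenant]" --output tsv)
  app_id=$(printf '%s' "$out" | cut -f1)
  app_secret=$(printf '%s' "$out" | cut -f2)
  tenant=$(printf '%s' "$out" | cut -f3)
  az keyvault set-policy --name "$vault_name" --spn "$app_id" \
     --key-permissions encrypt decrypt --output none
  # Hand these three values to the customer out of band; the secret is shown once.
  printf 'APP_ID=%s\nAPP_SECRET=%s\nTENANT=%s\n' "$app_id" "$app_secret" "$tenant"
}

# ---- customer tenant (offline) --------------------------------------------
b64() { base64 | tr -d '\n'; }   # portable: no -w0, strip the wrapping instead

# imagePullSecret for the ACR: username is the appId, password the client secret.
make_pull_secret() {
  server=$1; app_id=$2; app_secret=$3; name=${4:-acr-pull}
  check_plain "$app_secret" || return 1
  auth=$(printf '%s:%s' "$app_id" "$app_secret" | b64)
  cfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
          "$server" "$app_id" "$app_secret" "$auth")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | b64)
EOF
}

# Credentials for the pod's Key Vault client. AZURE_TENANT_ID must be the
# PROVIDER tenant (where the service principal exists), not the tenant that
# owns the cluster; the Azure SDK EnvironmentCredential reads these three names.
make_sp_credential_secret() {
  tenant=$1; app_id=$2; app_secret=$3; name=${4:-kv-sp-credentials}
  check_plain "$app_secret" || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
stringData:
  AZURE_TENANT_ID: "$tenant"
  AZURE_CLIENT_ID: "$app_id"
  AZURE_CLIENT_SECRET: "$app_secret"
EOF
}

# usage: ./cross-tenant.sh grant <app-name> <acr-resource-id> <vault-name>
#        ./cross-tenant.sh pull-secret <acr>.azurecr.io <app-id> <secret> [name]
#        ./cross-tenant.sh sp-secret <provider-tenant-id> <app-id> <secret> [name]
case "${1:-}" in
  grant)       provider_grant "$2" "$3" "$4" ;;
  pull-secret) make_pull_secret "$2" "$3" "$4" "${5:-}" ;;
  sp-secret)   make_sp_credential_secret "$2" "$3" "$4" "${5:-}" ;;
esac
```

The customer applies both manifests with `kubectl apply`, references the pull secret under `imagePullSecrets` in the pod spec and loads the credential Secret with `envFrom`. Unlike the managed identity in the question, the client secret is a long-lived bearer credential that now lives in the customer's cluster: keep it scoped to AcrPull and the vault key permissions only, and plan to rotate it before the one-year expiry set by `--years 1`.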