We are planning to deploy multiple applications on our single Azure Kubernetes cluster; each application will have its own set of Azure resources, e.g. Key Vault and Storage.
I am planning to provision individual managed identities per application and provide access to the relevant resources.
I know that Azure AAD Pod Identity is the way to configure the pod to make use of the managed identity to access the Azure resources.
However, how do I add multiple managed identities into the Azure Kubernetes cluster? And is this the right way of implementing it?
As I mentioned before, I don't think you can add multiple MSIs to the cluster, you can just use a system-assigned MSI or user-assigned MSI for it.
Reference - Use managed identities in Azure Kubernetes Service
In your case, if you want to use different service principals to authenticate (essentially an MSI is also a service principal managed by Azure), you can create multiple AD apps along with their service principals.
Reference - How to: Use the portal to create an Azure AD application and service principal that can access resources
Then in the code of every application, use ClientSecretCredential to authenticate.

import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;

// One service principal per application: its tenant ID, application (client) ID and client secret
ClientSecretCredential credential1 = new ClientSecretCredentialBuilder()
    .tenantId(tenantId)
    .clientId(clientId)
    .clientSecret(clientSecret)
    .build();
Then use the credential to create a client, e.g. SecretClient.

import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

// The client authenticates to this application's Key Vault with that application's credential only
SecretClient secretClient = new SecretClientBuilder()
    .vaultUrl("<your-key-vault-url>")
    .credential(credential1)
    .buildClient();