Microsoft Azure Solutions Architect Expert AZ-305 Practice Question
You are designing the authentication model for a new Azure Kubernetes Service (AKS) cluster that will host several microservices. The pods must upload and download blobs from an Azure Storage account. Requirements:
Credentials must never be stored in container images, configuration files, or environment variables.
Credential rotation must occur automatically without redeploying the applications. Which solution should you recommend?
Create a service principal for the AKS cluster, store its client secret in cluster-wide secrets, and grant it the Storage Account Key Operator Service Role on the storage account.
Create a user-assigned managed identity, assign it to the AKS node resource group, and grant the identity the Storage Blob Data Contributor role on the storage account.
Generate a shared access signature (SAS) for the storage account and inject it into each pod by using a Kubernetes secret.
Enable Azure AD authentication on the storage account and give every microservice an Azure AD application and client secret stored in Azure Key Vault.
A user-assigned managed identity can be attached to every node pool in the AKS cluster. The AKS control plane automatically injects the identity's OAuth2 token into requests made by the pod, so no keys or secrets are stored in YAML files, container images, or environment variables. Because the identity is managed by Azure AD, its underlying credentials are rotated automatically by the platform. Granting the identity the Storage Blob Data Contributor role on the storage account authorizes read-write access at the data-plane level.
A shared access signature (SAS) or a service principal would meet the functional requirement but the secret must be stored somewhere and you, not Azure, are responsible for rotating it. Using Azure AD-enabled storage with a client secret in Key Vault still leaves you with a secret to store and rotate. Therefore, the managed identity option is the only choice that fully satisfies both requirements.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a user-assigned managed identity in Azure?
Open an interactive chat with Bash
What is the Storage Blob Data Contributor role in Azure?
Open an interactive chat with Bash
Why is credential rotation important in cloud environments?
Open an interactive chat with Bash
Microsoft Azure Solutions Architect Expert AZ-305
Design identity, governance, and monitoring solutions
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .