Microsoft DevOps Engineer Expert AZ-400 Practice Question
Your team runs multiple independent microservices in Azure Kubernetes Service (AKS). Each microservice requires a distinct Azure AD identity for audited access to its own secrets in Azure Key Vault. A key security requirement is that no credentials, like secrets or certificates, are stored within the Kubernetes cluster, and that any underlying service credentials are automatically rotated by Azure. Which identity mechanism best meets these requirements?
Enable the system-assigned managed identity on the AKS cluster and grant it access to all the required Key Vaults.
Create a single Azure AD service principal and mount its client secret into each microservice pod using Kubernetes secrets.
Create a single user-assigned managed identity, grant it access to all necessary Key Vaults, and assign it to all microservices.
For each microservice, create a user-assigned managed identity and use AKS Workload Identity to associate it with the microservice's Kubernetes service account.
AKS Workload Identity is Microsoft's recommended way to give workloads running in Kubernetes an Azure AD (Microsoft Entra ID) identity. Creating a separate user-assigned managed identity for each microservice satisfies the requirement for distinct, auditable identities, and scoping each identity's Key Vault access to that service's own vault keeps the grant least-privilege. Workload Identity federates each identity with a Kubernetes service account: the cluster's OIDC issuer signs a short-lived projected service account token, and the pod exchanges that token for an Azure AD access token, so no client secret or certificate is ever stored in the cluster. Azure owns and rotates the credentials behind the managed identities. A single system-assigned identity on the cluster (or a single user-assigned identity shared by every microservice) gives every workload the same principal, so it cannot provide per-microservice granularity or attribution in Key Vault audit logs. A service principal whose client secret is mounted from a Kubernetes Secret puts a long-lived static credential inside the cluster, which violates the stated requirement and must be rotated manually.
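The following script is an added example, not part of the original question or of Microsoft's documentation, showing the full procedure the correct answer describes: enabling the OIDC issuer and Workload Identity on the cluster, then, per microservice, creating a user-assigned identity, a federated credential bound to exactly one Kubernetes service account, a Key Vault role assignment scoped to that service's vault, and the two manifests (ServiceAccount annotation and pod label) that make the pod use it. Resource group, cluster, namespace, service, vault and image names are assumptions; substitute your own. It requires `az` and `kubectl` logged in with rights over the cluster and vaults and only provisions when invoked with `apply`.

```shell
#!/usr/bin/env bash
# Added example: one user-assigned managed identity per microservice, federated to
# that service's Kubernetes service account with AKS Workload Identity.
# RG, CLUSTER, LOCATION, IMAGE and the service/vault names are assumptions.
set -eu

RG="${RG:-rg-payments}"                        # assumption: resource group
CLUSTER="${CLUSTER:-aks-prod}"                 # assumption: AKS cluster name
LOCATION="${LOCATION:-westeurope}"             # assumption: region
IMAGE="${IMAGE:-ghcr.io/example/app:1.0}"      # assumption: workload image

# Subject claim Entra ID expects in the projected service-account token. The
# federated credential must be created with exactly this string.
federated_subject() { # $1 = namespace, $2 = service account
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# ServiceAccount manifest. Only the identity's client ID is recorded here;
# no secret material lives in the cluster.
render_service_account() { # $1 = namespace, $2 = service account, $3 = client ID
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
  annotations:
    azure.workload.identity/client-id: "$3"
EOF
}

# Pod manifest. The label makes the AKS mutating webhook project the token and
# inject AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE, which
# the Azure SDK's WorkloadIdentityCredential/DefaultAzureCredential consume.
render_pod() { # $1 = namespace, $2 = service account, $3 = image
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $2
  namespace: $1
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: $2
  containers:
    - name: app
      image: $3
EOF
}

# One-time cluster prerequisites: OIDC issuer plus the Workload Identity webhook.
enable_cluster_features() {
  az aks update -g "$RG" -n "$CLUSTER" --enable-oidc-issuer --enable-workload-identity
}

# Per microservice: its own identity, its own federated credential, its own vault grant.
provision_service() { # $1 = namespace, $2 = service name, $3 = Key Vault name
  local ns="$1" svc="$2" kv="$3" issuer client_id principal_id kv_id
  issuer=$(az aks show -g "$RG" -n "$CLUSTER" --query oidcIssuerProfile.issuerUrl -o tsv)
  az identity create -g "$RG" -n "id-$svc" -l "$LOCATION" >/dev/null
  client_id=$(az identity show -g "$RG" -n "id-$svc" --query clientId -o tsv)
  principal_id=$(az identity show -g "$RG" -n "id-$svc" --query principalId -o tsv)
  # Trust tokens from this cluster's issuer for exactly this service account.
  az identity federated-credential create -g "$RG" --identity-name "id-$svc" \
    -n "fc-$svc" --issuer "$issuer" \
    --subject "$(federated_subject "$ns" "$svc")" --audiences api://AzureADTokenExchange
  # Least privilege: read secrets in this service's vault only (RBAC-mode vault).
  kv_id=$(az keyvault show -n "$kv" --query id -o tsv)
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$kv_id"
  kubectl get ns "$ns" >/dev/null 2>&1 || kubectl create ns "$ns"
  render_service_account "$ns" "$svc" "$client_id" | kubectl apply -f -
  render_pod "$ns" "$svc" "$IMAGE" | kubectl apply -f -
}

if [ "${1:-}" = "apply" ]; then
  enable_cluster_features
  provision_service payments orders kv-orders     # assumed service and vault names
  provision_service payments billing kv-billing
fi
```

Run as `./workload-identity.sh apply`. Each call to `provision_service` yields a separate principal, so Key Vault diagnostic logs attribute every secret read to the microservice that made it, and revoking one service's access is a single role-assignment deletion that touches nothing else.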
Develop a security and compliance plan