Home › Azure AZ-204 › cloudcomputing › az204compute › An AKS cluster needs to give pods authenticated …
An AKS cluster needs to give pods authenticated access to Azure Key Vault WITHOUT mounting service-principal secrets in pods. Which configuration is BEST?
AHardcoding service-principal secrets in environment variables
BWorkload Identity on AKS — federates Kubernetes service accounts to Entra ID identities for short-lived token access
CGranting `Owner` at the subscription level to every pod
DDisabling RBAC on the cluster
Answer & Solution
Correct answer: B. Workload Identity on AKS — federates Kubernetes service accounts to Entra ID identities for short-lived token access
Workload Identity (AKS) federates K8s SAs to Entra and issues short-lived OIDC tokens — no static secrets in pods. The others are textbook security antipatterns.
Related questions
Which Azure compute service is BEST suited for a long-running, stateful workload that needWhich Azure Functions binding accepts the function's return value and writes it to a destiWhich Functions runtime binding lets a function automatically execute when a new message lAn Azure Function in a VNet-integrated Premium plan needs to reach a privately-deployed AzWhich Azure Container Registry feature reduces image pull latency for a multi-region KuberWhich Azure compute construct lets a containerised microservice integrate with Dapr sidecaAn ASP.NET Core app is deployed on Azure App Service. The team wants a parallel staging enWhich Azure Functions hosting plan ALWAYS keeps function instances warm and offers VNET in