How can I use azure workload identity with different resource groups for snapshotter and storage

[papanito]

We want to use Azure Managed Identity for creating velero backups: https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/main/README.md#option-3-use-azure-ad-workload-identity

Currently our setup is that we have 2 different resource groups - 1 for the storage account and 1 for aks (disk snaphost). Looking trough the documentation, this seems not a supported setup for Azure Managed Identity!?

The main problem I see, is that we only can specify one resource group in ./credentials-velero

Is that correct or is there a ways where we can use Azure Managed Identity for our use case

[blackpiglet]

@anshulahuja98
Could you please take a look?

[papanito]

I found a way. The docu is a bit misleading. Will post more details on Monday

[anshulahuja98]

Will wait for @papanito to get back before I investigate this further.
Any update to docs will be appreciated @papanito!

[papanito]

It's actually all there in the docu, but I quickly summarize it. So if you are installing velero with helm you need to define the following in the values.yaml

1. define the service account in

   serviceAccount:
    server:
      create: true
      name: velero-server
      annotations:
        azure.workload.identity/client-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

2. Set podLables to use azure identity

   podLabels:
     azure.workload.identity/use: "true"

3. Define backupstorage and ensure you set configuration.backupStorageLocation[0].config.useAAD

   configuration:
     backupStorageLocation:
       - name: "backup-velero" # Name for the velero backup location object, where backups should be stored.
         provider: azure
         bucket: "velero-backup" # The bucket/blob container in which to store backups.
         default: true
         validationFrequency:
         accessMode: ReadWrite
         config:
           resourceGroup: "rg-velero"       # Name of the resource group containing the storage account for this backup storage location.
           subscriptionId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # ID of the subscription for this backup storage location
           storageAccount: "velero"                   # Name of the storage account for this backup storage location
           useAAD: "true"

4. Define volumeSnapshotLocation
5. Define cloud credentials

   credentials:
     useSecret: true
     name: azure
     secretContents:
       cloud: |
         AZURE_TENANT_ID={{ .AZURE_TENANT_ID }}
         AZURE_CLIENT_ID={{ .AZURE_CLIENT_ID }}
         AZURE_SUBSCRIPTION_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
         AZURE_RESOURCE_GROUP=rg-aks-pool
         AZURE_CLOUD_NAME=AzurePublicCloud