This section only applies if you have an existing Azure AD client registered in the IaC repository.
- Declarative provisioning, straight from your application's
- No longer dependent on manual user approvals in multiple IaC repositories
- No longer dependent on Vault
- Credentials are rotated regularly and transparently to the application. This keeps credentials fresh and limits the damage if one is exposed.
- The exact same feature is present in the GCP clusters, which simplifies migration.
Communication between legacy clients provisioned through aad-iac and clients provisioned through NAIS requires some additional configuration.
Allowing a NAIS client to access an aad-iac client
- You have a legacy client registered in the
- You would like to pre-authorize a client provisioned through NAIS.
- Refer to the NAIS client in aad-iac using its fully qualified name (see naming format).
Allowing an aad-iac client to access a NAIS client
- You have a client provisioned through NAIS.
- You would like to pre-authorize a legacy client registered in the
- The legacy client must follow the expected naming format; follow step 1 and step 2 in the migration guide below.
- Refer to the legacy client in nais.yaml exactly as you would a NAIS application, i.e. by application name, namespace and cluster.
- See this example in aad-iac
- Pre-authorizing the legacy client in nais.yaml:

```yaml
spec:
  accessPolicy:
    inbound:
      rules:
        - application: dkif
          namespace: team-rocket
          cluster: dev-fss
```
Migration guide - step by step
The following describes the steps needed to migrate an existing legacy client where you wish to keep the existing client ID and configuration.
If keeping the existing client ID and configuration is not important, it is much easier to provision a new client instead.
Step 1 - Rename your application in the Azure Portal
- Go to the Branding tab for your client in the Azure Portal.
- Update the
Step 2 - Update your application (and any dependents) in the IaC repository
- Ensure the `name` of the client registered in the IaC repository is updated to match the name set in step 1.
- Ensure that any clients that reference the previous name in their `preauthorizedapplications` are also updated.
Step 3 - Deploy your NAIS application with Azure AD provisioning enabled
- See getting started.
Step 4 - Delete your application from the IaC repository
- Verify that everything works after the migration (for example, that pre-authorized clients can still obtain tokens for your application).
- Delete the application from the IaC repository so that nais.yaml remains the single source of truth.
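As an added example (not from the original page or the NAIS project itself), the following is a complete nais.yaml for Step 3: it deploys the application with Azure AD provisioning enabled and pre-authorizes the legacy aad-iac client from the earlier snippet. The manifest fields (`apiVersion`, `kind`, `metadata`, `spec.image`, `spec.azure.application.enabled`, `spec.accessPolicy`) are taken from the NAIS Application spec as the editor knows it; the application name `my-app`, the image reference and the team label are placeholders, while `dkif`, `team-rocket` and `dev-fss` are reused from the page's own example.

```yaml
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  name: my-app            # placeholder: the NAIS application being migrated
  namespace: team-rocket  # reused from the page's example
  labels:
    team: team-rocket     # placeholder team label
spec:
  image: ghcr.io/navikt/my-app:1.0.0   # placeholder image reference
  azure:
    application:
      # NAIS provisions the Azure AD client for this application and rotates its
      # credentials; the application reads them from its environment, not from Vault.
      enabled: true
  accessPolicy:
    inbound:
      rules:
        # The legacy client registered in aad-iac. Its display name must already have
        # been changed (step 1) and updated in the IaC repository (step 2) so that this
        # application/namespace/cluster triple resolves to the legacy client.
        - application: dkif
          namespace: team-rocket
          cluster: dev-fss
```

Deploy this manifest, then confirm that `dkif` can still obtain a token for `my-app` before proceeding to Step 4; until the aad-iac entry is deleted, both repositories describe the same client, which is exactly the state Step 4 exists to end.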