docs: add note about many:1 and 1:many in quick start
Signed-off-by: Anish Ramasekar <[email protected]>
aramase committed Apr 25, 2023
1 parent de6a278 commit 0e70435
Showing 2 changed files with 16 additions and 0 deletions.
4 changes: 4 additions & 0 deletions docs/book/src/faq.md
@@ -21,6 +21,10 @@ federated identity credentials that reference the same service account in your K

For example, if you are using the [`DefaultAzureCredential`](https://docs.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python) from the Azure Identity Python SDK to authenticate your application, you can specify which identity to use by adding the `managed_identity_client_id` parameter to the `DefaultAzureCredential` constructor.

## How to federate multiple Kubernetes service accounts with a single identity?

It is possible to have a many-to-one relationship between a single identity and multiple Kubernetes service accounts, i.e. you can create a federated identity credential for every <service account namespace, service account name, OIDC issuer> tuple that you want to federate with the same identity.

## Is there a propagation delay after creating a federated identity credential?

It takes a few seconds for the federated identity credential to be propagated after being initially added. If a token request is made immediately after adding the federated identity credential, it **might** lead to failure for a couple of minutes as the cache is populated in the directory with old data. To avoid this issue, you can add a slight delay after adding the federated identity credential.
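Review bot: the tuple in the new paragraph under "How to federate multiple Kubernetes service accounts with a single identity?" is written with bare angle brackets, `<service account namespace, service account name, OIDC issuer>`, which the site's markdown renderer may treat as raw HTML and drop or mangle; suggest wrapping it in backticks so it renders literally. Keep the heading text exactly as written, because the quick-start link added in this commit, `[15]: ./faq.md#how-to-federate-multiple-kubernetes-service-accounts-with-a-single-identity`, depends on the slug generated from it.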
12 changes: 12 additions & 0 deletions docs/book/src/quick-start.md
@@ -4,6 +4,14 @@

In this tutorial, we will cover the basics of how to use the webhook to acquire an Azure AD token to access a secret in an [Azure Key Vault][1].

{{% alert title="Note" color="primary" %}}

While this tutorial shows a 1:1 mapping between a Kubernetes service account and an Azure AD identity, it is possible to map:
1. Multiple Kubernetes service accounts to a single Azure AD identity. Refer to [FAQ][15] for more details.
2. Multiple Azure AD identities to a single Kubernetes service account. Refer to [FAQ][16] for more details.

{{% /alert %}}

Before we get started, ensure the following:

* Azure CLI version 2.40.0 or higher. Run `az --version` to verify.
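Review bot: both list items in the new alert end with the same "Refer to [FAQ][N] for more details." sentence, which reads repetitively; suggest folding the reference into each item, e.g. `1. Multiple Kubernetes service accounts to a single Azure AD identity ([FAQ][15]).` and `2. Multiple Azure AD identities to a single Kubernetes service account ([FAQ][16]).` Also, the ordered list starts directly after the "it is possible to map:" line with no blank line; CommonMark allows a list beginning with `1.` to interrupt a paragraph, but a blank line there avoids renderer-specific surprises inside the `{{% alert %}}` shortcode body.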
@@ -442,3 +450,7 @@ az ad sp delete --id "${APPLICATION_CLIENT_ID}"
[13]: ./installation.md

[14]: ./known-issues.md#user-tried-to-log-in-to-a-device-from-a-platform-unknown-thats-currently-not-supported-through-conditional-access-policy

[15]: ./faq.md#how-to-federate-multiple-kubernetes-service-accounts-with-a-single-identity

[16]: ./faq.md#how-to-federate-multiple-identities-with-a-kubernetes-service-account
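Review bot: the new definition `[16]: ./faq.md#how-to-federate-multiple-identities-with-a-kubernetes-service-account` points at a FAQ heading that this commit neither adds nor touches (the faq.md hunk only adds the many-to-one section, whose slug matches `[15]`), so verify that the existing heading in faq.md produces exactly that slug; a mismatched anchor fails silently and drops readers at the top of the page. The two definitions otherwise follow the existing `[13]`/`[14]` style at the end of the file.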

0 comments on commit 0e70435