将有关Azure AD Pod Identity for AKS的official documentation与您提到的角色分配进行比较，可能会遗漏分配给群集系统的托管身份的以下角色分配：“虚拟机贡献者”。如果没有正确的角色分配，您的Azure群集将没有正确的权限来分配和取消分配底层虚拟机（VM）或虚拟机规模集（VMSS）的标识。
请确保在创建AKS群集的同一资源组中创建访问Azure SQL数据库的用户分配的托管标识。
此外，请考虑将AzureServicesAuthConnectionString添加到ConfigMap。
Here您可能会找到关于此主题的另一篇有用的文章。

1.在AKS群集中启用工作负载标识（https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster）。
az aks update -g“${RESOURCE_GROUP}”-n myAKSCluster --enable-oidc-issuer --enable-workload-identity
1.创建托管身份
az标识创建--名称“${USER_ASSIGNED_IDENTITY_NAME}”--资源组“${RESOURCE_GROUP}”--位置“${LOCATION}”--订阅“${SUBSCRIPTION}”
1.检索oidc颁发者url：
$oidcIssuer="$（az aks show -n $clusterName -g $resourceGroupName --query“oidcIssuerProfile.issuerUrl”-otsv）”
1.将以下YAML模板中的双下划线变量替换为正确的值。注意：serviceAccountName由您决定，并确保它与将使用它的服务位于同一命名空间中：
apiVersion：v1 kind：ServiceAccount元数据：注解：azure.workload.identity/client-id:clientIDazure.workload.identity/tenant-id：tenantIdlabels：azure.workload.identity/use:“真实”名称：serviceAccountName命名空间：命名空间
1.创建联合凭据。这将您的服务帐户（上面的YAML）与您的托管身份关联起来：
az identity federated-credential create --name“$serviceName-$namespace”--identity-name $identityName --resource-group $rg --issuer $oidcIssuer --subject“system：serviceaccount：${namespace}：${serviceAccountName}”
1.确保您有azure-workload-identity的掌舵图表：
helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts helm repo update helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook --namespace azure-workload-identity-system --create-namespace --set azureTenantID=“tenantId”
1.导航到您的托管身份，您应该看到您的联合凭据。接下来，您需要确保YAML具有以下参数：
azure.workload.identity/use:“true”serviceAccountName：serviceAccountName
以上是如何使用工作负载标识将服务与联合凭证相关联。
最后，获取用于向Azure SQL发出请求的令牌的行为类似于使用代码检索默认凭据。与使用系统凭据（使用帐户登录时在计算机上创建的令牌）对Azure SQL进行身份验证相同。已将用户正确添加到数据库。
最终形成了以下的剧本...

#This script creates and assigns workload identities in the AKS cluster. Workload identities need to be enabled, and also the managed identity needs
#to be created. The managed identity created by Teraform will then be "federated" for workload identity assignment to pods.
param(
    [Parameter(Mandatory=$true)]
    [string]
    $clusterName,
    [Parameter(Mandatory=$true)]
    [string]
    $rg,
    [Parameter(Mandatory=$true)]
    [string]
    $serviceName,
    [Parameter(Mandatory=$true)]
    [string]
    $namespace,
    [string]
    $prefix="test-",
    [string]
    $identityName,
    [string]
    $tenantId
)
class CustomException : Exception {
    [string] $additionalData

    CustomException($Message, $additionalData) : base($Message) {
        $this.additionalData = $additionalData
    }
}

$clientID = "$(az identity show --name $identityName --resource-group $rg --query 'clientId' -otsv)"

$serviceAccountName = "$prefix$serviceName-sa"
$yaml = `apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
azure.workload.identity/client-id: __clientID__ 
azure.workload.identity/tenant-id: __tenantId__
  labels:
azure.workload.identity/use: "true"
  name: __serviceAccountName__ 
  namespace: __namespace__ `

#overwrite tokens in the template and write out to a new file
$yaml = $yaml.Replace("__clientID__", $clientID);
$yaml = $yaml.Replace("__serviceAccountName__", $serviceAccountName);
$yaml = $yaml.Replace("__namespace__", $namespace);
$yaml = $yaml.Replace("__tenantId__", $tenantId);
Set-Content -Path .\service-account.yaml -Value $yaml

#create the service account that needs to be bound to the federated identity
kubectl apply -f .\service-account.yaml -n $namespace

#Clear content
Set-Content -Path .\service-account.yaml -Value ""

try {
    $oidcIssuer="$(az aks show -n $clusterName -g $rg --query "oidcIssuerProfile.issuerUrl" -otsv)"
    if($null -eq $oidcIssuer -or "" -eq $oidcIssuer)
    {
        #oidc does not exist in the cluster. It needs to be enabled. Check if cluster addon is enabled. First check az version
        $azVersions = az version | ConvertFrom-Json
        $cliVersion = $azVersions.'azure-cli';
        #cliVersion needs to be >= 2.40.0

        if(([Version] $cliVersion) -lt ([Version] "2.40.0")){
            Write-Host "CLI needs upgraded based on the dependencies here... https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview";
            #az upgrade --yes --all --quiet
            throw [CustomException]::new("Azure CLI $cliVersion needs to be upgraded to >=2.40.0 to leverage Workload Identities and Federated credentials with the azure cli.","") > $PSScriptRoot\error.log
        }
        
        #see if the WorkloadIdentityPreview feature is enabled and registered
        $featureState = az feature show --namespace "Microsoft.ContainerService" --name "EnableWorkloadIdentityPreview" | ConvertFrom-Json
        if($featureState.properties.state -ne "Registered"){
            #try to enable and register the 'EnableWorkloadIdentityPreview' feature flag
            Write-Host "Feature flag EnableWorkloadIdentityPreview is not registered... attempting to register..."
            az feature register --namespace "Microsoft.ContainerService" --name "EnableWorkloadIdentityPreview";
            #We have to wait a minute or two for the features to register before we can continue.
            Start-Sleep -Seconds 600;
            az provider register --namespace Microsoft.ContainerService
            #Verify feature is in a registered state
            $featureState = az feature show --namespace "Microsoft.ContainerService" --name "EnableWorkloadIdentityPreview" | ConvertFrom-Json
            if($featureState.properties.state -ne "Registered"){
                throw [CustomException]::new("Feature EnableWorkloadIdentityPreview did not finish registering after 120 seconds, please wait and try again. If this fails a second time the verify that Microsoft.ContainerService is enabled in the subscription under 'Features'.","") > $PSScriptRoot\error.log
            }
            else{
                Write-Host "Feature was successfully registered... continuing..."
            }
        }
        #update the cluster to use OIDC and workload identities
        az aks update -g $rg -n $clusterName --enable-oidc-issuer --enable-workload-identity
        #now finally get the OIDC URL
        $oidcIssuer="$(az aks show -n $clusterName -g $rg --query "oidcIssuerProfile.issuerUrl" -otsv)"
        if($null -eq $oidcIssuer -or "" -eq $oidcIssuer){
            throw [CustomException]::new("Still cannot retrieve OIDC URLs. Please wait an hour and try again. Cluster might still be updating.",""); > $PSScriptRoot\error.log
        }
    }

    az identity federated-credential create --name "$serviceName-$namespace" --identity-name $identityName --resource-group $rg --issuer $oidcIssuer --subject "system:serviceaccount:${namespace}:${serviceAccountName}"
}
catch {
    throw [CustomException]::new("Federation setup failed.","") > $PSScriptRoot\error.log
}
#$oidcIssuer="$(az aks show -n $clusterName -g $rg --query "oidcIssuerProfile.issuerUrl" -otsv)"

try{
    #see if all helm charts exist for workload identity
    $charts = helm repo list -o json | ConvertFrom-Json
    $url = $charts | Where-Object {$_.Name -eq "azure-workload-identity"} | Select-Object -ExpandProperty url
    if($null -eq $url -or "" -eq $url){
        write-host "azure-workload-identity is missing from the helm charts... attempting to add it."
        helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts
        helm repo update
        helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook --namespace azure-workload-identity-system --create-namespace --set azureTenantID="$tenantId"
        Write-Host "Helm charts 'workload-identity-webhook' and 'azure-workload-identity/workload-identity-webhook' successfully added!"
    }
}
catch {
    throw [CustomException]::new("Helm setup failed.","") > $PSScriptRoot\error.log
}

字符串