Add an AKS Cluster

Last modified on July 30, 2025

This guide describes how to manage access to an Azure Kubernetes Service (AKS) cluster via the StrongDM Admin UI. This process involves creating and configuring a new cluster in the Admin UI and checking the connection to your Azure-managed API server.

Prerequisites

Ensure that the API server you intend to add to StrongDM is accessible from your StrongDM gateways or relays. See our guide on Gateways for more information.

Add Your AKS Cluster in the StrongDM Admin UI

  1. Log in to the Admin UI and go to Infrastructure > Clusters.
  2. Click the Add cluster button.
  3. Select AKS as the Server Type and set other resource properties to configure how the StrongDM relay connects.
  4. Click Create to save the resource.

The Admin UI updates and shows your new cluster in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the server to reopen the Connection Details screen. Then click Diagnostics to determine where the connection is failing.

Resource properties

Configuration properties are visible when you add a Cluster Type or when you click to view the cluster’s settings. The following table describes the settings available for your AKS cluster.

PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Cluster TypeRequiredSelect AKS
Proxy ClusterRequiredDefaults to “None (use gateways)”; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource
HostnameRequiredHostname or IP address of the API server, such as api.aks.example.com; relay server should be able to connect to your target server or hostname
PortRequiredPort to connect to the API server; default port value 443
Connectivity ModeRequiredSelect either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode is enabled for your organization
IP AddressOptionalIf Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization
Port OverrideOptionalIf Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings
DNSOptionalIf Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource’s human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)
Secret StoreOptionalCredential store location; defaults to Strong Vault; to learn more, see Secret Store options
Server CAOptionalPasted server certificate (plaintext or Base64-encoded), or imported PEM file; you can either generate the server certificate on the API server or get it in Base64 format from your existing Kubernetes configuration (kubeconfig) file
Client CertificateOptionalPasted client certificate (plaintext or Base64-encoded), or imported PEM file; you can either generate the client certificate on the API server or get it in Base64 format from your existing Kubernetes configuration (kubeconfig) file
Client KeyOptionalPasted client key (plaintext or Base64-encoded) or imported PEM file; you can either generate the client key on the API server or get it in Base64 format from your existing Kubernetes configuration (kubeconfig) file
Healthcheck NamespaceOptionalIf enabled for your organization, the namespace used for the resource healthcheck; defaults to default if empty; supplied credentials must have the rights to perform one of the following kubectl commands in the specified namespace: get pods, get deployments, or describe namespace
Enable Resource DiscoveryOptionalEnables automatic discovery within this cluster
AuthenticationRequiredAuthentication method to access the cluster; select either Leased Credential (default) or Identity Aliases (to use the Identity Aliases of StrongDM users to access the cluster)
Identity SetRequiredDisplays if Authentication is set to Identity Aliases; select an Identity Set name from the list
Healthcheck UsernameRequiredIf Authentication is set to Identity Aliases, the username that should be used to verify StrongDM’s connection to it; username must already exist on the target cluster
Resource TagsOptionalResource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Display name

Some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces. If you run into problems, please choose a Display Name without spaces.

Client credentials

When your users connect to this cluster via StrongDM, they have exactly the same rights as the user associated with these keys. Make sure to consider this prior to setup.

Server CA

How to get the Server CA from your kubeconfig file:

  1. Open the CLI and type cat ~/.kube/config to view the contents of the file.
  2. In the file, under - cluster, copy the certificate-authority-data value. That is the server certificate in Base64 encoding.
  - cluster:
    certificate-authority-data: ... SERVER CERT BASE64 ...

Client certificate

How to get the Client Certificate from your kubeconfig file:

  1. From the CLI, type cat ~/.kube/config to view the contents of the file.
  2. In the file, under - name, copy the client-certificate-data value. That is the client certificate in Base64 encoding.
  - name: clusterUser_StrongDM_example
    user:
    client-certificate-data: ... CLIENT CERT BASE64...

Client key

How to get the Client Key from your kubeconfig file:

  1. Open the CLI and type cat ~/.kube/config to view the file.
  2. In the file, under - name, copy the client-key-data value. That is the client private key in Base64 encoding.
  - name: clusterUser_StrongDM_example
    user:
    client-key-data: ... CLIENT PRIVATE KEY BASE64...

Secret Store

By default, server credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Settings > Secrets Management. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Top