IABTechLab · cYKatherine · Feb 26, 2026 · Feb 17, 2026 · Feb 18, 2026 · Feb 18, 2026
diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml
@@ -94,6 +94,9 @@ env:
   E2E_EUID_PROD_AWS_ARGS_JSON: ${{ secrets.E2E_EUID_PROD_AWS_ARGS_JSON }}
   E2E_EUID_PROD_AWS_OPERATOR_API_KEY: ${{ secrets.E2E_EUID_PROD_AWS_OPERATOR_API_KEY }}
 
+  E2E_UID2_INTEG_AKS_OPERATOR_KEY: ${{ secrets.E2E_UID2_INTEG_AKS_OPERATOR_KEY }}
+  E2E_UID2_PROD_AKS_OPERATOR_KEY: ${{ secrets.E2E_UID2_PROD_AKS_OPERATOR_KEY }}
+
 jobs:
   e2e-test:
     name: E2E Test
@@ -201,6 +204,37 @@ jobs:
           target_environment: ${{ inputs.target_environment }}
           aws_pcr0: ${{ inputs.aws_pcr0 }}
 
+      - name: Start AKS cluster
+        id: start_aks_cluster
+        if: ${{ inputs.operator_type == 'aks' }}
+        uses: IABTechLab/uid2-shared-actions/actions/start_aks_cluster@v3
+        with:
+          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          run_id: ${{ github.run_id }}
+
+      - name: Get AKS operator key
+        id: get_aks_operator_key
+        if: ${{ inputs.operator_type == 'aks' }}
+        shell: bash
+        env:
+          IDENTITY_SCOPE: ${{ inputs.identity_scope }}
+          TARGET_ENVIRONMENT: ${{ inputs.target_environment }}
+          ENCLAVE_PROTOCOL: azure-cc
+        run: |
+          bash uid2-shared-actions/scripts/get_operator_key.sh
+
+      - name: Prepare AKS metadata
+        id: prepare_aks_metadata
+        if: ${{ inputs.operator_type == 'aks' }}
+        uses: IABTechLab/uid2-shared-actions/actions/prepare_aks_metadata@v3
+        with:
+          operator_image_version: ${{ inputs.operator_image_version }}
+          target_environment: ${{ inputs.target_environment }}
+          bore_url_core: ${{ steps.bore.outputs.bore_url_core }}
+          bore_url_optout: ${{ steps.bore.outputs.bore_url_optout }}
+          operator_key: ${{ steps.get_aks_operator_key.outputs.OPERATOR_KEY }}
+          run_id: ${{ github.run_id }}
+
       - name: Bring up Docker Compose
         id: docker-compose
         if: ${{ inputs.target_environment == 'mock' }}
@@ -255,6 +289,15 @@ jobs:
           target_environment: ${{ inputs.target_environment }}
           operator_key: ${{ steps.prepare_aws_metadata.outputs.operator_key }}
 
+      - name: Start AKS private operator
+        id: start_aks_private_operator
+        if: ${{ inputs.operator_type == 'aks' }}
+        uses: IABTechLab/uid2-shared-actions/actions/start_aks_private_operator@v3
+        with:
+          template_file: ${{ steps.prepare_aks_metadata.outputs.template_file }}
+          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          run_id: ${{ github.run_id }}
+
       - name: Decide E2E test environment variables
         id: decide_env_var
         shell: bash
@@ -315,6 +358,8 @@ jobs:
 
       - name: Stop AKS operator
         if: ${{ always() && !inputs.delay_operator_shutdown && inputs.operator_type == 'aks' }}
+        env:
+          RUN_ID: ${{ github.run_id }}
         run: |
             bash uid2-shared-actions/scripts/aks/stop_aks_enclave.sh
 
@@ -358,3 +403,10 @@ jobs:
         with:
           aws_stack_name: ${{ needs.e2e-test.outputs.aws_stack_name }}
           aws_region: ${{ inputs.aws_region }}
+
+      - name: Stop AKS private operator
+        if: ${{ inputs.operator_type == 'aks' }}
+        uses: IABTechLab/uid2-shared-actions/actions/stop_aks_private_operator@v3
+        with:
+          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          run_id: ${{ github.run_id }}
diff --git a/actions/prepare_aks_metadata/action.yaml b/actions/prepare_aks_metadata/action.yaml
@@ -14,6 +14,12 @@ inputs:
   bore_url_optout:
     description: The bore URL for optout service
     required: true
+  operator_key:
+    description: The operator key secret for the target environment
+    required: true
+  run_id:
+    description: Unique run identifier to avoid Azure resource conflicts
+    required: true
 outputs:
   template_file:
     description: The template file
@@ -36,6 +42,8 @@ runs:
         BORE_URL_OPTOUT: ${{ inputs.bore_url_optout }}
         IMAGE_VERSION: ${{ inputs.operator_image_version }}
         TARGET_ENVIRONMENT: ${{ inputs.target_environment }}
+        OPERATOR_KEY: ${{ inputs.operator_key }}
+        RUN_ID: ${{ inputs.run_id }}
       run: |
         bash uid2-shared-actions/scripts/aks/prepare_aks_artifacts.sh
 

diff --git a/actions/prepare_aws_metadata/action.yaml b/actions/prepare_aws_metadata/action.yaml
@@ -39,4 +39,4 @@ runs:
           TARGET_ENVIRONMENT: ${{ inputs.target_environment }}
           ENCLAVE_PROTOCOL: aws-nitro
       run: |
-        bash ./uid2-shared-actions/scripts/get_operator_key.sh
+        bash uid2-shared-actions/scripts/get_operator_key.sh
diff --git a/actions/prepare_gcp_metadata/action.yaml b/actions/prepare_gcp_metadata/action.yaml
@@ -89,4 +89,4 @@ runs:
           TARGET_ENVIRONMENT: ${{ inputs.target_environment }}
           ENCLAVE_PROTOCOL: gcp-oidc
       run: |
-        bash ./uid2-shared-actions/scripts/get_operator_key.sh
+        bash uid2-shared-actions/scripts/get_operator_key.sh
diff --git a/actions/start_aks_cluster/action.yaml b/actions/start_aks_cluster/action.yaml
@@ -0,0 +1,28 @@
+name: Start AKS Cluster
+description: Creates the AKS cluster and infrastructure
+
+inputs:
+  azure_credentials:
+    description: The Azure credentials
+    required: true
+  run_id:
+    description: Unique run identifier for resource naming
+    required: true
+
+runs:
+  using: "composite"
+
+  steps:
+    - name: Log in to Azure
+      uses: azure/login@v2
+      with:
+        creds: ${{ inputs.azure_credentials }}
+        enable-AzPSSession: true
+
+    - name: Start AKS cluster
+      id: start_aks
+      shell: bash
+      env:
+        RUN_ID: ${{ inputs.run_id }}
+      run: |
+        bash uid2-shared-actions/scripts/aks/start_aks_cluster.sh
diff --git a/actions/start_aks_private_operator/action.yaml b/actions/start_aks_private_operator/action.yaml
@@ -8,6 +8,9 @@ inputs:
   azure_credentials:
     description: The Azure credentials
     required: true
+  run_id:
+    description: Unique run identifier for resource naming
+    required: true
 
 outputs:
   uid2_pipeline_e2e_operator_url:
@@ -29,5 +32,6 @@ runs:
       shell: bash
       env:
         TEMPLATE_FILE: ${{ inputs.template_file }}
+        RUN_ID: ${{ inputs.run_id }}
       run: |
         bash uid2-shared-actions/scripts/aks/start_aks_enclave.sh
diff --git a/actions/stop_aks_private_operator/action.yaml b/actions/stop_aks_private_operator/action.yaml
@@ -5,6 +5,9 @@ inputs:
   azure_credentials:
     description: The Azure credentials
     required: true
+  run_id:
+    description: Unique run identifier for resource naming
+    required: true
 
 runs:
   using: "composite"
@@ -18,5 +21,7 @@ runs:
 
     - name: Stop AKS private operator
       shell: bash
+      env:
+        RUN_ID: ${{ inputs.run_id }}
       run: |
         bash uid2-shared-actions/scripts/aks/stop_aks_enclave.sh
diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# Common AKS environment variables used by multiple scripts
+
+# Set the correct subscription for AKS E2E tests
+az account set --subscription "63e97a70-d825-4b08-af6d-c0d8ad98bed3"
+
+# RUN_ID should be set by the caller (e.g., github.run_id)
+# Use short suffix to stay within Azure naming limits (e.g., Key Vault max 24 chars)
+if [ -z "${RUN_ID}" ]; then
+  echo "Warning: RUN_ID not set, using default names (may cause conflicts)"
+  RUN_SUFFIX=""
+else
+  # Use last 8 digits of RUN_ID to keep names short
+  RUN_SUFFIX="-${RUN_ID: -8}"
+fi
+
+export RESOURCE_GROUP="opr-e2e-aks${RUN_SUFFIX}"
+export LOCATION="westus"
+export VNET_NAME="opr-e2e-vnet${RUN_SUFFIX}"
+export PUBLIC_IP_ADDRESS_NAME="opr-e2e-ip${RUN_SUFFIX}"
+export NAT_GATEWAY_NAME="opr-e2e-nat${RUN_SUFFIX}"
+export AKS_CLUSTER_NAME="opr-e2e-cluster${RUN_SUFFIX}"
+export KEYVAULT_NAME="opre2evault${RUN_SUFFIX}"
+export KEYVAULT_SECRET_NAME="opr-key${RUN_SUFFIX}"
+export MANAGED_IDENTITY="opr-e2e-id${RUN_SUFFIX}"
+export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}"
+export SUBSCRIPTION_ID="$(az account show --query id --output tsv)"
+export DEPLOYMENT_ENV="integ"
diff --git a/scripts/aks/prepare_aks_artifacts.sh b/scripts/aks/prepare_aks_artifacts.sh
@@ -21,31 +21,58 @@ if [ -z "${TARGET_ENVIRONMENT}" ]; then
   exit 1
 fi
 
-# Below resources should be prepared ahead of running the E2E test.
+if [ -z "${OPERATOR_KEY}" ]; then
+  echo "OPERATOR_KEY can not be empty"
+  exit 1
+fi
+
+if [ -z "${RUN_ID}" ]; then
+  echo "RUN_ID can not be empty"
+  exit 1
+fi
+
 # See https://github.com/UnifiedID2/aks-demo/tree/master/vn-aks#setup-aks--node-pool
-export RESOURCE_GROUP="pipeline-vn-aks"
-export LOCATION="eastus"
-export VNET_NAME="pipeline-vnet"
-export PUBLIC_IP_ADDRESS_NAME="pipeline-public-ip"
-export NAT_GATEWAY_NAME="pipeline-nat-gateway"
-export AKS_CLUSTER_NAME="pipelinevncluster"
-export KEYVAULT_NAME="pipeline-vn-aks-vault"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/aks_env.sh"
+
 if [ ${TARGET_ENVIRONMENT} == "mock" ]; then
-  export KEYVAULT_SECRET_NAME="pipeline-vn-aks-opr-key-name"
+  export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name"
 elif [ ${TARGET_ENVIRONMENT} == "integ" ]; then
-  KEYVAULT_SECRET_NAME="pipeline-vn-aks-opr-key-name-integ"
+  export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name-integ"
 elif [ ${TARGET_ENVIRONMENT} == "prod" ]; then
-  KEYVAULT_SECRET_NAME="pipeline-vn-aks-opr-key-name-prod"
+  export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name-prod"
 else
   echo "Arguments not supported: TARGET_ENVIRONMENT=${TARGET_ENVIRONMENT}"
   exit 1
 fi
 
-export MANAGED_IDENTITY="pipeline-vn-aks-opr-id"
-export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}"
-export SUBSCRIPTION_ID="$(az account show --query id --output tsv)"
-export DEPLOYMENT_ENV="integ"
-export MANAGED_IDENTITY_ID="/subscriptions/001a3882-eb1c-42ac-9edc-5e2872a07783/resourcegroups/pipeline-vn-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pipeline-vn-aks-opr-id"
+# --- Create Key Vault & Managed Identity ---
+# Login to AKS cluster
+az aks get-credentials --name ${AKS_CLUSTER_NAME} --resource-group ${RESOURCE_GROUP}
+# Create managed identity
+az identity create --name "${MANAGED_IDENTITY}" --resource-group "${RESOURCE_GROUP}" --location "${LOCATION}"
+# Create key vault with purge protection and RBAC authorization
+# Check if vault exists in deleted state and recover it, otherwise create new
+if az keyvault show-deleted --name "${KEYVAULT_NAME}" &>/dev/null; then
+  echo "Key vault '${KEYVAULT_NAME}' exists in deleted state, recovering..."
+  az keyvault recover --name "${KEYVAULT_NAME}"
+elif az keyvault show --name "${KEYVAULT_NAME}" &>/dev/null; then
+  echo "Key vault '${KEYVAULT_NAME}' already exists."
+else
+  echo "Creating key vault '${KEYVAULT_NAME}'..."
+  az keyvault create --name "${KEYVAULT_NAME}" --resource-group "${RESOURCE_GROUP}" --location "${LOCATION}" --enable-purge-protection --enable-rbac-authorization
+fi
+# Get keyvault resource ID
+export KEYVAULT_RESOURCE_ID="$(az keyvault show --resource-group "${RESOURCE_GROUP}" --name "${KEYVAULT_NAME}" --query id --output tsv)"
+# Set keyvault secret
+az keyvault secret set --vault-name "${KEYVAULT_NAME}" --name "${KEYVAULT_SECRET_NAME}" --value "${OPERATOR_KEY}"
+# Get identity principal ID
+export IDENTITY_PRINCIPAL_ID="$(az identity show --name "${MANAGED_IDENTITY}" --resource-group "${RESOURCE_GROUP}" --query principalId --output tsv)"
+# Create role assignment for Key Vault Secrets User
+az role assignment create --assignee-object-id "${IDENTITY_PRINCIPAL_ID}" --role "Key Vault Secrets User" --scope "${KEYVAULT_RESOURCE_ID}" --assignee-principal-type ServicePrincipal
+
+# Get managed identity ID
+export MANAGED_IDENTITY_ID="$(az identity show --name "${MANAGED_IDENTITY}" --resource-group "${RESOURCE_GROUP}" --query id --output tsv)"
 
 OPERATOR_ROOT="./uid2-operator"
 SHARED_ACTIONS_ROOT="./uid2-shared-actions"
@@ -87,11 +114,12 @@ else
   sed -i "s#VAULT_NAME_PLACEHOLDER#${KEYVAULT_NAME}#g" "${OUTPUT_TEMPLATE_FILE}"
   sed -i "s#OPERATOR_KEY_SECRET_NAME_PLACEHOLDER#${KEYVAULT_SECRET_NAME}#g" "${OUTPUT_TEMPLATE_FILE}"
   sed -i "s#DEPLOYMENT_ENVIRONMENT_PLACEHOLDER#integ#g" "${OUTPUT_TEMPLATE_FILE}"
+  # Make deployment name unique per run to avoid Azure resource conflicts
+  sed -i "s#operator-deployment#operator-deployment-${RUN_ID}#g" "${OUTPUT_TEMPLATE_FILE}"
   cat ${OUTPUT_TEMPLATE_FILE}
 
-  if [ ${TARGET_ENVIRONMENT} == "mock" ]; then
-    python3 ${SHARED_ACTIONS_ROOT}/scripts/aks/add_env.py ${OUTPUT_TEMPLATE_FILE} uid2-operator CORE_BASE_URL ${BORE_URL_CORE} OPTOUT_BASE_URL ${BORE_URL_OPTOUT} SKIP_VALIDATIONS true
-  fi
+  # Add bore URLs for connecting to mock core/optout services (used in all E2E test environments)
+  python3 ${SHARED_ACTIONS_ROOT}/scripts/aks/add_env.py ${OUTPUT_TEMPLATE_FILE} uid2-operator CORE_BASE_URL ${BORE_URL_CORE} OPTOUT_BASE_URL ${BORE_URL_OPTOUT} SKIP_VALIDATIONS true
 
   cat ${OUTPUT_TEMPLATE_FILE}
   # --- Finished updating yaml file with resources ---