Azure Key Vault with Managed Identities on Kubernetes

How to configure Azure Key Vault and Kubernetes to use Azure Managed Identities to access secrets

Prerequisites

Setup Managed Identity and Azure Key Vault

  1. Login to Azure and set the default subscription

    # Log in to Azure
    az login
    # Set your subscription as the default subscription
    az account set -s [your subscription id]
  2. Create an Azure Key Vault in a region

    az keyvault create --location [region] --name [your keyvault] --resource-group [your resource group]
  3. Create the managed identity (optional)

    This step is required only if the AKS cluster is provisioned without the "--enable-managed-identity" flag. If the cluster is provisioned with managed identity, it is suggested to use the autogenerated managed identity associated with the MC_* resource group.

    $identity = az identity create -g [your resource group] -n [your managed identity name] -o json | ConvertFrom-Json

    The command below retrieves the managed identity in the autogenerated scenario:

    az aks show -g <AKSResourceGroup> -n <AKSClusterName>

    For more detail about the roles to assign to integrate AKS with Azure services, see Role Assignment.

  4. Retrieve the Managed Identity ID

    The two main scenarios are:

    • Service Principal: in this case the resource group is the one in which the AKS cluster is deployed
    $clientId = az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query servicePrincipalProfile.clientId -otsv
    • Managed Identity: in this case the resource group is the one in which the AKS cluster is deployed
    $clientId = az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query identityProfile.kubeletidentity.clientId -otsv
  5. Assign the Reader role to the managed identity

    For an AKS cluster, the cluster resource group is the resource group with the MC_ prefix, which contains all of the infrastructure resources associated with the cluster, such as the VMs/VMSS.

    az role assignment create --role "Reader" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
  6. Assign the Managed Identity Operator role to the AKS Service Principal. Refer to the previous step for which resource group to use and which identity to assign.

    az role assignment create --role "Managed Identity Operator" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
    az role assignment create --role "Virtual Machine Contributor" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
  7. Add a policy to the Key Vault so the managed identity can read secrets

    az keyvault set-policy --name [your keyvault] --spn $clientId --secret-permissions get list
  8. Enable AAD Pod Identity on AKS

    kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
    # For AKS clusters, deploy the MIC and AKS add-on exception by running:
    kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/mic-exception.yaml
  9. Configure the AzureIdentity and AzureIdentityBinding yaml

    Save the following yaml as azure-identity-config.yaml:

    apiVersion: "aadpodidentity.k8s.io/v1"
    kind: AzureIdentity
    metadata:
      name: [your managed identity name]
    spec:
      type: 0
      resourceID: [your managed identity id]
      clientID: [your managed identity Client ID]
    ---
    apiVersion: "aadpodidentity.k8s.io/v1"
    kind: AzureIdentityBinding
    metadata:
      name: [your managed identity name]-identity-binding
    spec:
      azureIdentity: [your managed identity name]
      selector: [your managed identity selector]
  10. Deploy the azure-identity-config.yaml:

    kubectl apply -f azure-identity-config.yaml

Configure Dapr component

In Kubernetes mode, you store the certificate for the service principal in the Kubernetes secret store, then enable the Azure Key Vault secret store component using that certificate from the Kubernetes secret store.

  1. Create the azurekeyvault.yaml component file

    The component yaml uses the name of your key vault and the Client ID of the managed identity to set up the secret store.

    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: azurekeyvault
      namespace: default
    spec:
      type: secretstores.azure.keyvault
      version: v1
      metadata:
      - name: vaultName
        value: [your_keyvault_name]
      - name: spnClientId
        value: [your_managed_identity_client_id]
  2. Apply the azurekeyvault.yaml component

    kubectl apply -f azurekeyvault.yaml
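The script below is an added example (not part of the Dapr docs or the Dapr project): before running kubectl apply, it cross-checks the azure-identity-config.yaml from step 9 of the setup against the azurekeyvault.yaml component, catching the usual misconfigurations (a "[...]" template placeholder left in, a binding that names a different AzureIdentity, a clientID that is not a GUID, or an spnClientId that does not match the identity's clientID). The file names, resource names and GUID in the embedded samples are constructed, and the samples are trimmed to the fields the check reads.

```shell
# Added example, not from the Dapr docs: cross-check azure-identity-config.yaml against the Dapr component yaml.
# First scalar "key: value" in a YAML file, surrounding quotes stripped.
yaml_value() { sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'; }
# The "value:" that follows "- name: <key>" in a Dapr component metadata list.
component_meta() { awk -v k="$2" '$0 ~ "name: "k"$" {f=1; next} f && /value:/ {sub(/.*value: */, ""); print; exit}' "$1"; }
# Returns 0 when every cross-reference agrees, 1 otherwise (each problem is printed).
check_identity_config() {
  idfile=$1 compfile=$2 rc=0
  id_name=$(yaml_value "$idfile" name); client_id=$(yaml_value "$idfile" clientID)
  bound_id=$(yaml_value "$idfile" azureIdentity); selector=$(yaml_value "$idfile" selector)
  spn_id=$(component_meta "$compfile" spnClientId); vault=$(component_meta "$compfile" vaultName)
  for v in "$client_id" "$selector" "$spn_id" "$vault"; do  # empty, or a "[...]" template placeholder left in?
    case $v in ''|*\[*) echo "unfilled value: '$v'"; rc=1 ;; esac
  done
  echo "$client_id" | grep -Eq '^[0-9a-fA-F-]{36}$' || { echo "clientID is not a GUID: '$client_id'"; rc=1; }
  [ "$bound_id" = "$id_name" ] || { echo "binding points at '$bound_id', identity is '$id_name'"; rc=1; }
  [ "$spn_id" = "$client_id" ] || { echo "spnClientId '$spn_id' != clientID '$client_id'"; rc=1; }
  return $rc
}
write_samples() {  # constructed sample pair (placeholder names and GUID), written into directory $1
  cat > "$1/azure-identity-config.yaml" <<'EOF'
kind: AzureIdentity
metadata:
  name: dapr-kv-identity
spec:
  type: 0
  clientID: 11111111-2222-3333-4444-555555555555
---
kind: AzureIdentityBinding
metadata:
  name: dapr-kv-identity-identity-binding
spec:
  azureIdentity: dapr-kv-identity
  selector: dapr-kv
EOF
  cat > "$1/azurekeyvault.yaml" <<'EOF'
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: my-dapr-vault
  - name: spnClientId
    value: 11111111-2222-3333-4444-555555555555
EOF
}
```

Run it as `check_identity_config azure-identity-config.yaml azurekeyvault.yaml` against your real files; a non-zero exit means at least one mismatch was printed. Pods must also carry the label aadpodidbinding set to the binding's selector, which this script does not verify.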

References

Last modified February 16, 2021: Merge pull request #1235 from dapr/update-v0.11 (b4e9fbb)