Azure Key Vault with Managed Identities on Kubernetes
How to configure Azure Key Vault and Kubernetes to use Azure Managed Identities to access secrets
Component format
To setup Azure Key Vault secret store with Managed Identies create a component of type secretstores.azure.keyvault
. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.
In Kubernetes mode, you store the certificate for the service principal into the Kubernetes Secret Store and then enable Azure Key Vault secret store with this certificate in Kubernetes secretstore.
The component yaml uses the name of your key vault and the Cliend ID of the managed identity to setup the secret store.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
namespace: default
spec:
type: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
value: [your_keyvault_name]
- name: spnClientId
value: [your_managed_identity_client_id]
Warning
The above example uses secrets as plain strings. It is recommended to use a local secret store such as Kubernetes secret store or a local file to bootstrap secure key storage.
Spec metadata fields
Field | Required | Details | Example |
---|---|---|---|
vaultName | Y | The name of the Azure Key Vault | “mykeyvault” |
spnClientId | Y | Your managed identity client Id | “yourId” |
Setup Managed Identity and Azure Key Vault
Prerequisites
Steps
Login to Azure and set the default subscription
# Log in Azure
az login
# Set your subscription to the default subscription
az account set -s [your subscription id]
Create an Azure Key Vault in a region
az keyvault create --location [region] --name [your keyvault] --resource-group [your resource group]
Create the managed identity(Optional)
This step is required only if the AKS Cluster is provisoned without the flag “–enable-managed-identity”. If the cluster is provisioned with managed identity, than it is suggested to use the autogenerated managed identity that is associated to the Resource Group MC_*.
$identity = az identity create -g [your resource group] -n [your managed identity name] -o json | ConvertFrom-Json
Below is the command to retrieve the managed identity in the autogenerated scenario:
az aks show -g <AKSResourceGroup> -n <AKSClusterName>
For more detail about the roles to assign to integrate AKS with Azure Services Role Assignment.
Retrieve Managed Identity ID
The two main scenario are:
- Service Principal, in this case the Resource Group is the one in which is deployed the AKS Service Cluster
$clientId= az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query servicePrincipalProfile.clientId -otsv
- Managed Identity, in this case the Resource Group is the one in which is deployed the AKS Service Cluster
$clientId= az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query identityProfile.kubeletidentity.clientId -otsv
Assign the Reader role to the managed identity
For AKS cluster, the cluster resource group refers to the resource group with a MC_ prefix, which contains all of the infrastructure resources associated with the cluster like VM/VMSS.
az role assignment create --role "Reader" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
Assign the Managed Identity Operator role to the AKS Service Principal Refer to previous step about the Resource Group to use and which identity to assign
az role assignment create --role "Managed Identity Operator" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
az role assignment create --role "Virtual Machine Contributor" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
Add a policy to the Key Vault so the managed identity can read secrets
az keyvault set-policy --name [your keyvault] --spn $clientId --secret-permissions get list
Enable AAD Pod Identity on AKS
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
# For AKS clusters, deploy the MIC and AKS add-on exception by running -
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/mic-exception.yaml
Configure the Azure Identity and AzureIdentityBinding yaml
Save the following yaml as azure-identity-config.yaml:
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
name: [your managed identity name]
spec:
type: 0
resourceID: [your managed identity id]
clientID: [your managed identity Client ID]
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
name: [your managed identity name]-identity-binding
spec:
azureIdentity: [your managed identity name]
selector: [your managed identity selector]
Deploy the azure-identity-config.yaml:
kubectl apply -f azure-identity-config.yaml
References
- Azure CLI Keyvault CLI
- Create an Azure service principal with Azure CLI
- AAD Pod Identity
- Secrets building block
- How-To: Retrieve a secret
- How-To: Reference secrets in Dapr components
- Secrets API reference
Last modified May 26, 2021: Update to point to 1.2 (#1518) (c690379)