Azure Key Vault secret store
Detailed information on the Azure Key Vault secret store component
Component format
To setup Azure Key Vault secret store create a component of type secretstores.azure.keyvault
. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.
See also configure the component guide in this page.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
namespace: default
spec:
type: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName # Required
value: [your_keyvault_name]
- name: azureEnvironment # Optional, defaults to AZUREPUBLICCLOUD
value: "AZUREPUBLICCLOUD"
# See authentication section below for all options
- name: azureTenantId
value: "[your_service_principal_tenant_id]"
- name: azureClientId
value: "[your_service_principal_app_id]"
- name: azureCertificateFile
value : "[pfx_certificate_file_fully_qualified_local_path]"
Authenticating with Azure AD
The Azure Key Vault secret store component supports authentication with Azure AD only. Before you enable this component, make sure you’ve read the Authenticating to Azure document and created an Azure AD application (also called Service Principal). Alternatively, make sure you have created a managed identity for your application platform.
Spec metadata fields
Field | Required | Details | Example |
---|---|---|---|
vaultName | Y | The name of the Azure Key Vault | “mykeyvault” |
azureEnvironment | N | Optional name for the Azure environment if using a different Azure cloud | “AZUREPUBLICCLOUD” (default value), “AZURECHINACLOUD” , “AZUREUSGOVERNMENTCLOUD” , “AZUREGERMANCLOUD” |
Auth metadata | See Authenticating to Azure for more information |
Additionally, you must provide the authentication fields as explained in the Authenticating to Azure document.
Example: Create an Azure Key Vault and authorize a Service Principal
Prerequisites
- Azure Subscription
- Azure CLI
- jq
- The scripts below are optimized for a bash or zsh shell
Make sure you have followed the steps in the Authenticating to Azure document to create an Azure AD application (also called Service Principal). You will need the following values:
SERVICE_PRINCIPAL_ID
: the ID of the Service Principal that you created for a given application
Steps
- Set a variable with the Service Principal that you created:
SERVICE_PRINCIPAL_ID="[your_service_principal_object_id]"
- Set a variable with the location where to create all resources:
LOCATION="[your_location]"
(You can get the full list of options with: az account list-locations --output tsv
)
- Create a Resource Group, giving it any name you’d like:
RG_NAME="[resource_group_name]"
RG_ID=$(az group create \
--name "${RG_NAME}" \
--location "${LOCATION}" \
| jq -r .id)
- Create an Azure Key Vault (that uses Azure RBAC for authorization):
KEYVAULT_NAME="[key_vault_name]"
az keyvault create \
--name "${KEYVAULT_NAME}" \
--enable-rbac-authorization true \
--resource-group "${RG_NAME}" \
--location "${LOCATION}"
- Using RBAC, assign a role to the Azure AD application so it can access the Key Vault.
In this case, assign the “Key Vault Secrets User” role, which has the “Get secrets” permission over Azure Key Vault.
az role assignment create \
--assignee "${SERVICE_PRINCIPAL_ID}" \
--role "Key Vault Secrets User" \
--scope "${RG_ID}/providers/Microsoft.KeyVault/vaults/${KEYVAULT_NAME}"
Other less restrictive roles like “Key Vault Secrets Officer” and “Key Vault Administrator” can be used as well, depending on your application. For more information about Azure built-in roles for Key Vault see the Microsoft docs.
Configure the component
To use a client secret, create a file called azurekeyvault.yaml
in the components directory, filling in with the Azure AD application that you created following the Authenticating to Azure document:
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
namespace: default
spec:
type: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
value: "[your_keyvault_name]"
- name: azureTenantId
value: "[your_tenant_id]"
- name: azureClientId
value: "[your_client_id]"
- name: azureClientSecret
value : "[your_client_secret]"
If you want to use a certificate saved on the local disk, instead, use this template, filling in with details of the Azure AD application that you created following the Authenticating to Azure document:
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
namespace: default
spec:
type: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
value: "[your_keyvault_name]"
- name: azureTenantId
value: "[your_tenant_id]"
- name: azureClientId
value: "[your_client_id]"
- name: azureCertificateFile
value : "[pfx_certificate_file_fully_qualified_local_path]"
In Kubernetes, you store the client secret or the certificate into the Kubernetes Secret Store and then refer to those in the YAML file. You will need the details of the Azure AD application that was created following the Authenticating to Azure document.
To use a client secret:
Create a Kubernetes secret using the following command:
kubectl create secret generic [your_k8s_secret_name] --from-literal=[your_k8s_secret_key]=[your_client_secret]
[your_client_secret]
is the application’s client secret as generated above[your_k8s_secret_name]
is secret name in the Kubernetes secret store[your_k8s_secret_key]
is secret key in the Kubernetes secret store
Create an
azurekeyvault.yaml
component file.The component yaml refers to the Kubernetes secretstore using
auth
property andsecretKeyRef
refers to the client secret stored in the Kubernetes secret store.apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
namespace: default
spec:
type: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
value: "[your_keyvault_name]"
- name: azureTenantId
value: "[your_tenant_id]"
- name: azureClientId
value: "[your_client_id]"
- name: azureClientSecret
secretKeyRef:
name: "[your_k8s_secret_name]"
key: "[your_k8s_secret_key]"
auth:
secretStore: kubernetes
Apply the
azurekeyvault.yaml
component:kubectl apply -f azurekeyvault.yaml
To use a certificate:
Create a Kubernetes secret using the following command:
kubectl create secret generic [your_k8s_secret_name] --from-file=[your_k8s_secret_key]=[pfx_certificate_file_fully_qualified_local_path]
[pfx_certificate_file_fully_qualified_local_path]
is the path of PFX file you obtained earlier[your_k8s_secret_name]
is secret name in the Kubernetes secret store[your_k8s_secret_key]
is secret key in the Kubernetes secret store
Create an
azurekeyvault.yaml
component file.The component yaml refers to the Kubernetes secretstore using
auth
property andsecretKeyRef
refers to the certificate stored in the Kubernetes secret store.apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
namespace: default
spec:
type: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
value: "[your_keyvault_name]"
- name: azureTenantId
value: "[your_tenant_id]"
- name: azureClientId
value: "[your_client_id]"
- name: azureCertificate
secretKeyRef:
name: "[your_k8s_secret_name]"
key: "[your_k8s_secret_key]"
auth:
secretStore: kubernetes
Apply the
azurekeyvault.yaml
component:kubectl apply -f azurekeyvault.yaml
To use Azure managed identity:
Ensure your AKS cluster has managed identity enabled and follow the guide for using managed identities.
Create an
azurekeyvault.yaml
component file.The component yaml refers to a particular KeyVault name. The managed identity you will use in a later step must be given read access to this particular KeyVault instance.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
namespace: default
spec:
type: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
value: "[your_keyvault_name]"
Apply the
azurekeyvault.yaml
component:kubectl apply -f azurekeyvault.yaml
Create and use a managed identity / pod identity by following this guide. After creating an AKS pod identity, give this identity read permissions on your desired KeyVault instance, and finally in your application deployment inject the pod identity via a label annotation:
apiVersion: v1
kind: Pod
metadata:
name: mydaprdemoapp
labels:
aadpodidbinding: $POD_IDENTITY_NAME
References
- Authenticating to Azure
- Azure CLI: keyvault commands
- Secrets building block
- How-To: Retrieve a secret
- How-To: Reference secrets in Dapr components
- Secrets API reference
Last modified June 23, 2022: Merge pull request #2550 from ItalyPaleAle/cosmosdb-harcoded-dapr-version (cf03237)