Azure Key Vault with Managed Identities on Kubernetes

To set up the Azure Key Vault secret store with managed identities, create a Dapr component of the Azure Key Vault secret store type. See the secret store component guide on how to create and apply a secretstore configuration, and the guide on referencing secrets to retrieve and use the secret with Dapr components.

In Kubernetes mode, the certificate-based variant of this setup stores the service principal's certificate in the Kubernetes secret store and points the Azure Key Vault component at it. With a managed identity, no certificate or client secret is stored at all: AAD Pod Identity injects a token for the identity bound to the pod, and the Dapr sidecar uses that token to talk to Key Vault.

The component yaml only needs the name of your key vault and the client ID of the managed identity to set up the secret store; neither value is sensitive.

Warning

The component example above passes its metadata values as plain strings. Anything that is actually secret (for example a certificate or client secret in the non-managed-identity variants) should instead be referenced from a local secret store such as the Kubernetes secret store, which bootstraps secure key storage for the Key Vault component.

Steps

  1. Log in to Azure and set the default subscription

    # Log in to Azure
    az login
    # Set your subscription as the default subscription
    az account set -s [your subscription id]
  2. Create an Azure Key Vault in a region

    az keyvault create --location [region] --name [your keyvault] --resource-group [your resource group]
  3. Create a user-assigned managed identity. This step is required only if the AKS cluster was provisioned without the flag "--enable-managed-identity". If the cluster was provisioned with managed identity, it is suggested to use the autogenerated kubelet identity instead, which lives in the node resource group named MC_*.

    The command below is PowerShell; the same `az identity create` call works from bash without the `ConvertFrom-Json` pipe (use `--query clientId -o tsv` to pick out individual fields instead):

    $identity = az identity create -g [your resource group] -n [your managed identity name] -o json | ConvertFrom-Json

    Below is the command to retrieve the managed identity in the autogenerated scenario:

    For more detail about the roles to assign when integrating AKS with Azure services, see the AKS documentation.

  4. Assign the Reader role to the managed identity, scoped to the resource group that holds the identity (for the autogenerated identity this is the MC_* node resource group).

  5. Assign the Managed Identity Operator role to the AKS service principal (or, on a cluster created with --enable-managed-identity, to the kubelet identity). This is what allows the cluster to assign the identity to nodes on behalf of the pods. Refer to the previous step for which resource group to use and which identity to assign.

  6. Add an access policy to the Key Vault so the managed identity can read secrets. Grant only `get` and `list` on secrets; the component never needs to write, delete or manage keys and certificates. `$clientId` is the client ID of the identity created or retrieved in step 3.

    az keyvault set-policy --name [your keyvault] --spn $clientId --secret-permissions get list
  7. Enable AAD Pod Identity on AKS. Note that the aad-pod-identity project has since been deprecated by Microsoft in favour of Azure AD Workload Identity; the manifests below still install it, but new clusters should plan for the replacement.

    kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
    # For AKS clusters, deploy the MIC and AKS add-on exception by running -
    kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/mic-exception.yaml
  8. Configure the Azure Identity and AzureIdentityBinding yaml

    Save the following yaml as azure-identity-config.yaml. Both `type` and the IDs belong under `spec`; `type: 0` denotes a user-assigned managed identity:

    apiVersion: "aadpodidentity.k8s.io/v1"
    kind: AzureIdentity
    metadata:
      name: [your managed identity name]
    spec:
      type: 0
      resourceID: [your managed identity id]
      clientID: [your managed identity Client ID]
    ---
    apiVersion: "aadpodidentity.k8s.io/v1"
    kind: AzureIdentityBinding
    metadata:
      name: [your managed identity name]-identity-binding
    spec:
      azureIdentity: [your managed identity name]
      selector: [your managed identity selector]

    where the value resourceID: [your managed identity id] is the fully qualified resource ID of the managed identity. It can be retrieved by running

    The `selector` value is what pods must carry as their `aadpodidbinding` label for the identity to be injected; the Dapr sidecar only gets a token if its pod is labelled that way. Apply the configuration with:

    kubectl apply -f azure-identity-config.yaml
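The steps above are spread across bash, PowerShell and manifests, and two of them (the role assignments and the component yaml) have no command shown. The script below is an added example, not code from the Dapr project or the original page, that strings the whole procedure together in bash: it renders the AzureIdentity/AzureIdentityBinding pair and the Dapr `secretstores.azure.keyvault` component from the identity's IDs, validates the IDs before they reach a role assignment, and applies the least-privilege vault policy. The resource names (`RG`, `KV`, `AKS_NAME`, `MI_NAME`, `SELECTOR`, `LOCATION`) are assumptions to be overridden from the environment; the cluster is assumed to have been created with --enable-managed-identity, so the kubelet identity receives Managed Identity Operator.

```shell
#!/usr/bin/env bash
# Added example: wire a user-assigned managed identity to a Dapr Azure Key Vault
# secret store through aad-pod-identity. Not part of the Dapr docs.
set -eu

# Assumed names; override from the environment before running `provision`.
RG="${RG:-dapr-rg}"
KV="${KV:-dapr-kv}"
AKS_NAME="${AKS_NAME:-dapr-aks}"
MI_NAME="${MI_NAME:-dapr-kv-identity}"
SELECTOR="${SELECTOR:-dapr-kv-identity}"
LOCATION="${LOCATION:-westeurope}"

# Render the AzureIdentity + AzureIdentityBinding pair (aadpodidentity.k8s.io/v1).
# Arguments: identity name, fully qualified resource ID, client ID, selector.
render_pod_identity_yaml() {
  cat <<EOF
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: $1
spec:
  type: 0
  resourceID: $2
  clientID: $3
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: $1-identity-binding
spec:
  azureIdentity: $1
  selector: $4
EOF
}

# Render the Dapr component. With pod identity the metadata holds no secret:
# only the vault name and the identity's client ID. Arguments: vault, client ID.
render_dapr_component_yaml() {
  cat <<EOF
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  metadata:
  - name: vaultName
    value: $1
  - name: spnClientId
    value: $2
EOF
}

# Client and object IDs are GUIDs; refuse anything else so a failed `az` query
# (empty string, error text) can never be passed into a role assignment.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

provision() {
  az keyvault create --location "$LOCATION" --name "$KV" --resource-group "$RG" -o none   # step 2
  az identity create -g "$RG" -n "$MI_NAME" -o none                                      # step 3
  clientId=$(az identity show -g "$RG" -n "$MI_NAME" --query clientId -o tsv)
  principalId=$(az identity show -g "$RG" -n "$MI_NAME" --query principalId -o tsv)
  resourceId=$(az identity show -g "$RG" -n "$MI_NAME" --query id -o tsv)
  is_guid "$clientId" || { echo "unexpected clientId: '$clientId'" >&2; exit 1; }
  is_guid "$principalId" || { echo "unexpected principalId: '$principalId'" >&2; exit 1; }
  subId=$(az account show --query id -o tsv)

  # Step 4: Reader on the resource group that holds the identity.
  az role assignment create --role Reader --assignee-object-id "$principalId" \
    --assignee-principal-type ServicePrincipal \
    --scope "/subscriptions/$subId/resourceGroups/$RG" -o none

  # Step 5: the cluster's kubelet identity must be allowed to assign our identity.
  kubeletClientId=$(az aks show -g "$RG" -n "$AKS_NAME" \
    --query identityProfile.kubeletidentity.clientId -o tsv)
  is_guid "$kubeletClientId" || { echo "unexpected kubelet clientId" >&2; exit 1; }
  az role assignment create --role "Managed Identity Operator" \
    --assignee "$kubeletClientId" --scope "$resourceId" -o none

  # Step 6: least privilege on the vault: read and enumerate secrets, nothing else.
  # --object-id pins the policy to this principal; the page's --spn $clientId is equivalent.
  az keyvault set-policy --name "$KV" --object-id "$principalId" \
    --secret-permissions get list -o none

  # Step 8: pod identity objects, then the Dapr component that relies on them.
  render_pod_identity_yaml "$MI_NAME" "$resourceId" "$clientId" "$SELECTOR" | kubectl apply -f -
  render_dapr_component_yaml "$KV" "$clientId" | kubectl apply -f -
}

# Only run against Azure when explicitly asked: `./setup-kv-identity.sh provision`.
if [ "${1:-}" = "provision" ]; then
  provision
fi
```

Pods that should read from the vault must carry the label `aadpodidbinding: $SELECTOR`; without it the sidecar gets no token and the secret store fails to authenticate, which is the expected, closed-by-default behaviour.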