we have connected our on-prem k8s cluster to azure using azure arc. can we use managed identity for azuthentication/authorization to connect azure vault to k8s cluster

Question

we have connected our on-prem k8s cluster to azure using azure arc. can we use managed identity for azuthentication/authorization to connect azure vault to k8s cluster

Answer 1

Hello,

Welcome to Microsoft Q&A,

You can authenticate and authorize your on-prem Kubernetes cluster (connected via Azure Arc) to access Azure Key Vault using managed identities, but since Workload Identity Federation is still in preview, it's not recommended for production yet.

Here's how you can achieve this:

Install the Azure Key Vault Secrets Provider Extension:

• This extension integrates Azure Key Vault with your Azure Arc-enabled Kubernetes cluster, enabling your pods to retrieve secrets directly from Key Vault.
  • Documentation: Use the Azure Key Vault Secrets Provider extension to fetch secrets into Azure Arc-enabled Kubernetes clusters

1. Configure Workload Identity Federation:

• Azure Arc-enabled Kubernetes supports Workload Identity, allowing Kubernetes service accounts to access Azure resources using managed identities.
  • Documentation: https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/conceptual-workload-identity

Assign Permissions to the Managed Identity:

• Grant the managed identity appropriate access policies in Azure Key Vault to allow your Kubernetes workloads to retrieve necessary secrets.
  • Documentation: Use the Azure Key Vault Secret Store extension to sync secrets to Azure Arc-enabled Kubernetes clusters

Please upvote and accept the answer if it helps!