Tutorial: Use the Azure Key Vault provider for Secrets Store CSI Driver in an Azure Kubernetes Service (AKS) cluster

Learn how to connect to Azure Key Vault using CSI driver in an Azure Kubernetes Service (AKS) cluster with the help of Service Connector. In this tutorial, you complete the following tasks:

  • Create an AKS cluster and an Azure Key Vault.
  • Create a connection between the AKS cluster and the Azure Key Vault with Service Connector.
  • Create a SecretProviderClass CRD and a pod consuming the CSI provider to test the connection.
  • Clean up resources.

Important

Service Connector within AKS is currently in preview. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Warning

Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.

Prerequisites

Create Azure resources

  1. Create a resource group for this tutorial.

    az group create \
        --name MyResourceGroup \
        --location eastus
    
  2. Create an AKS cluster with the following command, or by following the AKS tutorial. This is the cluster in which you create the service connection and the pod definition, and to which you deploy the sample application.

    az aks create \
        --resource-group MyResourceGroup \
        --name MyAKSCluster \
        --enable-managed-identity \
        --node-count 1
    
  3. Connect to the cluster with the following command.

    az aks get-credentials \
        --resource-group MyResourceGroup \
        --name MyAKSCluster
    
  4. Create an Azure Key Vault with the following command, or by following the Key Vault tutorial. This is the target service that the AKS cluster connects to and that the CSI driver synchronizes secrets from.

    az keyvault create \
        --resource-group MyResourceGroup \
        --name MyKeyVault \
        --location EastUS
    
  5. Create a secret in the Key Vault with the following command.

    az keyvault secret set \
        --vault-name MyKeyVault \
        --name ExampleSecret \
        --value MyAKSExampleSecret
    

Create a service connection in AKS with Service Connector (preview)

Create a service connection between an AKS cluster and an Azure Key Vault using the Azure portal or the Azure CLI.

  1. Open your Kubernetes service in the Azure portal and select Service Connector from the left menu.

  2. Select Create and fill in the settings as shown below. Leave the other settings with their default values.

    Setting               Choice                  Description
    Kubernetes namespace  default                 The namespace in the cluster where you need the connection.
    Service type          Key Vault (enable CSI)  Choose Key Vault as the target service type and check the option to enable CSI.
    Connection name       keyvault_conn           Use the connection name provided by Service Connector or choose your own connection name.
    Subscription          <MySubscription>        The subscription for your Azure Key Vault target service.
    Key vault             <MyKeyVault>            The target key vault you want to connect to.
    Client type           Python                  The code language or framework you use to connect to the target service.
  3. Once the connection has been created, the Service Connector page displays information about the new connection.

    Screenshot of the Azure portal, viewing kubernetes resources created by Service Connector.

Test the connection

  1. Clone the sample repository:

    git clone https://github.com/Azure-Samples/serviceconnector-aks-samples.git
    
  2. Go to the repository's sample folder for Azure Key Vault:

    cd serviceconnector-aks-samples/azure-keyvault-csi-provider
    
  3. Replace the placeholders in the secret_provider_class.yaml file in the azure-keyvault-csi-provider folder. All of these values are shown on the Service Connector page of your cluster in the Azure portal.

    • Replace <AZURE_KEYVAULT_NAME> with the name of the key vault you created and connected.
    • Replace <AZURE_KEYVAULT_TENANTID> with the tenant ID of the key vault.
    • Replace <AZURE_KEYVAULT_CLIENTID> with the client ID of the identity used by the azureKeyvaultSecretsProvider add-on.
    • Replace <KEYVAULT_SECRET_NAME> with the name of the key vault secret you created, for example ExampleSecret.
  4. Deploy the Kubernetes resources to your cluster with the kubectl apply command. Install kubectl locally using the az aks install-cli command if it isn't installed.

    1. Deploy the SecretProviderClass CRD.

        kubectl apply -f secret_provider_class.yaml
    
    2. Deploy the pod. The command creates a pod named sc-demo-keyvault-csi in the default namespace of your AKS cluster.

        kubectl apply -f pod.yaml
    
  5. Check that the deployment succeeded by viewing the pod with kubectl.

    kubectl get pod/sc-demo-keyvault-csi
    
  6. After the pod starts, the mounted content at the volume path specified in your deployment YAML is available. Use the following commands to validate your secrets and print a test secret.

    • Show the secrets held in the secrets store using the following command.

        kubectl exec sc-demo-keyvault-csi -- ls /mnt/secrets-store/
    
    • Display a secret in the store using the following command. This example command shows the test secret ExampleSecret.

        kubectl exec sc-demo-keyvault-csi -- cat /mnt/secrets-store/ExampleSecret
    
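The two places this procedure usually goes wrong are a placeholder left unreplaced in secret_provider_class.yaml and a secret name that does not match what the pod later looks for under /mnt/secrets-store. The script below is an added example, not code from this tutorial or from the Azure-Samples repository: it builds a SecretProviderClass for the Azure Key Vault provider from the three values Service Connector shows (vault name, tenant ID, add-on identity client ID), refuses to emit a manifest that still contains a <PLACEHOLDER> or a malformed ID, and reads a mounted secret the way a Python client in the pod would. The manifest layout follows the Azure Key Vault provider's documented parameters (useVMManagedIdentity, userAssignedIdentityID, keyvaultName, tenantId, objects); the SecretProviderClass name azure-kv-secrets, the GUIDs and the secret value are constructed sample values, and the sample repository's own YAML may be laid out differently.

```python
"""Added example: render and pre-check a SecretProviderClass for the Azure Key
Vault CSI provider, then read a mounted secret. Not part of the tutorial."""
import os
import re
import tempfile
from pathlib import Path

# Constructed sample values; the GUIDs are made up and are not real Azure IDs.
SAMPLE_KEYVAULT_NAME = "MyKeyVault"
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_SECRET_NAMES = ["ExampleSecret"]

PLACEHOLDER_RE = re.compile(r"<[A-Z_]+>")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Key Vault names: 3-24 letters, digits or hyphens, starting with a letter.
KEYVAULT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{2,23}$")


def find_placeholders(text):
    """Return every unreplaced <PLACEHOLDER> token in a manifest, in order."""
    return PLACEHOLDER_RE.findall(text)


def render_secret_provider_class(keyvault_name, tenant_id, client_id,
                                 secret_names, name="azure-kv-secrets"):
    """Render a SecretProviderClass that uses the add-on's user-assigned
    identity (the client ID the tutorial takes from Service Connector).
    Raises ValueError instead of emitting a manifest that cannot work."""
    if not KEYVAULT_NAME_RE.match(keyvault_name):
        raise ValueError(f"invalid key vault name: {keyvault_name!r}")
    for label, value in (("tenant ID", tenant_id), ("client ID", client_id)):
        if not GUID_RE.match(value):
            raise ValueError(f"{label} is not a GUID: {value!r}")
    if not secret_names:
        raise ValueError("at least one secret name is required")
    # In the provider's schema `objects` is a YAML string that itself holds
    # a YAML array, hence the nested block scalars.
    objects = "".join(
        f"        - |\n          objectName: {n}\n          objectType: secret\n"
        for n in secret_names
    )
    manifest = (
        "apiVersion: secrets-store.csi.x-k8s.io/v1\n"
        "kind: SecretProviderClass\n"
        f"metadata:\n  name: {name}\n"
        "spec:\n  provider: azure\n  parameters:\n"
        '    usePodIdentity: "false"\n'
        '    useVMManagedIdentity: "true"\n'
        f"    userAssignedIdentityID: {client_id}\n"
        f"    keyvaultName: {keyvault_name}\n"
        f"    tenantId: {tenant_id}\n"
        "    objects: |\n      array:\n" + objects
    )
    leftovers = find_placeholders(manifest)
    if leftovers:
        raise ValueError(f"unreplaced placeholders: {leftovers}")
    return manifest


def read_mounted_secret(mount_dir, secret_name):
    """Read one secret the CSI driver mounted as a file (e.g. under
    /mnt/secrets-store). Returns None when the file is absent, which is what
    a wrong objectName or an unmounted volume looks like from inside the pod."""
    path = Path(mount_dir) / secret_name
    if not path.is_file():
        return None
    # The driver writes the value verbatim, so do not strip it.
    return path.read_text(encoding="utf-8")


def demo():
    """Stand-in for the pod: write a constructed secret file into a temporary
    'mount' directory and read it back through read_mounted_secret()."""
    mount = tempfile.mkdtemp(prefix="secrets-store-")
    with open(os.path.join(mount, "ExampleSecret"), "w", encoding="utf-8") as fh:
        fh.write("MyAKSExampleSecret")  # constructed value, mirrors the tutorial
    return read_mounted_secret(mount, "ExampleSecret")


if __name__ == "__main__":
    print(render_secret_provider_class(SAMPLE_KEYVAULT_NAME, SAMPLE_TENANT_ID,
                                       SAMPLE_CLIENT_ID, SAMPLE_SECRET_NAMES))
    print("mounted secret:", demo())
```

Run it before `kubectl apply`: a ValueError from render_secret_provider_class means the manifest would have been rejected by the provider or would have authenticated with the wrong identity, and a None from read_mounted_secret inside the pod means the objectName in the class and the path the application reads do not agree.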

Clean up resources

If you don't need to reuse the resources you've created in this tutorial, delete all the resources you created by deleting your resource group.

az group delete \
    --resource-group MyResourceGroup

Next steps

Read the following articles to learn more about Service Connector concepts and how it helps AKS connect to services.