Tutorial: Use the Azure Key Vault provider for Secrets Store CSI Driver in an Azure Kubernetes Service (AKS) cluster
Learn how to connect to Azure Key Vault using CSI driver in an Azure Kubernetes Service (AKS) cluster with the help of Service Connector. In this tutorial, you complete the following tasks:
- Create an AKS cluster and an Azure Key Vault.
- Create a connection between the AKS cluster and the Azure Key Vault with Service Connector.
- Create a
SecretProviderClass
CRD and apod
consuming the CSI provider to test the connection. - Clean up resources.
Important
Service Connect within AKS is currently in preview. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Warning
Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
Prerequisites
- An Azure account with an active subscription. Create an account for free.
- Install the Azure CLI, and sign in to Azure CLI by using the az login command.
- Install Dockerand kubectl, to manage container image and Kubernetes resources.
- A basic understanding of container and AKS. Get started from preparing an application for AKS.
Create Azure resources
Create a resource group for this tutorial.
az group create \ --name MyResourceGroup \ --location eastus
Create an AKS cluster with the following command, or referring to the tutorial. This is the cluster where we create the service connection, pod definition and deploy the sample application to.
az aks create \ --resource-group MyResourceGroup \ --name MyAKSCluster \ --enable-managed-identity \ --node-count 1
Connect to the cluster with the following command.
az aks get-credentials \ --resource-group MyResourceGroup \ --name MyAKSCluster
Create an Azure Key Vault with the following command, or referring to the tutorial. This is the target service that is connected to the AKS cluster and the CSI driver synchronize secrets from.
az keyvault create \ --resource-group MyResourceGroup \ --name MyKeyVault \ --location EastUS
Create a secret in the Key Vault with the following command.
az keyvault secret set \ --vault-name MyKeyVault \ --name ExampleSecret \ --value MyAKSExampleSecret
Create a service connection in AKS with Service Connector (preview)
Create a service connection between an AKS cluster and an Azure Key Vault using the Azure portal or the Azure CLI.
Open your Kubernetes service in the Azure portal and select Service Connector from the left menu.
Select Create and fill in the settings as shown below. Leave the other settings with their default values.
Setting Choice Description Kubernetes namespace default The namespace where you need the connection in the cluster. Service type Key Vault (enable CSI) Choose Key Vault as the target service type and check the option to enable CSI. Connection name keyvault_conn Use the connection name provided by Service Connector or choose your own connection name. Subscription <MySubscription>
The subscription for your Azure Key Vault target service. Key vault <MyKeyVault>
The target key vault you want to connect to. Client type Python The code language or framework you use to connect to the target service. Once the connection has been created, the Service Connector page displays information about the new connection.
Test the connection
Clone the sample repository:
git clone https://github.com/Azure-Samples/serviceconnector-aks-samples.git
Go to the repository's sample folder for Azure Key Vault:
cd serviceconnector-aks-samples/azure-keyvault-csi-provider
Replace the placeholders in the
secret_provider_class.yaml
file in theazure-keyvault-csi-provider
folder.- Replace
<AZURE_KEYVAULT_NAME>
with the name of the key vault we created and connected. You may get the value from Azure portal of Service Connector. - Replace
<AZURE_KEYVAULT_TENANTID>
with the tenant ID of the key vault. You may get the value from Azure portal of Service Connector. - Replace
<AZURE_KEYVAULT_CLIENTID>
with identity client ID of theazureKeyvaultSecretsProvider
addon. You may get the value from Azure portal of Service Connector. - Replace
<KEYVAULT_SECRET_NAME>
with the key vault secret name we created, for example,ExampleSecret
- Replace
Deploy the Kubernetes resources to your cluster with the
kubectl apply
command. Installkubectl
locally using the az aks install-cli command if it isn't installed.- Deploy the
SecretProviderClass
CRD.
kubectl apply -f secret_provider_class.yaml
- Deploy the
pod
. The command creates a pod namedsc-demo-keyvault-csi
in the default namespace of your AKS cluster.
kubectl apply -f pod.yaml
- Deploy the
Check the deployment is successful by viewing the pod with
kubectl
.kubectl get pod/sc-demo-keyvault-csi
After the pod starts, the mounted content at the volume path specified in your deployment YAML is available. Use the following commands to validate your secrets and print a test secret.
- Show secrets held in the secrets store using the following command.
kubectl exec sc-demo-keyvault-csi -- ls /mnt/secrets-store/
- Display a secret in the store using the following command. This example command shows the test secret
ExampleSecret
.
kubectl exec sc-demo-keyvault-csi -- cat /mnt/secrets-store/ExampleSecret
Clean up resources
If you don't need to reuse the resources you've created in this tutorial, delete all the resources you created by deleting your resource group.
az group delete \
--resource-group MyResourceGroup
Next steps
Read the following articles to learn more about Service Connector concepts and how it helps AKS connect to services.