Azure Key Vault with Managed Identities on Kubernetes

    1. Log in to Azure and set the default subscription

    2. Create an Azure Key Vault in a region

    3. Create the managed identity (optional)

      This step is required only if the AKS cluster was provisioned without the flag "--enable-managed-identity". If the cluster was provisioned with managed identity, it is suggested to use the autogenerated managed identity that is associated with the resource group MC_*.

      $identity = az identity create -g [your resource group] -n [your managed identity name] -o json | ConvertFrom-Json

      Below is the command to retrieve the managed identity in the autogenerated scenario:

      az aks show -g <AKSResourceGroup> -n <AKSClusterName>

      For more detail about the roles to assign when integrating AKS with Azure services, see Role Assignment.

    4. The two main scenarios are:

      • Service Principal: in this case the resource group is the one in which the AKS cluster is deployed
      • Managed Identity: in this case the resource group is the one in which the AKS cluster is deployed

      $clientId = az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query identityProfile.kubeletidentity.clientId -o tsv
    5. Assign the Reader role to the managed identity

      For an AKS cluster, the cluster resource group refers to the resource group with the MC_ prefix, which contains all of the infrastructure resources associated with the cluster, such as the VM/VMSS.

      az role assignment create --role "Reader" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
    6. Add a policy to the Key Vault so the managed identity can read secrets

    7. Enable AAD Pod Identity on AKS

      kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
      kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/mic-exception.yaml
    8. Save the following YAML (two documents in one file) as azure-identity-config.yaml:

      apiVersion: "aadpodidentity.k8s.io/v1"
      kind: AzureIdentity
      metadata:
        name: [your managed identity name]
      spec:
        type: 0   # 0 = user-assigned managed identity
        resourceID: [your managed identity id]
        clientID: [your managed identity Client ID]
      ---
      apiVersion: "aadpodidentity.k8s.io/v1"
      kind: AzureIdentityBinding
      metadata:
        name: [your managed identity name]-identity-binding
      spec:
        azureIdentity: [your managed identity name]
        selector: [your managed identity selector]   # pods carrying the label aadpodidbinding=<selector> get this identity
    9. Deploy the azure-identity-config.yaml:

      kubectl apply -f azure-identity-config.yaml
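    The identity wiring of steps 3 to 6, as an added PowerShell example that is not part of the original page: it uses only Azure CLI commands, takes the kubelet identity of a cluster created with --enable-managed-identity, derives the MC_* scope from the cluster itself instead of guessing it, grants only get/list on secrets, and reads the policy back as a check. The resource group, cluster and vault names are placeholders to replace.

```powershell
$ErrorActionPreference = 'Stop'

# Placeholders: replace with your own names (assumed, not from the page).
$aksResourceGroup = '[your AKS resource group]'
$aksClusterName   = '[your AKS cluster name]'
$keyVaultName     = '[your key vault name]'
$subscriptionId   = az account show --query id -o tsv

# Steps 3/4: the kubelet identity of a cluster created with
# --enable-managed-identity; read both its client ID and object ID.
$kubelet = az aks show -g $aksResourceGroup -n $aksClusterName `
    --query identityProfile.kubeletidentity -o json | Out-String | ConvertFrom-Json
$clientId = $kubelet.clientId
$objectId = $kubelet.objectId

# The MC_* infrastructure resource group is reported by the cluster itself,
# so its name does not have to be guessed.
$nodeResourceGroup = az aks show -g $aksResourceGroup -n $aksClusterName `
    --query nodeResourceGroup -o tsv
$scope = "/subscriptions/$subscriptionId/resourceGroups/$nodeResourceGroup"

# Step 5: Reader on the MC_* group, created only if it is not already there
# so the script can be re-run safely.
$existing = az role assignment list --assignee $clientId --scope $scope `
    --role Reader -o json | Out-String | ConvertFrom-Json
if (-not $existing) {
    az role assignment create --role Reader --assignee $clientId --scope $scope | Out-Null
}

# Step 6: the access policy grants only get/list on secrets, keyed on the
# object ID so it does not depend on resolving the client ID.
az keyvault set-policy --name $keyVaultName --object-id $objectId `
    --secret-permissions get list | Out-Null

# Check: read the policy back and fail loudly if it is missing.
$vault  = az keyvault show --name $keyVaultName -o json | Out-String | ConvertFrom-Json
$policy = $vault.properties.accessPolicies | Where-Object { $_.objectId -eq $objectId }
if (-not $policy) { throw "No access policy for object id $objectId on $keyVaultName" }

Write-Host "Kubelet client ID : $clientId"
Write-Host "Reader scope      : $scope"
Write-Host "Secret permissions: $($policy.permissions.secrets -join ', ')"
```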

    In Kubernetes mode, you store the certificate for the service principal in the Kubernetes Secret Store and then enable the Azure Key Vault secret store with this certificate from the Kubernetes secret store.

    1. Create azurekeyvault.yaml component file

      The component YAML uses the name of your key vault and the Client ID of the managed identity to set up the secret store.

    2. Apply azurekeyvault.yaml component

      kubectl apply -f azurekeyvault.yaml