Azure Key Vault secret store

To setup Azure Key Vault secret store create a component of type . See on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.

See also guide in this page.

Warning

The above example uses secrets as plain strings. It is recommended to use a local secret store such as or a local file to bootstrap secure key storage.

Authenticating with Azure AD

The Azure Key Vault secret store component supports authentication with Azure AD only. Before you enable this component, make sure you’ve read the Authenticating to Azure document and created an Azure AD application (also called Service Principal). Alternatively, make sure you have created a managed identity for your application platform.

Additionally, you must provide the authentication fields as explained in the document.

Create the Azure Key Vault and authorize the Service Principal

  • Azure CLI
  • The scripts below are optimized for a bash or zsh shell

Make sure you have followed the steps in the Authenticating to Azure document to create an Azure AD application (also called Service Principal). You will need the following values:

  • SERVICE_PRINCIPAL_ID: the ID of the Service Principal that you created for a given application

Steps

  1. Set a variable with the Service Principal that you created:
  1. SERVICE_PRINCIPAL_ID="[your_service_principal_object_id]"
  1. Set a variable with the location where to create all resources:
  1. LOCATION="[your_location]"

(You can get the full list of options with: az account list-locations --output tsv)

  1. Create a Resource Group, giving it any name you’d like:
  1. RG_NAME="[resource_group_name]"
  2. RG_ID=$(az group create \
  3.   --name "${RG_NAME}" \
  4.   --location "${LOCATION}" \
  5.   | jq -r .id)
  1. Create an Azure Key Vault (that uses Azure RBAC for authorization):
  1. KEYVAULT_NAME="[key_vault_name]"
  2. az keyvault create \
  3.   --name "${KEYVAULT_NAME}" \
  4.   --enable-rbac-authorization true \
  5.   --resource-group "${RG_NAME}" \
  6.   --location "${LOCATION}"
  1. Using RBAC, assign a role to the Azure AD application so it can access the Key Vault.
    In this case, assign the “Key Vault Crypto Officer” role, which has broad access; other more restrictive roles can be used as well, depending on your application.

To use a client secret, create a file called azurekeyvault.yaml in the components directory, filling in with the Azure AD application that you created following the Authenticating to Azure document:

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4.   name: azurekeyvault
  5.   namespace: default
  6. spec:
  7.   type: secretstores.azure.keyvault
  8.   version: v1
  9.   metadata:
  10.   - name: vaultName
  11.     value: "[your_keyvault_name]"
  12.   - name: azureTenantId
  13.     value: "[your_tenant_id]"
  14.   - name: azureClientId
  15.     value: "[your_client_id]"
  16.   - name: azureClientSecret
  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4.   name: azurekeyvault
  6. spec:
  7.   type: secretstores.azure.keyvault
  8.   version: v1
  9.   metadata:
  10.   - name: vaultName
  11.     value: "[your_keyvault_name]"
  12.   - name: azureTenantId
  13.     value: "[your_tenant_id]"
  14.   - name: azureClientId
  15.     value: "[your_client_id]"
  16.   - name: azureCertificateFile
  17.     value : "[pfx_certificate_file_fully_qualified_local_path]"

In Kubernetes, you store the client secret or the certificate into the Kubernetes Secret Store and then refer to those in the YAML file. You will need the details of the Azure AD application that was created following the document.

To use a client secret:

  1. Create a Kubernetes secret using the following command:

    1. kubectl create secret generic [your_k8s_secret_name] --from-literal=[your_k8s_secret_key]=[your_client_secret]
    • [your_client_secret] is the application’s client secret as generated above
    • [your_k8s_secret_name] is secret name in the Kubernetes secret store
    • [your_k8s_secret_key] is secret key in the Kubernetes secret store

  2. Create an azurekeyvault.yaml component file.

    The component yaml refers to the Kubernetes secretstore using auth property and secretKeyRef refers to the client secret stored in the Kubernetes secret store.

    1. apiVersion: dapr.io/v1alpha1
    2. kind: Component
    3. metadata:
    4.   name: azurekeyvault
    5.   namespace: default
    6. spec:
    7.   type: secretstores.azure.keyvault
    8.   version: v1
    9.   metadata:
    10.   - name: vaultName
    11.     value: "[your_keyvault_name]"
    12.   - name: azureTenantId
    13.     value: "[your_tenant_id]"
    14.   - name: azureClientId
    15.     value: "[your_client_id]"
    16.   - name: azureClientSecret
    17.     secretKeyRef:
    18.       name: "[your_k8s_secret_name]"
    19.       key: "[your_k8s_secret_key]"
    20. auth:
    21.   secretStore: kubernetes

  3. Apply the azurekeyvault.yaml component:

To use a certificate:

  1. Create a Kubernetes secret using the following command:

    1. kubectl create secret generic [your_k8s_secret_name] --from-file=[your_k8s_secret_key]=[pfx_certificate_file_fully_qualified_local_path]
    • [pfx_certificate_file_fully_qualified_local_path] is the path of PFX file you obtained earlier
    • [your_k8s_secret_name] is secret name in the Kubernetes secret store
    • is secret key in the Kubernetes secret store

  2. Apply the azurekeyvault.yaml component:

    1. kubectl apply -f azurekeyvault.yaml

To use Azure managed identity:

  1. Ensure your AKS cluster has managed identity enabled and follow the guide for using managed identities.

  2. Create an azurekeyvault.yaml component file.

    The component yaml refers to a particular KeyVault name. The managed identity you will use in a later step must be given read access to this particular KeyVault instance.

    1. apiVersion: dapr.io/v1alpha1
    2. kind: Component
    3. metadata:
    4.   name: azurekeyvault
    5.   namespace: default
    6. spec:
    7.   type: secretstores.azure.keyvault
    8.   version: v1
    9.   metadata:
    10.   - name: vaultName
    11.     value: "[your_keyvault_name]"

  3. Apply the azurekeyvault.yaml component:

  4. Create and use a managed identity / pod identity by following . After creating an AKS pod identity, give this identity read permissions on your desired KeyVault instance, and finally in your application deployment inject the pod identity via a label annotation:

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4.   name: mydaprdemoapp
  5.   labels:

References