How to access Azure KeyVault from Asp.net Core Docker container deployed in Azure Kubernetes Service (AKS) as pod?

0
votes

I have an Asp.Net Core application that is configured to connect to Azure KeyVault using Visual Studio 2019 Connected Services:

https://docs.microsoft.com/en-us/azure/key-vault/general/vs-key-vault-add-connected-service

I containerized the application with Docker and deployed it into Kubernetes as a Pod. The KeyVault connection is not working, probably because of the Managed Identity not set-up.

I tried:

  1. Added the Kubernetes agent Managed Identity to the KeyVault Acccess policies like I would do with App Services or Container Services, but does not allow the connection.
  2. Followed the docs here: https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes

I wonder if the "Azure Key Vault provider for the Secrets Store CSI driver on Kubernetes" is the right way to use KeyVault from a pod, or if there is a simpler solution like a direct connection.

2
azureasp.net-corekubernetesazure-keyvaultazure-aks

2 Answers

1
votes

The solution, for whoever is in my situation, is to use AAD-Pod Identity

There is no need to attach a CSI Driver unless you need the Secrets in the Kubernetes configuration, want total control on custom configurations, or have the cluster outside Azure.

For Asp.Net Core applications deployed to AKS, the easiest way is to use Managed Identities, and to provide that to your Kubernetes Cluster you need AAD-Pod identity.

There is not a documentation page yet, but following the Get Started instructions on GitHub is enough to get it going.

0
votes

I managed to get a secret from the Azure key vault in my pod, using Managed Identity. Just add the .identityProfile.kubeletidentity.clientId of the AKS cluster as a Key Vault policy to read the secrets. You must set this policy through the Azure Portal, because the "az keyvault set-policy" expects the --object-id to be a principalId i guess...