
How to access Azure Key Vault (AKV) from Azure Kubernetes Service (AKS) using Managed Identities

We have some dotnet Core App Services running on Azure and using Azure Key Vault with Managed Identities.

I am planning to deploy these dotnet Core services to Azure Kubernetes, but I haven't found any relevant document/support for using AKV with Kubernetes Services. Any guidance or references?

There are a couple of options to access KV from AKS:

  • Use Azure Key Vault with FlexVol (deprecated; continue to use this for Kubernetes version 1.15)

    With Key Vault, you store and regularly rotate secrets such as credentials, storage account keys, or certificates. You can integrate Azure Key Vault with an AKS cluster using a FlexVolume. The FlexVolume driver lets the AKS cluster natively retrieve credentials from Key Vault and securely provide them only to the requesting pod. Work with your cluster operator to deploy the Key Vault FlexVol driver onto the AKS nodes. You can use a pod managed identity to request access to Key Vault and retrieve the credentials you need through the FlexVolume driver.

    Azure Key Vault with FlexVol is intended for use with applications and services running on Linux pods and nodes.

  • Use Azure Key Vault Provider for Secrets Store CSI Driver (for Kubernetes 1.16+)

    Azure Key Vault provider for Secrets Store CSI driver allows you to get secret contents stored in an Azure Key Vault instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.

  • Use pod managed identities

    A managed identity for Azure resources lets a pod authenticate itself against any service in Azure that supports it, such as Storage or SQL. The pod is assigned an Azure Identity that lets it authenticate to Azure Active Directory and receive a digital token. This digital token can be presented to other Azure services, which check whether the pod is authorized to access the service and perform the required actions. This approach means that no secrets are required for database connection strings, for example.

I found the pod identity approach easier as you don't need to change your code.
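As an added illustration of the second option above (not part of the original answer), here is a SecretProviderClass for the Azure Key Vault provider of the Secrets Store CSI driver together with a pod that mounts one secret from it as a read-only file, authenticating with the pod's managed identity. The vault name, tenant id, secret name, image and identity binding label are placeholders.

```yaml
# Added example: Azure Key Vault provider for Secrets Store CSI driver.
# Placeholders: my-keyvault, <tenant-id>, DbConnectionString, image, binding label.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: akv-dotnet-secrets
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"        # use the pod's managed identity (aad-pod-identity), no client secret in the cluster
    keyvaultName: "my-keyvault"   # placeholder: vault the pod identity has "get" permission on
    tenantId: "<tenant-id>"       # placeholder: Azure AD tenant of the vault
    objects: |
      array:
        - |
          objectName: DbConnectionString   # placeholder: secret name in the vault
          objectType: secret
---
apiVersion: v1
kind: Pod
metadata:
  name: dotnet-api
  labels:
    aadpodidbinding: dotnet-api-identity   # placeholder: selector of the AzureIdentityBinding
spec:
  containers:
    - name: app
      image: myregistry.azurecr.io/dotnet-api:1.0   # placeholder image
      volumeMounts:
        - name: akv-secrets
          mountPath: /mnt/secrets-store   # the app reads /mnt/secrets-store/DbConnectionString
          readOnly: true
  volumes:
    - name: akv-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: akv-dotnet-secrets
```

The secret content is delivered only to this pod's filesystem and is not written into a Kubernetes Secret object unless you additionally configure secretObjects syncing.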
