I have an Asp.Net Core application that is configured to connect to Azure KeyVault using Visual Studio 2019 Connected Services:
https://docs.microsoft.com/en-us/azure/key-vault/general/vs-key-vault-add-connected-service
I containerized the application with Docker and deployed it into Kubernetes as a Pod. The KeyVault connection is not working, probably because the Managed Identity is not set up.
I tried:
I wonder if the "Azure Key Vault provider for the Secrets Store CSI driver on Kubernetes" is the right way to use KeyVault from a pod, or if there is a simpler solution like a direct connection.
The solution, for whoever is in my situation, is to use AAD-Pod Identity
There is no need to attach a CSI Driver unless you need the Secrets in the Kubernetes configuration, want total control on custom configurations, or have the cluster outside Azure.
For Asp.Net Core applications deployed to AKS, the easiest way is to use Managed Identities, and to provide that to your Kubernetes Cluster you need AAD-Pod Identity.
There is not a documentation page yet, but following the Get Started instructions on GitHub is enough to get it going.
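The application side of that setup, as an added example that is not part of the original answer and not the code the VS 2019 Connected Services wizard generates: a `Program.cs` that loads Key Vault secrets into ASP.NET Core configuration through the managed identity that AAD Pod Identity exposes to the pod. It assumes the `Azure.Identity` and `Azure.Extensions.AspNetCore.Configuration.Secrets` NuGet packages, a configuration key `KeyVault:Name` (for example the `KeyVault__Name` environment variable in the pod spec), an optional `AZURE_CLIENT_ID` environment variable, and a secret named `SampleSecret` in the vault; all of those names are assumptions for the example.

```csharp
// Added example (not from the original post). Packages assumed: Azure.Identity,
// Azure.Extensions.AspNetCore.Configuration.Secrets. Targets ASP.NET Core 3.1 / .NET 5.
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

namespace KeyVaultPodDemo
{
    public static class Program
    {
        public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration((context, config) =>
                {
                    // Settings loaded so far: appsettings.json, environment variables, args.
                    IConfigurationRoot bootstrap = config.Build();
                    string vaultName = bootstrap["KeyVault:Name"]   // assumed config key
                        ?? throw new InvalidOperationException("KeyVault:Name is not configured.");

                    // Every secret in the vault becomes a configuration key; a secret named
                    // "ConnectionStrings--Default" maps to "ConnectionStrings:Default".
                    config.AddAzureKeyVault(
                        new Uri($"https://{vaultName}.vault.azure.net/"),
                        BuildCredential(context.HostingEnvironment));
                })
                .ConfigureWebHostDefaults(web => web.UseStartup<Startup>());

        // Inside AKS, AAD Pod Identity's NMI intercepts the IMDS token endpoint that
        // ManagedIdentityCredential calls, so no client secret or certificate is baked
        // into the image. On a developer machine the Visual Studio / Azure CLI sign-in
        // is used instead via DefaultAzureCredential.
        private static TokenCredential BuildCredential(IHostEnvironment env)
        {
            // Optional: selects a specific user-assigned identity when several are bound.
            string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");

            if (env.IsDevelopment())
            {
                return new DefaultAzureCredential(new DefaultAzureCredentialOptions
                {
                    ManagedIdentityClientId = clientId,
                });
            }

            // Production: managed identity only. If the pod identity binding is missing,
            // startup fails loudly rather than silently using developer credentials.
            return clientId is null
                ? new ManagedIdentityCredential()
                : new ManagedIdentityCredential(clientId);
        }
    }

    public class Startup
    {
        private readonly IConfiguration _configuration;

        public Startup(IConfiguration configuration) => _configuration = configuration;

        public void ConfigureServices(IServiceCollection services) { }

        public void Configure(IApplicationBuilder app)
        {
            app.UseRouting();
            app.UseEndpoints(endpoints =>
            {
                // Reports only whether the secret was loaded; never echo secret values
                // from an HTTP endpoint.
                endpoints.MapGet("/health/keyvault", async ctx =>
                {
                    bool loaded = _configuration["SampleSecret"] != null; // assumed secret name
                    ctx.Response.StatusCode = loaded ? StatusCodes.Status200OK
                                                     : StatusCodes.Status503ServiceUnavailable;
                    await ctx.Response.WriteAsync(loaded ? "key vault ok" : "key vault secret missing");
                });
            });
        }
    }
}
```

For this to work in the cluster, the pod must carry the `aadpodidbinding` label whose value matches the `selector` of an `AzureIdentityBinding` created as described in the aad-pod-identity Get Started instructions, and the identity referenced by the matching `AzureIdentity` needs a Key Vault access policy granting at least `get` (and `list`, since the configuration provider enumerates secrets). A 403 from Key Vault with a successfully issued token points at the access policy; a timeout or 404 on the token request points at the binding or the NMI.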
I managed to get a secret from the Azure key vault in my pod, using Managed Identity. Just add the .identityProfile.kubeletidentity.clientId of the AKS cluster as a Key Vault policy to read the secrets. You must set this policy through the Azure Portal, because the "az keyvault set-policy" expects the --object-id to be a principalId, I guess...