![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 76%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,118 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 74%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Hello Rajesh Jaladi,
Welcome to microsoft Q&A, Thankyou for posting your query here.
Your SecretProviderClass configuration looks generally correct, mapping Azure Key Vault secrets to file paths.
To use them as environment variables,you need to enable the syncing of secrets to Kubernetes secrets.
SecretProviderClass.yml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: secretProviderClass
metadata:
name: azure-kv-name
spec:
provider: azure
parameters:
usePodIdentity: "true"
clientID: <redacted>
keyvaultName: <redacted>
objects: |
array:
- |
objectName: AZURE-CLIENT-ID
objectType: string
objectAlias: AZURE_CLIENT_ID
- |
objectName: AZURE-CLIENT-SECRET
objectType: string
objectAlias: AZURE_CLIENT_SECRET
- |
objectName: EXAMPLESECRET
objectType: secret
objectAlias: EXAMPLESECRET
- |
objectName: POSTGRES-HOST
objectType: secret
objectAlias: POSTGRES_HOST
- |
objectName: POSTGRES-PORT
objectType: secret
objectAlias: POSTGRES_PORT
- |
objectName: POSTGRES-USER
objectType: secret
objectAlias: POSTGRES_USER
- |
objectName: POSTGRES-PASSWORD
objectType: secret
objectAlias: POSTGRES_PASSWORD
tenantId: <redacted>
secretObjects:
- secretName: azure-secrets
type: Opaque
data:
- key: AZURE_CLIENT_ID
objectName: AZURE_CLIENT_ID
- key: AZURE_CLIENT_SECRET
objectName: AZURE_CLIENT_SECRET
- key: EXAMPLESECRET
objectName: EXAMPLESECRET
- key: POSTGRES_HOST
objectName: POSTGRES_HOST
- key: POSTGRES_PORT
objectName: POSTGRES_PORT
- key: POSTGRES_USER
objectName: POSTGRES_USER
- key: POSTGRES_PASSWORD
objectName: POSTGRES_PASSWORD
In your deployment YAML, the environment variable references should be adjusted to reference the Kubernetes secret created by the CSI driver
deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: backstage
namespace: backstage-dev
spec:
replicas: 1
selector:
matchLabels:
app: backstage
template:
metadata:
labels:
app: backstage
spec:
imagePullSecrets:
- name: <redacted>
containers:
- name: backstage
image: <redacted>
env:
- name: AZURE_CLIENT_ID
valueFrom:
secretKeyRef:
name: azure-secrets
key: AZURE_CLIENT_ID
- name: AZURE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: azure-secrets
key: AZURE_CLIENT_SECRET
- name: EXAMPLESECRET
valueFrom:
secretKeyRef:
name: azure-secrets
key: EXAMPLESECRET
Hope this helps you.
If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!