Share via

AKS - Keyvault Integration: Can I use mounted secrets volume with .Net Core configuration

Anonymous
2020-08-19T04:51:36.603+00:00

Hi
I have an ASP Net Core 3.1 application hosted in a container in AKS. I want it to be able to access secrets and certificates stored in Keyvault.
I was able to follow this guide successfully all the way to being able to checking that the secret is successfully in the secret volume.
https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes

But now what? Do I need to access this secret as a file stored on the file directory from my ASP Net Core application? or is there a way to hook this up to Configuration the way we usually do without AKS so that accessing Keyvault secrets is seamless?

Also, I'm unclear if after following this guide, the secrets are only loaded from Keyvault once, and stored, or will they automatically get updated if the secret is changed in Keyvault.

Thanks
Sam

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,452 questions
Azure Kubernetes Service
Azure Kubernetes Service
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,457 questions
Accepted answer
  1. prmanhas-MSFT 17,946 Reputation points Microsoft Employee Moderator
    2020-08-19T11:34:45.623+00:00

    @Anonymous Using the pod identity project enables authentication against supporting Azure services. For your own services or applications without managed identities for Azure resources, you can still authenticate using credentials or keys. Key vault can be used to store these secret contents.

    When applications need a credential, they communicate with the digital vault, retrieve the latest secret contents, and then connect to the required service. The simplified workflow for retrieving a credential from Azure Key Vault using pod managed identities is shown in the following diagram:

    18749-image.png

    With Key Vault, you store and regularly rotate secrets such as credentials, storage account keys, or certificates. You can integrate Azure Key Vault with an AKS cluster using the Azure Key Vault provider for the Secrets Store CSI Driver. The Secrets Store CSI driver enables the AKS cluster to natively retrieve secret contents from Key Vault and securely provide them only to the requesting pod. You can use a pod managed identity to request access to Key Vault and retrieve the secret contents needed through the Secrets Store CSI Driver.

    You can read more about it here.

    Your application can directly access the Secrets via Application since Managed Identity enable the application to have required access.

    Fetching secret from Keyvault is dynamic process so whever you update secret it will be updated in mounted volume.

    Hope it helps!!!

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.