How to access keyvault data from azure kubernetes?

Uday Kiran Reddy (ureddy) 86 Reputation points
2022-03-16T11:59:49.15+00:00

I am trying to access keyvault data from aks cluster.

By following this link: https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver

The system managed identity section below link is showing for vm scale set instead of aks.
So I am trying with user managed identity section.
https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-identity-access

az aks show -g devtest-large -n devtest-large-cluster --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv  

gave me output as below value

9d0d9e08-a9f2-4085-a9d2-d61ae7624943  

So for below command template

# set policy to access keys in your key vault  
az keyvault set-policy -n <keyvault-name> --key-permissions get --spn <identity-client-id>  

Below is the value I passed, but I am getting error there.

az keyvault set-policy -n devtest-large-keyvault --key-permissions get --spn d0d9e08-a9f2-4085-a9d2-d61ae7624943  
Unable to find user with spn 'd0d9e08-a9f2-4085-a9d2-d61ae7624943'  
Unable to get object id from principal name.  
Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,148 questions
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,891 questions
0 comments No comments
{count} votes

Accepted answer
  1. shiva patpi 13,146 Reputation points Microsoft Employee
    2022-03-17T01:08:05.38+00:00

    Hello @Uday Kiran Reddy (ureddy) ,
    It seems one character is missing in your SP value ?
    As per your commands above:
    az aks show -g devtest-large -n devtest-large-cluster --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv
    Returned: 9d0d9e08-a9f2-4085-a9d2-d61ae7624943

    But in the next command : (First number '9' is missing in the below spn)

    az keyvault set-policy -n devtest-large-keyvault --key-permissions get --spn d0d9e08-a9f2-4085-a9d2-d61ae7624943

    Overall command would be:

    az keyvault set-policy -n devtest-large-keyvault --key-permissions get --spn 9d0d9e08-a9f2-4085-a9d2-d61ae7624943

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful