This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 9%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAF%3C/text%3E%3C/svg%3E)
Good morning.
I'm trying to connect a kubernetes cluster running on prem in our DC with Azure's key vault and container registry.
I cannot find any exhaustive documentation on how to do that (everything revolves around AKS).
Is it possible to achieve what I'm after?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 35%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Andrea Florio ,this should be possible if you are able to create a cloud identity as well for you k8s cluster on-prem..
The below links can be helpful to implement the same.
ACR => https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli
KV => https://github.com/Azure/secrets-store-csi-driver-provider-azure
Hello,
i am bit new to azure, so i apologize if the question looks dumb..
i don't see any reference to a "cloud" identity , but only to AD identity, service principal or Managed identity ..
@Andrea Florio , what I mean by cloud identity is that the AKS cluster must have a corresponding identity in Azure AD to be able to authenticate with ACR and store secrets in Azure Key Vault. Since your k8s cluster is on-prem, it has an on-prem identity, and not any Azure AD identity. So creation of Azure AD identity is required to implement your requirement.
@Andrea Florio , hope my answer helped? please do accept as answer if you found the information useful, and don't hesitate to reach out for any queries.
Hello,
the answer gives me a direction but i'm struggling to understand how i create the identity and assign it to the on prem cluster.
I have asked help internally to my team handling most of the azure stuff but i haven't got anything back from them yet making me think they don't know how to do it either.
the reason why i didn't accept it as an answer yet, is because, i haven't been able to implement it and get a valid result yet
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 57.99999999999999%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBL%3C/text%3E%3C/svg%3E)
Hi @Andrea Florio ,
I'm also looking into do something like that. I have not tried this yet but this may be able to help you a little more:
Is your on-prem synched with Azure AD?
I believe you may need to do something like this: https://learn.microsoft.com/en-us/answers/questions/523856/how-to-use-vms-with-azuread.html
Than will depend on the VM/Server OS. is Your k8 running on Linux?: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-arm
Once the identity is installed you should be able to see it when creating a Vault Policy.
Case it becomes to hard, you can drop that approach and try to use an Azure Service Principal :
https://dev.to/azure/azure-tip-how-to-get-your-kubernetes-cluster-service-principal-and-use-it-to-access-other-azure-services-2735
Once you have k8 with Service Principal, you just need to create a vault policy for the service principal