Using secretclass provider to use key vault from a different resource group to AKS

Question

Hello,

I am trying to access Keyvault secrets within my AKS cluster. Currently using helmdeploy task to accomplish this with secretproviderclass. There is no option to declare that the Key Vault is in a different resource group, am assuming just the name of the key vault in the values file should suffice assuming that this is at subscription scope. The helm deploy works with no errors but I still cant see my keyvault name when i use kubectl to get secrets. I am bit of a novice when it comes to integrating services. Any help is much appreciated.

Thanks & Regards
Sunny

Answer 1

Hello @Sunny ,
If the keyvault is under the same subscription and as the name of the keyvault is always unique , hence no need to mention the complete path.
You won't be able to see the keyvault name any where by using kubectl get secrets - Basically that SecretProvideClass is mainly used to mount the secrets by fetching from the keyvault either at the POD creation time as a part of ENV variables or after pod creation if the application wants to retrieve the secrets from keyvault !

Couple of examples how to retrieve the secrets from keyvault

https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver

Mounting Secrets:
https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver#sync-mounted-content-with-a-kubernetes-secret
Using Environment variables to access secrets via YAML:
https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver#sync-mounted-content-with-a-kubernetes-secret