Identity Access Modes

The Azure Key Vault Provider offers four modes for accessing a Key Vault instance

Best Practices

Following order of access modes is recommended for Secret Store CSI driver AKV provider:

Access OptionComment
Pod IdentityThis is the most secure way to get access to Azure resources (AKV in this case) as it uses the managed identity bound to the Pod.
Managed Identities (System-assigned and User-assigned)Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to Azure Keyvault.
Service PrincipalThis is the last option to consider while connecting to AKV as access credentials need to be created as Kubernetes Secret and stored in plain text in etcd.
Also, this is the only option to connect to Azure resources from non Azure environment/cluster.

Service Principal

Use a Service Principal to access Keyvault.

Pod Identity

Use Pod Identity to access Keyvault.

User-assigned Managed Identity

Use a User-assigned Managed Identity to access Keyvault.

System-assigned Managed Identity

Use a System-assigned Managed Identity to access Keyvault.