Workload Identity
Use Workload Identity to access Keyvault.
Identity Access Modes
The Azure Key Vault Provider offers four modes for accessing a Key Vault instance
Best Practices
Following order of access modes is recommended for Secret Store CSI driver AKV provider:
| Access Option | Comment |
|---|---|
| Workload Identity [RECOMMENDED] | This is the most secure way to access Key Vault based on the Workload Identity Federation. |
| Pod Identity [NOT RECOMMENDED] | AAD Pod Identity has been DEPRECATED. This provides a way to get access to Azure resources (AKV in this case) using the managed identity bound to the Pod. |
| Managed Identities (System-assigned and User-assigned) | Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to Azure Keyvault. |
| Service Principal | This is the last option to consider while connecting to AKV as access credentials need to be created as Kubernetes Secret and stored in plain text in etcd. |
System-assigned Managed Identity
Use a System-assigned Managed Identity to access Keyvault.
User-assigned Managed Identity
Use a User-assigned Managed Identity to access Keyvault.
Service Principal
Use a Service Principal to access Keyvault.
Pod Identity
Use Pod Identity to access Keyvault.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
Last modified November 9, 2022: docs: add note about pod identity deprecation (#1018) (b31eece)