Identity Access Modes

The Azure Key Vault provider offers four modes for accessing a Key Vault instance.

Best Practices

The following order of access modes is recommended for the Secrets Store CSI Driver AKV provider:

| Access option | Comment |
|---|---|
| Workload Identity (Preview) | This is currently in preview. It is a secure way to access Key Vault based on Workload Identity Federation. |
| Pod Identity | This is the most secure way to get access to Azure resources (AKV in this case), as it uses the managed identity bound to the Pod. |
| Managed Identities (System-assigned and User-assigned) | Managed identities eliminate the need for developers to manage credentials. They provide an identity for applications to use when connecting to Azure Key Vault. |
| Service Principal | This is the last option to consider when connecting to AKV, as the access credentials need to be created as a Kubernetes Secret and are stored in plain text in etcd. |

Service Principal

Use a Service Principal to access Key Vault.

Workload Identity (Preview)

Use Workload Identity to access Key Vault.

Pod Identity

Use Pod Identity to access Key Vault.

User-assigned Managed Identity

Use a User-assigned Managed Identity to access Key Vault.

System-assigned Managed Identity

Use a System-assigned Managed Identity to access Key Vault.

Last modified February 16, 2022: feat: add workload identity (#778) (07b6ace)