Identity Access Modes

The Azure Key Vault Provider offers four modes for accessing a Key Vault instance

Best Practices

Following order of access modes is recommended for Secret Store CSI driver AKV provider:

Access OptionComment
Workload Identity [RECOMMENDED]This is the most secure way to access Key Vault based on the Workload Identity Federation.
Pod Identity [NOT RECOMMENDED]AAD Pod Identity has been DEPRECATED.
This provides a way to get access to Azure resources (AKV in this case) using the managed identity bound to the Pod.
Managed Identities (System-assigned and User-assigned)Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to Azure Keyvault.
Service PrincipalThis is the last option to consider while connecting to AKV as access credentials need to be created as Kubernetes Secret and stored in plain text in etcd.

Workload Identity

Use Workload Identity to access Keyvault.

System-assigned Managed Identity

Use a System-assigned Managed Identity to access Keyvault.

User-assigned Managed Identity

Use a User-assigned Managed Identity to access Keyvault.

Service Principal

Use a Service Principal to access Keyvault.

Pod Identity

Use Pod Identity to access Keyvault.