User-assigned Managed Identity
Examples
SecretProviderClass
# This is a SecretProviderClass example using user-assigned identity to access Key Vault
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: azure-kvname-user-msi
spec:
provider: azure
parameters:
usePodIdentity: "false"
useVMManagedIdentity: "true"
userAssignedIdentityID: "<client id of user assigned identity>"
keyvaultName: "kvname"
cloudName: "" # [OPTIONAL for Azure] if not provided, azure environment will default to AzurePublicCloud
objects: |
array:
- |
objectName: secret1
objectType: secret # object types: secret, key or cert
objectVersion: "" # [OPTIONAL] object versions, default to latest if empty
- |
objectName: key1
objectType: key
objectVersion: ""
tenantID: "tid" # the tenant ID of the KeyVault
Podyaml
# This is a sample pod definition for using SecretProviderClass and user-assigned identity to access Key Vault
kind: Pod
apiVersion: v1
metadata:
name: busybox-secrets-store-inline-user-msi
spec:
containers:
- name: busybox
image: registry.k8s.io/e2e-test-images/busybox:1.29-4
command:
- "/bin/sleep"
- "10000"
volumeMounts:
- name: secrets-store01-inline
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: secrets-store01-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "azure-kvname-user-msi"
Configure User-assigned Managed Identity to access Keyvault
In AKS you can use the User-assigned Kubelet managed identity (doesn’t support BYO today) or create your own user-assigned managed identity as described below.
You can create an AKS cluster with managed identities now and then skip steps 1 and 2. To get the
clientIDof the managed identity, run the following command:az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.clientId -o tsv
Create Azure User-assigned Managed Identity
az identity create -g <RESOURCE GROUP> -n <IDENTITY NAME>Assign Azure User-assigned Managed Identity to VM/VMSS
For VMSS:
az vmss identity assign -g <RESOURCE GROUP> -n <K8S-AGENT-POOL-VMSS> --identities <USER ASSIGNED IDENTITY RESOURCE ID>If the cluster is using
AvailabilitySet, then assign the identity to each of the VM instances:az vm identity assign -g <RESOURCE GROUP> -n <K8S-AGENT-POOL-VM> --identities <USER ASSIGNED IDENTITY RESOURCE ID>Grant User-assigned Managed Identity permission to access Keyvault
Ensure that your User-assigned Managed Identity has the role assignments required to access content in keyvault instance. Run the following Azure CLI commands to assign the roles if required:
# set policy to access keys in your Keyvault az keyvault set-policy -n $KEYVAULT_NAME --key-permissions get --spn <USER-ASSIGNED MANAGED IDENTITY CLIENTID> # set policy to access secrets in your Keyvault az keyvault set-policy -n $KEYVAULT_NAME --secret-permissions get --spn <USER-ASSIGNED MANAGED IDENTITY CLIENTID> # set policy to access certs in your Keyvault az keyvault set-policy -n $KEYVAULT_NAME --certificate-permissions get --spn <USER-ASSIGNED MANAGED IDENTITY CLIENTID>NOTE: If you are using the
objectVersionHistoryfunctionality, then the identity will also need the list permission:# set policy to access keys in your Keyvault az keyvault set-policy -n $KEYVAULT_NAME --key-permissions get,list --spn <USER-ASSIGNED MANAGED IDENTITY CLIENTID> # set policy to access secrets in your Keyvault az keyvault set-policy -n $KEYVAULT_NAME --secret-permissions get,list --spn <USER-ASSIGNED MANAGED IDENTITY CLIENTID> # set policy to access certs in your Keyvault az keyvault set-policy -n $KEYVAULT_NAME --certificate-permissions get,list --spn <USER-ASSIGNED MANAGED IDENTITY CLIENTID>Deploy your application. Specify
useVMManagedIdentitytotrueand provideuserAssignedIdentityID.useVMManagedIdentity: "true" userAssignedIdentityID: "<client id of the managed identity>"
Pros
- Supported on both Windows and Linux.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.