Configuring workload identity to access a Key Vault using an Azure AD Application
Upgrade an existing AKS cluster with Azure Key Vault provider for Secrets Store CSI Driver support
Upgrade an existing AKS cluster with Azure Key Vault provider for Secrets Store CSI Driver capability using the az aks enable-addons command and enable the azure-keyvault-secrets-provider add-on.
az aks enable-addons --addons azure-keyvault-secrets-provider --name <myAKSCluster> --resource-group <myResourceGroup>
Replace the cluster and resource group values accordingly.
Verify the Azure Key Vault provider for Secrets Store CSI Driver installation
-
Verify that the installation is finished using the kubectl get pods command, which lists all pods with the secrets-store-csi-driver and the secrets-store-provider-azure labels in the kube-system namespace.
kubectl get pods -n kube-system -l 'app in (secrets-store-csi-driver,secrets-store-provider-azure)'
Your output should look similar to the following example output:
NAME                                     READY   STATUS    RESTARTS   AGE
aks-secrets-store-csi-driver-4vpkj       3/3     Running   2          4m25s
aks-secrets-store-csi-driver-ctjq6       3/3     Running   2          4m21s
aks-secrets-store-csi-driver-tlvlq       3/3     Running   2          4m24s
aks-secrets-store-provider-azure-5p4nb   1/1     Running   0          4m21s
aks-secrets-store-provider-azure-6pqmv   1/1     Running   0          4m24s
aks-secrets-store-provider-azure-f5qlm   1/1     Running   0          4m25s
-
Verify that each node in your cluster's node pool has a Secrets Store CSI Driver pod and a Secrets Store Provider Azure pod running.
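The per-node check above can be scripted. The following is an added example, not part of the WorkZone documentation: it parses the table printed by the kubectl get pods command (NAME, READY, STATUS, RESTARTS, AGE) and returns success only when the number of fully ready, Running driver pods and provider pods each equals the node count. The sample listing is constructed from the example output above (three nodes); the CHECK_LIVE switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example: verify that every node runs one Secrets Store CSI Driver pod
# and one Secrets Store Provider Azure pod. Not from the WorkZone docs.

# Count pods whose name starts with $1 that are Running and fully ready (x/x).
# Reads a `kubectl get pods` table on stdin and skips the header line.
count_running() {
  awk -v prefix="$1" '
    NR > 1 && index($1, prefix) == 1 && $3 == "Running" {
      split($2, ready, "/")
      if (ready[1] == ready[2]) n++
    }
    END { print n + 0 }'
}

# $1 = number of nodes, $2 = the pod listing text.
# Succeeds only if driver pods == nodes and provider pods == nodes.
check_addon_pods() {
  nodes="$1"; listing="$2"
  drivers=$(printf '%s\n' "$listing" | count_running aks-secrets-store-csi-driver-)
  providers=$(printf '%s\n' "$listing" | count_running aks-secrets-store-provider-azure-)
  [ "$drivers" -eq "$nodes" ] && [ "$providers" -eq "$nodes" ]
}

# Constructed sample, mirroring the example output in the docs (3 nodes).
SAMPLE_LISTING='NAME                                     READY   STATUS    RESTARTS   AGE
aks-secrets-store-csi-driver-4vpkj       3/3     Running   2          4m25s
aks-secrets-store-csi-driver-ctjq6       3/3     Running   2          4m21s
aks-secrets-store-csi-driver-tlvlq       3/3     Running   2          4m24s
aks-secrets-store-provider-azure-5p4nb   1/1     Running   0          4m21s
aks-secrets-store-provider-azure-6pqmv   1/1     Running   0          4m24s
aks-secrets-store-provider-azure-f5qlm   1/1     Running   0          4m25s'

# Live check against the current kubectl context (assumed switch CHECK_LIVE=1).
check_live() {
  nodes=$(kubectl get nodes --no-headers | wc -l | tr -d ' ')
  listing=$(kubectl get pods -n kube-system \
    -l 'app in (secrets-store-csi-driver,secrets-store-provider-azure)')
  check_addon_pods "$nodes" "$listing"
}

if [ "${CHECK_LIVE:-0}" = "1" ]; then
  check_live && echo "add-on pods healthy on every node" || echo "add-on pods missing or not ready" >&2
fi
```

A pod that is Running but shows 2/3 in READY (one container still starting) is deliberately not counted, so the check only passes once the add-on is actually serving on every node.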
Create or use an existing Azure Key Vault
-
Use the following commands to create or update a key vault in Azure.
## Create a new Azure key vault
az keyvault create -n <keyvault-name> -g <myResourceGroup> -l <eastus2>
## Update an existing Azure key vault
az keyvault update -n <keyvault-name> -g <myResourceGroup> -l <eastus2>
Note: The location name (eastus2 in the example) must be in lowercase letters.
-
Populate the Key Vault in the AKS resource group with the secrets that are required for WorkZone deployment. The key vault can store keys, secrets, and certificates.
-
Download and run the script in Azure CLI to add the secrets required for WorkZone deployment.
Link to script https://dev.azure.com/workzone-kmddk/WorkZone/_git/DevOps-Cloud?path=/infrastructure/Set-EnvSecrets.ps1
Configure workload identity to access Key Vault
Create an Azure AD Application or use an existing application.
# environment variables for the AAD application
export APPLICATION_NAME="<your application name>"
az ad sp create-for-rbac --name "${APPLICATION_NAME}"
export APPLICATION_CLIENT_ID=$(az ad sp list --display-name "${APPLICATION_NAME}" --query '[0].appId' -otsv)
Grant workload identity permission to access Key Vault
-
Ensure that your Azure AD Application has the role assignments required to access content in the keyvault instance.
-
Run the following Azure CLI commands to assign the roles, if required:
# set policy to access keys in your Keyvault
az keyvault set-policy -n <KEYVAULT_NAME> --key-permissions get --spn <APPLICATION_CLIENT_ID>
# set policy to access secrets in your Keyvault
az keyvault set-policy -n <KEYVAULT_NAME> --secret-permissions get --spn <APPLICATION_CLIENT_ID>
# set policy to access certs in your Keyvault
az keyvault set-policy -n <KEYVAULT_NAME> --certificate-permissions get --spn <APPLICATION_CLIENT_ID>
Note: When setting the access policy for keys, secrets, and certificates, make sure to use the application client ID (the APPLICATION_CLIENT_ID value from the previous step).
Establish federated identity credential between the workload identity and the service account issuer & subject
-
Ensure that the OpenID Connect (OIDC) issuer is enabled in the cluster by following the step below.
-
Ensure that the service account is created in the namespace the pod runs in (the pod namespace).
Update an existing AKS cluster with OIDC Issuer
You can update an AKS cluster using the az aks update command with the --enable-oidc-issuer parameter to use the OIDC Issuer. The following example updates a cluster named myAKSCluster:
az aks update -g <myResourceGroup> -n <myAKSCluster> --enable-oidc-issuer
Get the AKS cluster OIDC Issuer URL
To get the OIDC Issuer URL, run the az aks show command. Replace the default values for the cluster name and the resource group name.
az aks show --resource-group <resource_group> --name <cluster_name> --query "oidcIssuerProfile.issuerUrl" -otsv
Create a service account
Create the service account using the command below:
kubectl create serviceaccount <service account name> -n <namespace>
Example:
kubectl create serviceaccount azkvsa -n workzone
Establish federated identity credential
Using Azure AD Application:
-
Prepare the params.json file by replacing the necessary values.
{
  "name": "kubernetes-federated-credential",
  "issuer": "<OIDC Issuer URL>",
  "subject": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}",
  "description": "Kubernetes service account federated credential",
  "audiences": [ "api://AzureADTokenExchange" ]
}
-
Add the federated identity credential using the command below:
az ad app federated-credential create --id "<APPLICATION_CLIENT_ID>" --parameters <path-of-params.json-file>
Example:
az ad app federated-credential create --id "<APPLICATION_CLIENT_ID>" --parameters C:\Users\Z8USR\Documents\werftestdoc\params.json
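The steps from "Update an existing AKS cluster with OIDC Issuer" through the federated credential command can be tied together in one script. The following is an added example, not from the WorkZone documentation: it derives the subject from the service account namespace and name, checks the issuer URL before writing params.json, and only then calls az. The RUN_AZURE_STEPS switch, the function names and the sample issuer URL used in comments are assumptions; the audience api://AzureADTokenExchange and the subject format come from the params.json above.

```shell
#!/bin/sh
# Added example: build and validate the federated credential parameters for the
# AAD application. Not from the WorkZone docs; az/kubectl only run when
# RUN_AZURE_STEPS=1 (assumed switch).

# Subject Azure AD compares against the "sub" claim of the projected service
# account token: system:serviceaccount:<namespace>:<name>. A typo here is the
# most common reason the token exchange fails.
federated_subject() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# The issuer must match the token's "iss" claim exactly, so reject anything that
# is not an https URL. Use the value from `az aks show` unchanged (including any
# trailing slash) rather than retyping it.
check_issuer_url() {
  case "$1" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write params.json for `az ad app federated-credential create --parameters`.
# $1 issuer URL, $2 service account namespace, $3 service account name, $4 output file.
write_params_json() {
  issuer="$1"; namespace="$2"; sa_name="$3"; out="$4"
  check_issuer_url "$issuer" || { echo "invalid OIDC issuer URL: $issuer" >&2; return 1; }
  cat > "$out" <<EOF
{
  "name": "kubernetes-federated-credential",
  "issuer": "$issuer",
  "subject": "$(federated_subject "$namespace" "$sa_name")",
  "description": "Kubernetes service account federated credential",
  "audiences": [ "api://AzureADTokenExchange" ]
}
EOF
}

# End-to-end flow against a real cluster and AAD application.
# $1 application client ID, $2 resource group, $3 cluster name,
# $4 service account namespace, $5 service account name.
create_federated_credential() {
  app_client_id="$1"; resource_group="$2"; cluster="$3"; namespace="$4"; sa_name="$5"
  az aks update -g "$resource_group" -n "$cluster" --enable-oidc-issuer >/dev/null
  issuer=$(az aks show -g "$resource_group" -n "$cluster" \
             --query "oidcIssuerProfile.issuerUrl" -otsv)
  # The service account must exist before the credential is useful.
  kubectl get serviceaccount "$sa_name" -n "$namespace" >/dev/null \
    || kubectl create serviceaccount "$sa_name" -n "$namespace"
  write_params_json "$issuer" "$namespace" "$sa_name" params.json
  az ad app federated-credential create --id "$app_client_id" --parameters params.json
}

if [ "${RUN_AZURE_STEPS:-0}" = "1" ]; then
  create_federated_credential "$APPLICATION_CLIENT_ID" "$RESOURCE_GROUP" "$CLUSTER_NAME" workzone azkvsa
fi
```

Run with RUN_AZURE_STEPS=1 APPLICATION_CLIENT_ID=... RESOURCE_GROUP=... CLUSTER_NAME=... after logging in with az login; the namespace and service account name (workzone, azkvsa) match the example earlier in this page.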
Deploy secretproviderclass and application
Set the clientID in the SecretProviderClass to the client ID of the AAD application.
Example:
clientID: "<APPLICATION_CLIENT_ID>"
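The following is an added example, not from the WorkZone documentation or the linked provider docs: it renders a complete SecretProviderClass carrying the clientID above together with a pod that runs as the federated service account and mounts the vault secret. The manifest names, the Key Vault object name (db-password), the busybox image, and the APPLY_MANIFESTS switch are assumptions; the tenant ID and vault name come from your own environment.

```shell
#!/bin/sh
# Added example: SecretProviderClass + pod wired to the AAD application.
# Not from the WorkZone docs; kubectl only runs when APPLY_MANIFESTS=1 (assumed).

# $1 client ID, $2 key vault name, $3 tenant ID, $4 namespace, $5 secret object name
render_secret_provider_class() {
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-workload-identity
  namespace: $4
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    clientID: "$1"          # AAD application (client) ID, the value granted --spn access above
    keyvaultName: "$2"
    tenantId: "$3"
    objects: |
      array:
        - |
          objectName: $5
          objectType: secret
EOF
}

# $1 namespace, $2 service account named in the federated credential subject
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: secrets-store-check
  namespace: $1
spec:
  serviceAccountName: $2
  containers:
    - name: busybox
      image: registry.k8s.io/e2e-test-images/busybox:1.29-4
      command: ["/bin/sleep", "3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-kv-workload-identity
EOF
}

# $1 client ID, $2 vault, $3 tenant, $4 namespace, $5 secret name, $6 service account
render_manifests() {
  render_secret_provider_class "$1" "$2" "$3" "$4" "$5"
  echo '---'
  render_pod "$4" "$6"
}

if [ "${APPLY_MANIFESTS:-0}" = "1" ]; then
  render_manifests "$APPLICATION_CLIENT_ID" "$KEYVAULT_NAME" "$TENANT_ID" workzone db-password azkvsa \
    | kubectl apply -f -
fi
```

After applying, kubectl exec into the pod and list /mnt/secrets-store; if the mount fails, kubectl describe pod shows the provider error, which is where a wrong clientID, a missing access policy, or a subject that does not match the service account first becomes visible.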
Refer to the link: Using the Azure Key Vault Provider | Azure Key Vault Provider for Secrets Store CSI Driver.
Refer to the link: Access Azure Key Vault with the CSI Driver Identity Provider - Azure Kubernetes Service.