Azure AKS - give entire cluster access to Azure Key Vault

D'Antico1, Alexander 41 Reputation points
2022-04-20T06:44:33.87+00:00

I'm trying to find a way to give an entire AKS cluster access to Azure Key Vault. I have temporarily got this working by following the process below:

1. Go to the VMSS of the cluster -> Identity -> Set System Assigned Status to 'On'
2. Add this managed identity as an access policy to Key Vault.

This works; however, whenever I stop and start the cluster, I have to re-create this managed identity in the VMSS and re-add it to Key Vault. I have tried using User Assigned Identities for the VMSS as well, but that does not seem to work.

I also cannot use the Azure pod identities/CSI features for other reasons, so I'm just looking for a simple way to give my cluster permanent access to Key Vault.

Thanks in advance

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.

1 answer

  1. vipullag-MSFT 24,206 Reputation points Microsoft Employee
    2022-04-21T05:57:17.943+00:00

    @D'Antico1, Alexander

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    Azure AD Workload Identity is the new approach, which "binds" a Service Principal to a service account and offers native access as long as you are using the latest official Azure client library for authentication. Please follow the steps for the Key Vault situation you are looking at (Ref: https://azure.github.io/azure-workload-identity/docs/quick-start.html).

    Assigning managed identities will have manual steps, and AKS doesn't support or endorse manually modifying resources inside the node resource group.

    Hope that helps.
    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

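The setup the answer recommends, as an added example that is not part of the original question or answer and not the azure-workload-identity project's own code: a POSIX shell script that creates a user-assigned identity, federates it to one Kubernetes ServiceAccount, grants that identity read-only access to the vault, and renders the ServiceAccount and Pod manifests the webhook recognises. Every resource name (`RG`, `CLUSTER`, `KV_NAME`, `ID_NAME`, `NS`, `SA`, the pod image) is a constructed placeholder. It assumes a recent Azure CLI where `az aks update --enable-oidc-issuer --enable-workload-identity` installs the AKS-managed webhook (at the time of the thread the quick-start installed the webhook separately via Helm), and it places the `azure.workload.identity/use` label on the pod, which is where current AKS documentation puts it; older webhook versions read it from the ServiceAccount instead.

```shell
#!/bin/sh
# Added example (not from the question, the answer, or the azure-workload-identity
# project): bind one ServiceAccount to Key Vault via Azure AD Workload Identity,
# so nothing depends on a VMSS identity that disappears on cluster stop/start.
# All names below are constructed placeholders; override them via environment.
RG="${RG:-rg-placeholder}"
CLUSTER="${CLUSTER:-aks-placeholder}"
KV_NAME="${KV_NAME:-kv-placeholder}"
ID_NAME="${ID_NAME:-id-kv-reader}"
NS="${NS:-kv-demo}"
SA="${SA:-kv-reader}"
IMAGE="${IMAGE:-app-image:placeholder}"

# The federated credential subject must match the ServiceAccount's namespace and
# name exactly; a mismatch is the usual reason the token exchange is rejected.
fed_subject() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# ServiceAccount annotated with the user-assigned identity's client ID.
# $1 namespace, $2 service account name, $3 identity client ID
render_service_account() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
  annotations:
    azure.workload.identity/client-id: $3
EOF
}

# Pod that opts in to the mutating webhook; the webhook injects AZURE_CLIENT_ID,
# AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE plus the projected token volume.
# $1 namespace, $2 service account name, $3 pod name, $4 container image
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $3
  namespace: $1
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: $2
  containers:
    - name: app
      image: $4
EOF
}

# End-to-end setup against a real subscription; only runs with: sh script.sh run
setup_workload_identity() {
  # 1. The cluster must publish an OIDC issuer and run the workload identity webhook.
  az aks update -g "$RG" -n "$CLUSTER" --enable-oidc-issuer --enable-workload-identity >/dev/null
  issuer=$(az aks show -g "$RG" -n "$CLUSTER" --query oidcIssuerProfile.issuerUrl -o tsv)

  # 2. A user-assigned identity lives outside the node resource group, so
  #    stopping and starting the cluster does not remove it.
  az identity create -g "$RG" -n "$ID_NAME" >/dev/null
  client_id=$(az identity show -g "$RG" -n "$ID_NAME" --query clientId -o tsv)

  # 3. Trust tokens issued by this cluster for exactly one ServiceAccount
  #    (default audience api://AzureADTokenExchange).
  az identity federated-credential create --name "${ID_NAME}-fic" \
    --identity-name "$ID_NAME" --resource-group "$RG" \
    --issuer "$issuer" --subject "$(fed_subject "$NS" "$SA")" >/dev/null

  # 4. Least privilege on the vault: read secrets only, no list/set/delete.
  az keyvault set-policy --name "$KV_NAME" --spn "$client_id" --secret-permissions get >/dev/null

  # 5. Kubernetes side; the app then authenticates with the latest Azure SDK
  #    (DefaultAzureCredential / WorkloadIdentityCredential) and no stored secret.
  kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f -
  render_service_account "$NS" "$SA" "$client_id" | kubectl apply -f -
  render_pod "$NS" "$SA" kv-reader-demo "$IMAGE" | kubectl apply -f -
}

if [ "${1:-}" = "run" ]; then
  setup_workload_identity
fi
```

Run with `sh script.sh run` after `az login`; without the argument the script only defines the helpers, which is useful for checking the generated subject and manifests before touching the subscription. Granting only `get` on secrets keeps the blast radius of a compromised pod to reading the secrets it already needs, and scoping the federated credential to one ServiceAccount means other workloads in the cluster cannot borrow the identity.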