Question (2 votes), asked by SamAmin-9403

AKS - Keyvault Integration: Can I use mounted secrets volume with .Net Core configuration

Hi
I have an ASP Net Core 3.1 application hosted in a container in AKS. I want it to be able to access secrets and certificates stored in Keyvault.
I was able to follow this guide successfully all the way to checking that the secret is successfully in the secret volume.
https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes

But now what? Do I need to access this secret as a file stored on the file directory from my ASP Net Core application? or is there a way to hook this up to Configuration the way we usually do without AKS so that accessing Keyvault secrets is seamless?

Also, I'm unclear if after following this guide, the secrets are only loaded from Keyvault once, and stored, or will they automatically get updated if the secret is changed in Keyvault.

Thanks
Sam

Tags: azure-kubernetes-service, azure-key-vault

@SamAmin-9403 Any update on the issue?

If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.

Thanks.


0 Votes

So, I realize this answer has been accepted. But it didn't answer the actual question:

How do you get from this mounted folder of inline secrets in aks to an ASP.NET Core environmental variable / config value?

In ASP.NET Core, you can add various sources of variables (appsettings, environment variables, even ... an Azure Key Vault source).

But the ASP.NET Core Key Vault docs talk only about using "App Service" managed identities (https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-5.0#use-managed-identities-for-azure-resources), not AKS managed identities from running pods.

Will this work? Or do we need to write a CSI custom provider to look in a specific folder where these vault keys are mounted?

At least that is what I feel like the OP was asking, I may be wrong.

0 Votes

1 Answer (1 vote), answered by prmanhas-MSFT

@SamAmin-9403 Using the pod identity project enables authentication against supporting Azure services. For your own services or applications without managed identities for Azure resources, you can still authenticate using credentials or keys. Key vault can be used to store these secret contents.

When applications need a credential, they communicate with the digital vault, retrieve the latest secret contents, and then connect to the required service. The simplified workflow for retrieving a credential from Azure Key Vault using pod managed identities is shown in the following diagram:

[diagram: retrieving a credential from Azure Key Vault using pod managed identities]

With Key Vault, you store and regularly rotate secrets such as credentials, storage account keys, or certificates. You can integrate Azure Key Vault with an AKS cluster using the Azure Key Vault provider for the Secrets Store CSI Driver. The Secrets Store CSI driver enables the AKS cluster to natively retrieve secret contents from Key Vault and securely provide them only to the requesting pod. You can use a pod managed identity to request access to Key Vault and retrieve the secret contents needed through the Secrets Store CSI Driver.

You can read more about it here.

Your application can directly access the secrets via the application, since the Managed Identity enables the application to have the required access.

Fetching secrets from Key Vault is a dynamic process, so whenever you update a secret it will be updated in the mounted volume.

Hope it helps!!!

Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics

@prmanhas-MSFT This doesn't answer this part of the question:

Do I need to access this secret as a file stored on the file directory from my ASP Net Core application? or is there a way to hook this up to Configuration the way we usually do without AKS so that accessing Keyvault secrets is seamless?

4 Votes

Did you ever establish an answer on this? I wonder what the mounted secrets volume looks like to a .NET Core application: are they JSON files, for example? Or base64-encoded files named by secret name? None of this is really clear, is it?

0 Votes

Once mounted, the volume containing the secrets will have each secret (key=value) stored as a file with the name "key", containing the value as plain text.
Now the definitive answer would point you to an ASP.NET configuration provider that can read config entries in this format: files in a folder, where file names are keys and file contents are values.

I found the information on how secrets are stored in the mounted volume here: https://azure.github.io/secrets-store-csi-driver-provider-azure/demos/standard-walkthrough/

I am not sure though if this is secure, considering anyone who can connect to pods and run commands can see the secrets.

0 Votes
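As an added example (not code from this thread, from Microsoft's guide, or from the Azure provider project), here is how the file-per-secret mount described in the answer and in the last comment maps onto ASP.NET Core configuration using the framework's own key-per-file provider (`Microsoft.Extensions.Configuration.KeyPerFile`, the same provider used for Docker secrets). Assumptions: the SecretProviderClass mounts the volume at `/mnt/secrets-store`, the path used in the provider walkthrough linked above; the app targets .NET 5 or later, where `KeyPerFileConfigurationSource` is assumed to expose `ReloadOnChange` and `SectionDelimiter` (on 3.1 only the `AddKeyPerFile(directoryPath, optional)` overload exists and a changed file is picked up by restarting the pod); and the `Db__ConnectionString` file name, `DbOptions` class and `/healthz` endpoint are illustrative.

```csharp
// Added example, not code from the thread: feed the Secrets Store CSI mount into
// ASP.NET Core configuration with the framework's key-per-file provider.
// Assumptions: the SecretProviderClass mounts the volume at /mnt/secrets-store and
// the app targets .NET 5 or later (ReloadOnChange and SectionDelimiter on
// KeyPerFileConfigurationSource are assumed to exist there).
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.FileProviders;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Options;

// Illustrative options class: bound to the "Db" configuration section, so the
// value arrives from a mounted file named Db__ConnectionString (see below).
public sealed class DbOptions
{
    public string ConnectionString { get; set; } = string.Empty;
}

public static class Program
{
    // Directory the CSI driver populates: one plain-text file per secret, file name
    // = secret name (or objectAlias from the SecretProviderClass), content = value.
    private const string SecretsMountPath = "/mnt/secrets-store";

    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((_, config) =>
            {
                // Registered after the defaults (appsettings.json, env vars), so a
                // mounted secret wins over a same-named key from those sources.
                config.AddKeyPerFile(source =>
                {
                    // Attach a file provider only if the directory exists, so the app
                    // still starts on a developer machine without the CSI mount.
                    if (Directory.Exists(SecretsMountPath))
                    {
                        source.FileProvider = new PhysicalFileProvider(SecretsMountPath);
                    }
                    source.Optional = true;
                    // Re-read the files when the driver rewrites them after rotation.
                    source.ReloadOnChange = true;
                    // Key Vault secret names allow only letters, digits and '-', so a
                    // nested key such as "Db:ConnectionString" cannot be a secret name.
                    // Give the object an objectAlias of Db__ConnectionString in the
                    // SecretProviderClass; the delimiter maps it to "Db:ConnectionString".
                    source.SectionDelimiter = "__";
                });
            })
            .ConfigureWebHostDefaults(web => web.UseStartup<Startup>());
}

public sealed class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Same binding you would use for appsettings.json; the source is transparent.
        services.Configure<DbOptions>(_configuration.GetSection("Db"));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            // Illustrative readiness check. IOptionsSnapshot<T> is resolved per request,
            // so it sees a reloaded value; IOptions<T> would cache the first value for
            // the lifetime of the process.
            endpoints.MapGet("/healthz", async context =>
            {
                var db = context.RequestServices
                    .GetRequiredService<IOptionsSnapshot<DbOptions>>().Value;
                bool loaded = !string.IsNullOrEmpty(db.ConnectionString);
                context.Response.StatusCode = loaded
                    ? StatusCodes.Status200OK
                    : StatusCodes.Status503ServiceUnavailable;
                // Report presence only; never write the secret itself to a response or log.
                await context.Response.WriteAsync(loaded ? "db secret loaded" : "db secret missing");
            });
        });
    }
}
```

Two caveats on the "will it update" question. The Secrets Store CSI driver only rewrites the mounted files when secret rotation is enabled on the driver (the AKS add-on exposes this as `enableSecretRotation`, with a polling interval that defaults to two minutes); without it the files hold whatever was fetched when the pod started, and even with it the application only sees the new value if its configuration provider reloads and the consumer resolves `IOptionsSnapshot<T>` or `IOptionsMonitor<T>` rather than `IOptions<T>`. Verify in your own cluster that the reload actually fires after a rotation before relying on it. On the exec concern raised in the last comment: mount the volume with `readOnly: true` and restrict the `pods/exec` verb in RBAC; anyone who can exec into the pod, or read the node's filesystem, can read the files, exactly as with a Kubernetes Secret mounted as a volume.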