Azure Key Vault secret store

Detailed information on the Azure Key Vault secret store component

Note

Azure Managed Identity can be used for Azure Key Vault access on Kubernetes. Instructions here.

Component format

To setup Azure Key Vault secret store create a component of type secretstores.azure.keyvault. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.

See also configure the component guide in this page.

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: azurekeyvault
  5. namespace: default
  6. spec:
  7. type: secretstores.azure.keyvault
  8. version: v1
  9. metadata:
  10. - name: vaultName
  11. value: [your_keyvault_name]
  12. - name: spnTenantId
  13. value: "[your_service_principal_tenant_id]"
  14. - name: spnClientId
  15. value: "[your_service_principal_app_id]"
  16. value : "[pfx_certificate_contents]"
  17. - name: spnCertificateFile
  18. value : "[pfx_certificate_file_fully_qualified_local_path]"

Warning

The above example uses secrets as plain strings. It is recommended to use a local secret store such as Kubernetes secret store or a local file to bootstrap secure key storage.

Spec metadata fields

Self-Hosted

FieldRequiredDetailsExample
vaultNameYThe name of the Azure Key Vault“mykeyvault”
spnTenantIdYService Principal Tenant Id“spnTenantId”
spnClientIdYService Principal App Id“spnAppId”
spnCertificateFileYPFX certificate file path.

For Windows the [pfx_certificate_file_fully_qualified_local_path] value must use escaped backslashes, i.e. double backslashes. For example “C:\folder1\folder2\certfile.pfx”.

For Linux you can use single slashes. For example “/folder1/folder2/certfile.pfx”.

See configure the component for more details
“C:\folder1\folder2\certfile.pfx”, “/folder1/folder2/certfile.pfx”

Kubernetes

FieldRequiredDetailsExample
vaultNameYThe name of the Azure Key Vault“mykeyvault”
spnTenantIdYService Principal Tenant Id“spnTenantId”
spnClientIdYService Principal App Id“spnAppId”
spnCertificateYPKCS 12 encoded bytes of the certificate. See configure the component for details on encoding this in a Kubernetes secret.secretKeyRef: …
See configure the component for more information.

Setup Key Vault and service principal

Prerequisites

Steps

  1. Login to Azure and set the default subscription

    1. # Log in Azure
    2. az login
    3. # Set your subscription to the default subscription
    4. az account set -s [your subscription id]
  2. Create an Azure Key Vault in a region

    1. az keyvault create --location [region] --name [your_keyvault] --resource-group [your resource group]
  3. Create a service principal

    Create a service principal with a new certificate and store the 1-year certificate inside your keyvault’s certificate vault. You can skip this step if you want to use an existing service principal for keyvault instead of creating new one

    1. az ad sp create-for-rbac --name [your_service_principal_name] --create-cert --cert [certificate_name] --keyvault [your_keyvault] --skip-assignment --years 1
    2. {
    3. "appId": "a4f90000-0000-0000-0000-00000011d000",
    4. "displayName": "[your_service_principal_name]",
    5. "name": "http://[your_service_principal_name]",
    6. "password": null,
    7. "tenant": "34f90000-0000-0000-0000-00000011d000"
    8. }

    Save both the appId and tenant from the output which will be used in the next step

  4. Get the Object Id for [your_service_principal_name]

    1. az ad sp show --id [service_principal_app_id]
    2. {
    3. ...
    4. "objectId": "[your_service_principal_object_id]",
    5. "objectType": "ServicePrincipal",
    6. ...
    7. }
  5. Grant the service principal the GET permission to your Azure Key Vault

    1. az keyvault set-policy --name [your_keyvault] --object-id [your_service_principal_object_id] --secret-permissions get

    Now that your service principal has access to your keyvault you are ready to configure the secret store component to use secrets stored in your keyvault to access other components securely.

  6. Download the certificate in PFX format from your Azure Key Vault either using the Azure portal or the Azure CLI:

  • Using the Azure portal:

    Go to your key vault on the Azure portal and navigate to the Certificates tab under Settings. Find the certificate that was created during the service principal creation, named [certificate_name] and click on it.

    Click Download in PFX/PEM format to download the certificate.

  • Using the Azure CLI:

    1. az keyvault secret download --vault-name [your_keyvault] --name [certificate_name] --encoding base64 --file [certificate_name].pfx

Configure the component

  1. Copy downloaded PFX cert from your Azure Keyvault into your components directory or a secure location on your local disk

  2. Create a file called azurekeyvault.yaml in the components directory

    1. apiVersion: dapr.io/v1alpha1
    2. kind: Component
    3. metadata:
    4. name: azurekeyvault
    5. namespace: default
    6. spec:
    7. type: secretstores.azure.keyvault
    8. version: v1
    9. metadata:
    10. - name: vaultName
    11. value: [your_keyvault_name]
    12. - name: spnTenantId
    13. value: "[your_service_principal_tenant_id]"
    14. - name: spnClientId
    15. value: "[your_service_principal_app_id]"
    16. - name: spnCertificateFile
    17. value : "[pfx_certificate_file_fully_qualified_local_path]"

Fill in the metadata fields with your Key Vault details from the above setup process.

In Kubernetes, you store the certificate for the service principal into the Kubernetes Secret Store and then enable Azure Key Vault secret store with this certificate in Kubernetes secretstore.

  1. Create a kubernetes secret using the following command:

    1. kubectl create secret generic [your_k8s_spn_secret_name] --from-file=[your_k8s_spn_secret_key]=[pfx_certificate_file_fully_qualified_local_path]
  • [pfx_certificate_file_fully_qualified_local_path] is the path of PFX cert file you downloaded above
  • [your_k8s_spn_secret_name] is secret name in Kubernetes secret store
  • [your_k8s_spn_secret_key] is secret key in Kubernetes secret store
  1. Create a azurekeyvault.yaml component file

The component yaml refers to the Kubernetes secretstore using auth property and secretKeyRef refers to the certificate stored in Kubernetes secret store.

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: azurekeyvault
  5. namespace: default
  6. spec:
  7. type: secretstores.azure.keyvault
  8. version: v1
  9. metadata:
  10. - name: vaultName
  11. value: [your_keyvault_name]
  12. - name: spnTenantId
  13. value: "[your_service_principal_tenant_id]"
  14. - name: spnClientId
  15. value: "[your_service_principal_app_id]"
  16. - name: spnCertificate
  17. secretKeyRef:
  18. name: [your_k8s_spn_secret_name]
  19. key: [your_k8s_spn_secret_key]
  20. auth:
  21. secretStore: kubernetes
  1. Apply azurekeyvault.yaml component
  1. kubectl apply -f azurekeyvault.yaml

References

Last modified May 26, 2021: Update to point to 1.2 (#1518) (c690379)