Azure AD pod-managed identities vs Azure AD workload identity

I'm about to create a new Azure AKS cluster and I want to integrate AKS with Azure Key Vault.
A few months ago, during the study phase, I saw that it was necessary to use Azure AD pod-managed identities to do this, but now I found that this will be replaced by Azure AD workload identity.
At this point, I'm a bit confused because the first one will be replaced, but the second one is not ready for production.
Any suggestions?

ATM Azure AD pod identities are the way to go. Azure workload identity will replace AAD pod identity, as you already mentioned, because it will solve some limitations, as you can read here. I think there will be documentation on how to migrate from AAD pod identity to Azure workload identity as soon as it goes GA.
You could also use the Azure Key Vault Provider for Secrets Store CSI Driver to integrate Azure Key Vault with your AKS.

Related

Can I log into Azure Portal using Service Account Certificate?

Stuff in Azure is secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDKs. Obviously, this won't bring you the visual experience of the Azure Portal, but it might resolve the performance piece.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.

How to auto renew Service Principals secrets in Azure

I have an issue: how do I auto-renew Service Principal secrets in Azure Key Vault?
In short - you can't.
Azure KeyVault only provides the option to auto rotate keys. This feature enables end-to-end zero-touch key rotation for Azure services data encryption with customer-managed key (CMK) stored in Azure Key Vault.
https://azure.microsoft.com/en-us/updates/automated-key-rotation-in-azure-key-vault-is-now-available/
What you are trying to achieve is different. Azure AD Service principals are managed by Azure AD. So, you need some sort of automation which generates a new secret there and updates it in keyvault.
A better way (if possible) would be managed identity. Managed Identities can be used like service principals but are fully managed, and the secrets are managed behind the scenes for you.

How to access Azure Key Vault (AKV) from Azure Kubernetes Service (AKS) using Managed Identities

We have some dotnet Core App Services running on Azure and using Azure Key Vault with Managed Identities.
Planning to deploy these dotnet core services to Azure Kubernetes, but I haven't found any relevant document/support to use AKV with Kubernetes Services. Any guidance or references?
There are a couple of options to access KV from AKS:
Use Azure Key Vault with FlexVol (deprecated; continue to use this for Kubernetes version 1.15)
With Key Vault, you store and regularly rotate secrets such as credentials, storage account keys, or certificates. You can integrate Azure Key Vault with an AKS cluster using a FlexVolume. The FlexVolume driver lets the AKS cluster natively retrieve credentials from Key Vault and securely provide them only to the requesting pod. Work with your cluster operator to deploy the Key Vault FlexVol driver onto the AKS nodes. You can use a pod managed identity to request access to Key Vault and retrieve the credentials you need through the FlexVolume driver.
Azure Key Vault with FlexVol is intended for use with applications and services running on Linux pods and nodes.
Use Azure Key Vault Provider for Secrets Store CSI Driver (for Kubernetes 1.16+)
The Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of Azure Key Vault as a secrets store with a Kubernetes cluster via a CSI volume.
Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)
Azure Active Directory (Azure AD) pod-managed identities use Kubernetes primitives to associate managed identities for Azure resources and identities in Azure AD with pods. Administrators create identities and bindings as Kubernetes primitives that allow pods to access Azure resources that rely on Azure AD as an identity provider.
I found the pod identity approach easier as you don't need to change your code.
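Added example (not from either answer above) of the Secrets Store CSI Driver route combined with AAD pod-managed identity, which the main answer and the options listed above both mention: a SecretProviderClass that authenticates to Key Vault as the pod's bound identity, and a pod that selects that identity by label and receives the secret as a mounted file. It assumes the Azure Key Vault provider for the CSI driver and the pod identity addon are installed, that an AzureIdentityBinding with selector kv-reader already exists (e.g. created with az aks pod-identity add), and that the vault name, tenant id and image are placeholders.

```yaml
# Added example: Key Vault secret mounted into a pod via the Secrets Store CSI Driver,
# authenticating with an AAD pod-managed identity. Values in <...> are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-podid        # must live in the same namespace as the pod
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"    # authenticate as the pod's bound AAD identity; no client secret in the cluster
    keyvaultName: <KEY_VAULT_NAME>
    tenantId: <TENANT_ID>
    objects: |
      array:
        - |
          objectName: db-password   # name of the secret in Key Vault
          objectType: secret        # secret | key | cert
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  labels:
    aadpodidbinding: kv-reader      # must match the AzureIdentityBinding selector
spec:
  containers:
    - name: api
      image: <YOUR_IMAGE>
      volumeMounts:
        - name: kv-secrets
          mountPath: /mnt/secrets   # secret appears as the file /mnt/secrets/db-password
          readOnly: true
  volumes:
    - name: kv-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-kv-podid
```

The identity behind kv-reader only needs the get permission on secrets in the vault's access policy (or the equivalent RBAC role), and the application reads the mounted file at startup without any Key Vault SDK code.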

While using Azure Managed Service Identity, AKS, AAD and Key Vault, do all these resources need to be in the same subscription/resource group or VNET?

Basically I have a setup where I have:
Hub-spoke subscription and VNET topology in Azure.
AAD for internal users and developer access, and B2C for external users.
AAD and Key Vault are in the hub subscription/VNET.
APIs which are deployed in Azure AKS clusters are in the spoke subscription.
Also have API Management fronting the APIs, which is in the same subscription and VNET as the AKS/APIs, so in the spoke subscription.
Given the setup above, I have these questions:
Do all the APIs, API Management, Key Vault and Azure AD need to be tied to the same subscription, or can I have Key Vault in my hub subscription and other services in different subscriptions?
Do we register each API as an app in the same AAD as Key Vault, or can we just register the API Management and use API Management to get the secrets?
Can we use managed service identity, even if the components are in different subscriptions but registered with the same Azure AD?
Authentication in Azure is done at a tenant level, so presuming you're not using the advanced services for Key Vault (ARM access, VM encryption etc.) you can have your Key Vault in one subscription and access that from MSI in a different subscription - as long as you grant that MSI user permissions to the key vault.
As long as you grant permissions to the resource, AAD has very little awareness of subscriptions (subscriptions are basically one big resource that you can grant privileges to).
Edited to clarify advanced access policies
There are three advanced access policies for key vault.
enabledForDeployment
enabledForDiskEncryption
enabledForTemplateDeployment
The enabledForTemplateDeployment policy only applies if you are reading a secret from an ARM template deployment, i.e. if you are passing a VM password directly from Key Vault.
For your situation, if this is a requirement, then you could simply have those being placed in a different key vault located in the same subscription.

Are VSTS Service Principals impacted by the Azure AD signing key roll over

We have a VSTS Azure Resource Manager Service Endpoint that uses a Service Principal to connect to Azure. This service principal was created manually. I was wondering if this service principal is impacted by the Azure AD signing key roll over and whether it will handle it automatically.
If you are using a service principal created through VSTS, there shouldn't be a problem. If it's created another way, you'll want to check this article from the Azure team about the rollover.