Skip to content

4. Secrets integration


This guide walks you through setting up the CSI Secret Driver for Azure, allowing Kubernetes to use secrets stored in Azure Key Vault using a user-assigned managed identity.


CSI Secret Store Driver configuration

  1. Access Your Key vault

    • In your managed resource group (eg. mrg-kubernetes-by-fortytwo-xxxx if you are using the default values). Locate the Key vault resource type in the resource list and click it.
  2. Update IAM Settings

    • Go to Access control (IAM) section of your Key vault and click + Add and Add role assignment.
    • Select the Key Vault Secrets Officer role and click Next.
    • Click the Select members button and find your own user in the list.
    • Click Next and then Review + assign to save the changes.
  3. Add your IP address to the Key vault firewall

    • Find your own IP address (eg. by using and copy it to your clipboard.
    • Go to the Networking section in the left menu under Settings.
    • Under Firewall click + Add your client IP address
    • Paste in your IP address in the list and click Apply to apply the changes.
  4. Add Secrets to Key vault

    • Click Secrets in the left menu in your Key vault.
    • Click on + Generate/Import to add new secrets.
    • Enter the secret name secret1 and some random secret value.
    • Click Create to save the secret in the Key vault.
  5. Configure Kubernetes to Use Azure Key Vault with User-Assigned Managed Identity

    • Copy and paste the following code in your terminal, which utilizes a user-assigned managed identity to access your Key vault. Replace <key-vault-name>, <tenant-id>, and <client-id> with your own values.
    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Namespace
      name: workloads
    kind: SecretProviderClass
      name: azure-kvname-user-msi
      namespace: workloads
      provider: azure
        usePodIdentity: "false"
        useVMManagedIdentity: "true"
        userAssignedIdentityID: <managed-identity-client-id>   # Replace with the clientID of the managed identity
        keyvaultName: <keyvault-name>                          # Replace with your Key Vault name
        objects:  |
            - |
              objectName: secret1
              objectType: secret
              objectVersion: ""
        tenantId: <tenant-id>                                  # Replace with your Azure tenant ID
    • Finding Tenant ID:
      • In your Key vault, click the "Overview" and look for the "Directory ID" in the "Essentials" section.
    • Finding Managed Identity:
      • The managed identity client-id can be found in the Azure portal under the resource type "Managed Identity". Its name typically follows the format azurekeyvaultsecretsprovider-{cluster-name}.


After following these steps, the CSI Secret Driver will be configured in your Kubernetes cluster using Azure Key Vault with a user-assigned managed identity.

Next steps