Loading...

GA: Azure Key Vault secrets provider extension for Arc enabled Kubernetes clusters

GA: Azure Key Vault secrets provider extension for Arc enabled Kubernetes clusters

The Azure Arc team is happy to announce the GA of Azure Key Vault Secrets Provider extension for Arc enabled Kubernetes clusters. This is a Microsoft managed extension that allows you to get secret contents stored in an Azure Key Vault instance and mount them into Kubernetes pods of your Azure Arc enabled Kubernetes clusters, thereby reducing the exposure of secrets to the minimum. It can pull any type of object from an Azure Key Vault, including keys, secrets and certificates.

 

The extension is installed by a cluster admin. With the installation, Secrets Store CSI driver and AKV secrets provider are deployed as daemon sets. On application pod start and restart, the Secrets Store CSI driver communicates with the Azure Key Vault secrets provider using gRPC to retrieve the secret content from the Azure Key Vault.  Then the volume is mounted in the pod as tmpfs and the secret contents are written to the volume. On pod delete, the corresponding volume is cleaned up and deleted.

 

CSI driver Interface.png

 

This extension can be deployed using az k8s-extension CLI and also using Azure Portal. For deployment through portal, go to the Arc connected Kubernetes cluster and click on Extensions under Settings. Further, click on +Add to add Azure Key Vault Secrets Provider extension. Check out the full documentation on how to enable it for an Arc enabled Kubernetes cluster. 

 

The extension allows for 3 configuration options:

  1. Secret Rotation - Periodically update the pod mount with the latest secret from the AKV secrets store. The polling of latest secret does not require pod restart. It is disabled by default.
  2. Rotation Poll Interval - Frequency of the pod mount update if Secret Rotation configuration is enabled. The default is 2 minutes.
  3. Sync as Kubernetes secret - Create Kubernetes secret(s) to mirror the mounted content. It is disabled by default.

A service principal is required to enable the access to Azure Key Vault from within the Arc cluster. Further, a Kubernetes secret needs to be created in the application namespace that references this service principal in order to gain access to the vault. 

 

What next?

The identity option available today is service principal. However, we are investing in using workload identity as another option in future.

 

Learn more at the Azure Hybrid, Multicloud, and Edge Day digital event

We will be hosting our annual Azure Hybrid, Multicloud, and Edge Day digital event on June 15, 2022. You’ll hear from Microsoft leadership and engineers on how you can innovate anywhere with Azure Arc, learn from customers using Azure solutions for their hybrid scenarios, and get to ask questions in the live Q&A chat. Register now >

Published on:

Learn more
Azure Arc Blog articles
Azure Arc Blog articles

Azure Arc Blog articles

Share post:

Related posts

Copilot Studio – Environment-level agent telemetry export to Azure Application Insights (Preview)

We are announcing the ability for administrators to export Copilot Studio agent telemetry at the environment level to Azure Application Insigh...

21 hours ago

See our new Azure Cosmos DB Design Patterns

Design patterns are where good data modeling lives or dies. In a NoSQL database like Azure Cosmos DB, the difference between a schema that sca...

1 day ago

Need a different partition key in Azure Cosmos DB? Pick the right approach

Once you create a container, its partition key is fixed at creation, and you can’t change it in place. However, if your original key starts ca...

1 day ago

Azure SDK Release (June 2026)

Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (June 2026) ap...

2 days ago

Fundamentals of Azure DevOps with SQL projects

Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...

5 days ago

Upcoming Change: NTLM Removal in Git (libcurl) – Impact to Azure DevOps Server Customers

Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operation...

6 days ago

What’s new across Microsoft SQL in 2026 so far (SQL Server, Azure SQL, and SQL database in Fabric)

We’re halfway through 2026, and Microsoft SQL has not slowed down. Since SQLCon/FabCon in March (where we released a ton of things, and those ...

6 days ago

Power Automate Flow — HTTP Trigger to Azure OpenAI

Build the secure Power Automate HTTP trigger flow that receives free text from the portal, calls Azure OpenAI using your smart-form-extract de...

8 days ago

Spring AI 2.0 is GA: Vector Search, Memory, and Agents on Azure Cosmos DB

The wait is over. Spring AI 2.0 is generally available, and Azure Cosmos DB is right there with it. With this release, Spring AI graduates int...

9 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy