Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: explain how to use pod identity for Azure Key Vault #970

Merged
merged 2 commits into from
Nov 4, 2022
Merged

feat: explain how to use pod identity for Azure Key Vault #970

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d84e70c
feat: explain how to use pod identity for Azure Key Vault
JorTurFer Nov 4, 2022
1fbe409
Update content/docs/2.9/authentication-providers/azure-key-vault.md
JorTurFer Nov 4, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions content/docs/2.9/authentication-providers/azure-key-vault.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,9 @@ You can pull secrets from Azure Key Vault into the trigger by using the `azureKe

The `secrets` list defines the mapping between the key vault secret and the authentication parameter.

Currently pod identity providers are not supported for key vault.
Currently, `azure` and `azure-workload` pod identity providers are supported for Azure Key Vault using `podIdentity` inside `azureKeyVault`.

You need to register an [application](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) with Azure Active Directory and specify its credentials. The `clientId` and `tenantId` for the application are to be provided as part of the spec. The `clientSecret` for the application is expected to be within a kubernetes secret in the same namespace as the authentication resource.
Service principal authentication is also supported, needing to register an [application](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) with Azure Active Directory and specifying its credentials. The `clientId` and `tenantId` for the application are to be provided as part of the spec. The `clientSecret` for the application is expected to be within a kubernetes secret in the same namespace as the authentication resource.

Ensure that "read secret" permissions have been granted to the Azure AD application on the Azure Key Vault. Learn more in the Azure Key Vault [documentation](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal).

Expand All @@ -19,7 +19,10 @@ The `cloud` parameter can be used to specify cloud environments besides `Azure P
```yaml
azureKeyVault: # Optional.
vaultUri: {key-vault-address} # Required.
credentials: # Required.
podIdentity: # Optional.
provider: azure | azure-workload # Required.
identityId: <identity-id> # Optional
credentials: # Optional.
clientId: {azure-ad-client-id} # Required.
clientSecret: # Required.
valueFrom: # Required.
Expand Down