How-To: Mount an Azure Key Vault as a volume to a container

Learn how to mount an Azure Key Vault as a volume to a container
Categories:
Tags:

This how-to guide will provide an overview of how to:

  • Setup a Radius Environment with an identity provider
  • Define a connection to an Azure resource with Azure AD role-based access control (RBAC) assignments
  • Leverage Azure managed identities to connect to an Azure resource
  • Mount a Key vault as a volume to a container

Prerequisites

Step 1: Initialize Radius

Begin by running rad init --full. Make sure to configure an Azure cloud provider:

rad init --full

Step 2: Define a Radius Environment

Create a file named app.bicep and define a Radius Environment with the identity property set:

import radius as rad

@description('The Azure region to deploy Azure resource(s) into. Defaults to the region of the target Azure resource group.')
param azLocation string = resourceGroup().location

@description('Specifies the environment for resources.')
param oidcIssuer string

resource env 'Applications.Core/environments@2023-10-01-preview' = {
  name: 'kv-volume-quickstart'
  properties: {
    compute: {
      kind: 'kubernetes'
      namespace: 'kv-volume-quickstart'
      resourceId: 'self'
      identity: {
        kind: 'azure.com.workload'
        oidcIssuer: oidcIssuer
      }
    }
    providers: {
      azure: {
        scope: resourceGroup().id
      }
    }
  }
}

Step 3: Define an app, Key Vault, and volume

Add a Radius Application, an Azure Key Vault, and a Radius volume which uses the Key Vault to your app.bicep file:

resource app 'Applications.Core/applications@2023-10-01-preview' = {
  name: 'myapp'
  properties: {
    environment: env.id
  }
}

resource volume 'Applications.Core/volumes@2023-10-01-preview' = {
  name: 'myvolume'
  properties: {
    application: app.id
    kind: 'azure.com.keyvault'
    resource: keyvault.id
    secrets: {
      mysecret: {
        name: 'mysecret'
      }
    }
  }
}

resource keyvault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: 'kvqs-${uniqueString(resourceGroup().id)}'
  location: azLocation
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
  }

  resource mySecret 'secrets' = {
    name: 'mysecret'
    properties: {
      value: 'supersecret'
    }
  }
}

Step 4: Define an app, Key Vault, and volume

Now add a Radius container with a volume mount for the Radius volume:

resource container 'Applications.Core/containers@2023-10-01-preview' = {
  name: 'mycontainer'
  properties: {
    application: app.id
    container: {
      image: 'debian'
      command: ['/bin/sh']
      args: ['-c', 'while true; do echo secret context : `cat /var/secrets/mysecret`; sleep 10; done']
      volumes: {
        volkv: {
          kind: 'persistent'
          source: volume.id
          mountPath: '/var/secrets'
        }
      }

    }
  }
}

Step 5: Deploy the app

Deploy your app, specifying the OIDC issuer URL. To retrieve the OIDC issuer URL, follow the Azure Workload Identity installation guide.

rad deploy ./app.bicep -p oidcIssuer=<OIDC_ISSUER_URL>

Step 5: Verify access to the mounted Azure Key Vault

  1. Once deployment completes, read the logs from your running container resource:

    rad resource logs containers mycontainer -a myapp

  2. You should see the contents of the /var/secrets mount path defined in your app.bicep file:

    [myapp-mycontainer-d8b4fc44-qrhnn] secret context : supersecret

    Note: You might need to wait 1-2 minutes for the pods and identities to be set up completely. Retry in a few minutes if you are unable to view the secret contents.

Cleanup

  1. Run the following command to delete your app and container:

    rad app delete myapp --yes

  2. Delete the deployed Azure Key Vault via the Azure portal or the Azure CLI