How-To: Mount an Azure Key Vault as a volume to a container
This how-to guide will provide an overview of how to:
- Set up a Radius Environment with an identity provider
- Define a connection to an Azure resource with Azure AD role-based access control (RBAC) assignments
- Leverage Azure managed identities to connect to an Azure resource
- Mount a Key Vault as a volume to a container
Prerequisites
- rad CLI
- Bicep VSCode extension
- Supported Kubernetes cluster
- Azure AD Workload Identity installed on your cluster
- Azure Keyvault Provider
- The above installation will also install the required Secrets Store CSI Driver
Step 1: Initialize Radius
Begin by running rad init --full. Make sure to configure an Azure cloud provider:
  rad init --full
Select ‘No’ when asked to set up an application in the current directory.
Step 2: Create a bicepconfig.json in your application’s directory
- Create a bicepconfig.json in your application’s directory. release-version should correspond to the current release version in the form of major.minor (e.g. 0.36).
  {
    "experimentalFeaturesEnabled": {
      "extensibility": true,
      "extensionRegistry": true,
      "dynamicTypeLoading": true
    },
    "extensions": {
      "radius": "br:biceptypes.azurecr.io/radius:<release-version>",
      "aws": "br:biceptypes.azurecr.io/aws:<release-version>"
    }
  }
More information on how to set up a bicepconfig.json can be found in the Radius documentation.
Step 3: Define a Radius Environment
Create a file named app.bicep and define a Radius Environment with the identity property set:
  extension radius

  @description('The Azure region to deploy Azure resource(s) into. Defaults to the region of the target Azure resource group.')
  param azLocation string = resourceGroup().location

  @description('The OIDC issuer URL of the Kubernetes cluster, used by Azure AD Workload Identity to federate the environment identity.')
  param oidcIssuer string

  resource env 'Applications.Core/environments@2023-10-01-preview' = {
    name: 'kv-volume-quickstart'
    properties: {
      compute: {
        kind: 'kubernetes'
        namespace: 'kv-volume-quickstart'
        resourceId: 'self'
        identity: {
          kind: 'azure.com.workload'
          oidcIssuer: oidcIssuer
        }
      }
      providers: {
        azure: {
          scope: resourceGroup().id
        }
      }
    }
  }
Step 4: Define an app, Key Vault, and volume
Add a Radius Application, an Azure Key Vault, and a Radius volume which uses the Key Vault to your app.bicep file:
  resource app 'Applications.Core/applications@2023-10-01-preview' = {
    name: 'myapp'
    properties: {
      environment: env.id
    }
  }

  resource volume 'Applications.Core/volumes@2023-10-01-preview' = {
    name: 'myvolume'
    properties: {
      application: app.id
      kind: 'azure.com.keyvault'
      resource: keyvault.id
      secrets: {
        mysecret: {
          name: 'mysecret'
        }
      }
    }
  }

  resource keyvault 'Microsoft.KeyVault/vaults@2021-10-01' = {
    name: 'kvqs-${uniqueString(resourceGroup().id)}'
    location: azLocation
    properties: {
      sku: {
        family: 'A'
        name: 'standard'
      }
      tenantId: subscription().tenantId
      enableRbacAuthorization: true
    }

    resource mySecret 'secrets' = {
      name: 'mysecret'
      properties: {
        value: 'supersecret'
      }
    }
  }
Step 5: Define a container with a volume mount
Now add a Radius container with a volume mount for the Radius volume:
  resource container 'Applications.Core/containers@2023-10-01-preview' = {
    name: 'mycontainer'
    properties: {
      application: app.id
      container: {
        image: 'debian'
        command: ['/bin/sh']
        args: ['-c', 'while true; do echo secret context : `cat /var/secrets/mysecret`; sleep 10; done']
        volumes: {
          volkv: {
            kind: 'persistent'
            source: volume.id
            mountPath: '/var/secrets'
          }
        }
      }
    }
  }
Step 6: Deploy the app
Deploy your app, specifying the OIDC issuer URL. To retrieve the OIDC issuer URL, follow the Azure Workload Identity installation guide.
  rad deploy ./app.bicep -p oidcIssuer=<OIDC_ISSUER_URL>
Step 7: Verify access to the mounted Azure Key Vault
- Once deployment completes, read the logs from your running container resource:
  rad resource logs containers mycontainer -a myapp
- You should see the contents of the /var/secrets mount path defined in your app.bicep file:
  [myapp-mycontainer-d8b4fc44-qrhnn] secret context : supersecret
Note: You might need to wait 1-2 minutes for the pods and identities to be set up completely. Retry in a few minutes if you are unable to view the secret contents.
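The container in Step 5 echoes the secret value to stdout every ten seconds, which puts it into rad resource logs and any log aggregator behind them, and it starts reading before the CSI mount is necessarily populated (the reason for the wait noted above). The following startup helper is an added example, not code from the Radius docs: it waits for the mounted file to appear, confirms it is non-empty, and logs only its size; the path and timeout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Radius docs: a startup helper for the
# container in Step 5. The original args print the secret value to stdout
# every ten seconds, so it ends up in `rad resource logs` and any log
# aggregator. This version waits for the CSI-mounted file to appear (the
# mount can lag a minute or two while the workload identity is set up),
# confirms it is non-empty, and logs only its size. Paths and timeouts
# below are assumptions for illustration.

# wait_for_secret FILE TIMEOUT_SECONDS
# Returns 0 once FILE exists and is non-empty, 1 if TIMEOUT_SECONDS pass first.
wait_for_secret() {
  file=$1
  timeout=${2:-120}
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if [ -s "$file" ]; then
      return 0
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 1
}

# secret_size FILE
# Prints the byte length of FILE: enough to confirm the mount is populated
# and to notice a rotation, without echoing the value itself.
secret_size() {
  wc -c < "$1" | tr -d ' '
}

# Drop-in replacement for the container's loop in Step 5:
#   wait_for_secret /var/secrets/mysecret 120 || exit 1
#   while true; do
#     echo "mysecret mounted, $(secret_size /var/secrets/mysecret) bytes"
#     sleep 10
#   done
```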
Cleanup
- Run the following command to delete your app and container:
  rad app delete myapp --yes
- Delete the deployed Azure Key Vault via the Azure portal or the Azure CLI.