Azure Key Vault volume
Learn about Radius persistent Azure Key Vault volumes
Radius supports mounting an Azure Key Vault as a persistent volume to the container using the Azure KeyVault CSI Driver.
Prerequisites
- Azure Key Vault CSI Driver installed on your cluster
- Azure AD Workload Identity installed on your cluster
- azure.com.workload identity configured on your environment
- Your Azure Key Vault access policy should be set to Azure role-based access control
Resource format
```bicep
resource volume 'Applications.Core/volumes@2023-10-01-preview' = {
  name: 'myvolume'
  properties: {
    application: app.id
    kind: 'azure.com.keyvault'
    resource: keyvault.id
    secrets: {
      mysecret: {
        name: 'secret1' // required
        version: '1' // optional, defaults to latest version
        alias: 'secretalias' // optional, defaults to secret object name (mysecret)
        encoding: 'utf-8' // optional, defaults to utf-8
      }
    }
    certificates: {
      mycertificate: {
        name: 'cert1' // required
        version: '1' // optional, defaults to latest version
        alias: 'certificatealias' // optional, defaults to certificate object name (mycertificate)
        encoding: 'base64' // optional, defaults to utf-8, only available when certType is 'privatekey'
        certType: 'privatekey' // required
        format: 'pem' // optional, defaults to pfx
      }
    }
    keys: {
      mykey: {
        name: 'key1' // required
        version: '1' // optional, defaults to latest version
        alias: 'keyalias' // optional, defaults to key object name (mykey)
      }
    }
  }
}
```
Properties
The following properties are available on the Volume resource to which the container attaches:
Key | Required | Description | Example |
---|---|---|---|
kind | y | The kind of persistent volume. Must be 'azure.com.keyvault' for Azure Key Vault persistent volumes. | 'azure.com.keyvault' |
resource | n | Resource ID of the Azure Key Vault resource. | 'kv.id', '/subscriptions/<subscription>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<keyvaultname>' |
secrets | n | Map of secret object names to secret properties. See secret properties. | mysecret: { |
keys | n | Map of key object names to key properties. See key properties. | mykey: { |
certificates | n | Map of certificate object names to certificate properties. See certificate properties. | mycert: { |
Secrets
Key | Description | Required | Example |
---|---|---|---|
name | Secret name in Azure Key Vault | true | 'mysecret' |
version | Specific secret version. Default is latest | false | '1234' |
encoding | Encoding format: 'utf-8', 'hex' or 'base64'. Default is 'utf-8' | false | 'base64' |
alias | File name created on the disk. Same as the object name if not specified | false | 'my-secret' |
Keys
Key | Description | Required | Example |
---|---|---|---|
name | Key name in Azure Key Vault | true | 'mykey' |
version | Specific key version. Default is latest | false | '1234' |
alias | File name created on the disk. Same as the object name if not specified | false | 'my-key' |
Certificates
Key | Description | Required | Example |
---|---|---|---|
name | Certificate name in Azure Key Vault | true | 'mycert' |
certType | Which part of the certificate object to download from Azure Key Vault: 'privatekey', 'publickey' or 'certificate' | true | 'certificate' |
version | Specific certificate version. Default is latest | false | '1234' |
encoding | Encoding format: 'utf-8', 'hex' or 'base64'. Default is 'utf-8'. This field can be specified only when certType is 'privatekey' | false | 'base64' |
alias | File name created on the disk. Same as the object name if not specified | false | 'my-cert' |
format | Certificate format: 'pfx' or 'pem'. Default is 'pfx' | false | 'pem' |
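The following is an added example, not part of the Radius docs, that wires the volume described above to a container so that one secret and one certificate private key appear as files under a read-only mount. It assumes the `extension radius` Bicep syntax, an existing application whose environment already has azure.com.workload identity configured, a Key Vault named 'kv-demo' reachable from the deployment scope, and the container `volumes` mount properties (`kind`, `source`, `mountPath`, `permission`) as documented for Radius containers; every name below is a placeholder.

```bicep
// Added example (not from the Radius docs). Assumes an existing application,
// a Key Vault 'kv-demo' configured for Azure RBAC access, and placeholder names.
extension radius
param application string // ID of an application whose environment has azure.com.workload identity
resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: 'kv-demo' // access model must be Azure RBAC, per the prerequisites
}
resource volume 'Applications.Core/volumes@2023-10-01-preview' = {
  name: 'kvvolume'
  properties: {
    application: application
    kind: 'azure.com.keyvault'
    resource: keyvault.id
    secrets: {
      dbpassword: {
        name: 'db-password'  // secret name in the vault; latest version is used
        alias: 'DB_PASSWORD' // file the app reads: /var/secrets/DB_PASSWORD
      }
    }
    certificates: {
      tlskey: {
        name: 'tls-cert'
        certType: 'privatekey' // only the private key is mounted...
        format: 'pem'          // ...as PEM rather than the default PFX
        alias: 'tls.key'       // file the app reads: /var/secrets/tls.key
      }
    }
  }
}
resource demo 'Applications.Core/containers@2023-10-01-preview' = {
  name: 'demo'
  properties: {
    application: application
    container: {
      image: 'ghcr.io/example/demo:latest' // placeholder image
      volumes: {
        secrets: {
          kind: 'persistent'
          source: volume.id
          mountPath: '/var/secrets'
          permission: 'read' // read-only mount; the workload never needs to write here
        }
      }
    }
  }
}
```

Because the CSI driver materialises vault objects as files, rotating a secret in Key Vault changes what the pod sees on its next sync rather than on redeploy, so the workload should re-read the files instead of caching their contents at startup.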