Preparing Service Principal
Creating Service Principal
Operator needs a Service Principal to get secrets from Azure KeyVault. By executing the following commands, you can create a service principal without any assignment.
Please edit the value of SP_NAME variable, if you want to change name of the service principal to be created.
SP_NAME="kubernetes-azure-keyvault-secret-operator"
#create service principal and get its secret (do not keep anywhere, it includes sensitive data!)
SP_CLIENTSECRET="$(az ad sp create-for-rbac --skip-assignment --name $SP_NAME --query 'password' -otsv)"
#get its appId/clientId
SP_CLIENTID="$(az ad sp list --display-name $SP_NAME --query '[0].appId' -otsv)"
#get tenantId of subscription
TENANTID="$(az account show --query 'tenantId' -otsv)"
Authorizing for KeyVault
The service principal which is used by operator needs to have sufficient permission to get secrets from Azure KeyVault. Following command provides a way to authorize the service principal to KeyVault both of created before.
warning
Azure service principal is an identity created to access Azure resources. Azure KeyVault Secret Operator needs a service principal which authorized only for get secret-permission. Do not use any service principal which is be able to do more than that.az keyvault set-policy --name $KV_NAME --spn $SP_CLIENTID --secret-permissions get
Creating Service Principal Secret
Until now, you created service principal and authorized it to KeyVault. Before operator is installed, you need to create a kubernetes secret which will be used by operator.
You can change SECRET_NS and SECRET_NAME variables which represents namespace and name of to be created secret.
SECRET_NS="default"
SECRET_NAME="azure-service-principal"
kubectl create secret generic $SECRET_NAME \
--from-literal=clientid=$SP_CLIENTID \
--from-literal=clientsecret=$SP_CLIENTSECRET \
--from-literal=tenantid=$TENANTID \
--namespace $SECRET_NS
