read-from-keyvault.md

File metadata and controls

39 lines (28 loc) · 1.71 KB

Read storage account key (or SAS token) from Azure Key Vault

Prerequisite

  1. Create an Azure Key Vault

  2. Store storage account key or SAS token as secret in Azure Key Vault.

  3. Ensure the service principal used by the cluster has the permissions it needs to read the secret from your Key Vault. If it does not, run the following commands (fill in the two variables first):

    # Grant the cluster's service principal access to the Key Vault
    aadclientid=       # appId of the cluster's service principal
    keyvaultname=      # name of the Key Vault created above
    
    # Reader on the vault resource itself (control plane)
    az role assignment create --role Reader --assignee $aadclientid --scope /subscriptions/<subscriptionid>/resourcegroups/<resourcegroup>/providers/Microsoft.KeyVault/vaults/$keyvaultname
    
    # Data-plane access policy. Reading a stored account key or SAS token only needs 'get' on secrets;
    # the key and certificate permissions are not required for this scenario and can be left out.
    az keyvault set-policy -n $keyvaultname --key-permissions get --spn $aadclientid
    az keyvault set-policy -n $keyvaultname --secret-permissions get --spn $aadclientid
    az keyvault set-policy -n $keyvaultname --certificate-permissions get --spn $aadclientid

  If the vault uses the Azure RBAC permission model instead of access policies, az keyvault set-policy does not apply; assign the built-in Key Vault Secrets User role to the service principal at the vault scope instead.
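The following script is added here as an example and is not part of the blob-csi-driver project. It carries the three prerequisite steps through with a narrower grant than the commands above: it stores a time-limited, read-only, container-scoped SAS token in the vault instead of the account key, grants the cluster's service principal only secret get on that vault, and then verifies as that principal that it can read exactly that one secret and nothing more. All variable values, the secret name blob-sas, the RUN_AZ guard and the SP_PASSWORD/TENANT_ID variables are placeholders or assumptions; kv_url assumes the public Azure cloud DNS suffix.

```shell
#!/bin/sh
# Added example (not from the blob-csi-driver repo): least-privilege version of the
# prerequisite steps. Every default below is a placeholder; replace before running.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"                                   # placeholder
KEYVAULT_NAME="${KEYVAULT_NAME:-my-kv}"                                     # placeholder
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-mystorageacct}"                         # placeholder
CONTAINER_NAME="${CONTAINER_NAME:-mycontainer}"                             # placeholder
SECRET_NAME="${SECRET_NAME:-blob-sas}"              # assumed value for keyVaultSecretName in the PV
AAD_CLIENT_ID="${AAD_CLIENT_ID:-00000000-0000-0000-0000-000000000001}"      # cluster SP appId
SAS_EXPIRY="${SAS_EXPIRY:-2030-01-01T00:00Z}"       # UTC; keep this short in practice and rotate

# ARM resource ID of the vault: the scope for the role assignment.
kv_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# Value for keyVaultURL in the PV (public-cloud DNS suffix; sovereign clouds use a different one).
kv_url() {
  printf 'https://%s.vault.azure.net' "$1"
}

provision() {
  # 1. Mint a read+list, HTTPS-only SAS scoped to one container with an expiry, instead of
  #    handing the driver the account key (which grants full control of every container).
  account_key=$(az storage account keys list --account-name "$STORAGE_ACCOUNT" \
                  --resource-group "$RESOURCE_GROUP" --query '[0].value' -o tsv)
  sas=$(az storage container generate-sas --account-name "$STORAGE_ACCOUNT" \
          --account-key "$account_key" --name "$CONTAINER_NAME" \
          --permissions rl --expiry "$SAS_EXPIRY" --https-only -o tsv)

  # 2. Store the SAS token as the secret the PV will reference by name.
  az keyvault secret set --vault-name "$KEYVAULT_NAME" --name "$SECRET_NAME" --value "$sas" -o none

  # 3. Grant the cluster's service principal only what reading that secret requires.
  az role assignment create --role Reader --assignee "$AAD_CLIENT_ID" \
     --scope "$(kv_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$KEYVAULT_NAME")" -o none
  # Access-policy vaults: secret 'get' only (no key/certificate permissions, no 'list').
  az keyvault set-policy -n "$KEYVAULT_NAME" --secret-permissions get --spn "$AAD_CLIENT_ID" -o none
  # Vaults on the Azure RBAC permission model: use this instead of set-policy.
  #   az role assignment create --role "Key Vault Secrets User" --assignee "$AAD_CLIENT_ID" \
  #      --scope "$(kv_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$KEYVAULT_NAME")"

  # 4. Verify as the service principal: the one secret is readable, enumeration is not.
  #    This switches the CLI login; SP_PASSWORD and TENANT_ID must be set in the environment.
  az login --service-principal -u "$AAD_CLIENT_ID" -p "$SP_PASSWORD" --tenant "$TENANT_ID" -o none
  az keyvault secret show --vault-name "$KEYVAULT_NAME" --name "$SECRET_NAME" --query id -o tsv
  if az keyvault secret list --vault-name "$KEYVAULT_NAME" -o none 2>/dev/null; then
    echo "unexpected: service principal can list secrets in $KEYVAULT_NAME" >&2
    return 1
  fi
  echo "keyVaultURL for the PV: $(kv_url "$KEYVAULT_NAME")"
}

# Only talk to Azure when explicitly asked, so the helpers can be sourced and checked offline.
if [ "${RUN_AZ:-0}" = "1" ]; then
  provision
fi
```

Run it with RUN_AZ=1 after exporting the variables for your environment. The SAS permissions rl are enough for a read-only blobfuse mount; add the write-side letters only if the workload needs them, and treat the expiry as the point at which the secret must be rotated (the PV picks up the current version when keyVaultSecretVersion is not pinned).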

Install Azure Blob Storage CSI driver on a Kubernetes cluster

Please refer to the Azure Blob Storage CSI driver install guide.

Create PV

  1. Download pv-blobfuse-csi-keyvault.yaml and edit keyVaultURL, keyVaultSecretName and containerName in the PV. keyVaultURL is the vault's URI (https://<keyvaultname>.vault.azure.net in the public cloud), and keyVaultSecretName is the name of the secret created in the prerequisites, whose value is the storage account key or SAS token itself.

keyVaultSecretVersion is an optional parameter. If it is not specified, the current version of the secret is used.

wget https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/pv-blobfuse-csi-keyvault.yaml
vi pv-blobfuse-csi-keyvault.yaml
kubectl apply -f pv-blobfuse-csi-keyvault.yaml

Create PVC

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/pvc-blob-csi-static.yaml