Kubernetes secrets in .NET configuration, from Azure Key Vault


If you have a .NET app deployed in Azure Kubernetes, you will probably want to load your secrets from an Azure Key Vault, and you will probably arrive at this guide from MSDN - "Tutorial: Configure and run the Azure Key Vault provider for the Secrets Store CSI driver on Kubernetes":


After you manage to get everything working, this guide leaves you with being able to read the secrets in your Kubernetes pod, with commands like:

kubectl exec nginx-secrets-store-inline -- ls /mnt/secrets-store/


kubectl exec nginx-secrets-store-inline -- cat /mnt/secrets-store/secret1

But how can you easily load these secrets in your .NET app's configuration, and make them apply over the other appsettings?


It turns out that, after following the guide, your Kubernetes pod is able to connect to and get secrets from the key vault without supplying any other credentials, so you can use code like this:

// using Azure.Security.KeyVault.Secrets;
// using Azure.Identity;
// using Azure.Extensions.AspNetCore.Configuration.Secrets;

public static IHostBuilder CreateHostBuilder(string[] args) =>
        .ConfigureAppConfiguration((context, config) =>
            if (context.HostingEnvironment.IsProduction())
                var builtConfig = config.Build();
                var secretClient = new SecretClient(
                    new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
                    new DefaultAzureCredential());
                config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
        .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());

This code was taken from this page, you can read the linked section for more information: https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-5.0#use-managed-identities-for-azure-resources

One more thing I needed to do to make this work, I needed to give my pod's identity list rights to the key vault.

The guide is, at some point, giving get rights:

az keyvault set-policy -n contosoKeyVault5 --secret-permissions get --spn $clientId

So you need to also run:

az keyvault set-policy -n contosoKeyVault5 --secret-permissions list --spn $clientId

That's it.

I actually ended up not using entire parts of the guide, all those things with the Secrets Store CSI driver and the mounted volume; I just used the parts with creating the Azure identity, its associated Kubernetes resources, and giving it rights.

Author: Dan Dumitru
Last Edit: July 8, 2021
Last Edit July 8, 2021
Created July 8, 2021

Pay it forward!

Did this solution help you?
You can pay it forward and write a solution here yourself, when you have one, helping future Googlers like you... >> read more

Your Comment

Feel free to post additional info or improvement suggestions.
Optional, never shown, displays gravatar.

Formatting Tips

This editor uses Markdown to easily add code in your posts.

Triple backticks for full line(s) of code (or indent 4 spaces)

let foo = 'bar';

[link text](http://a.com)

*italic* **bold**

More Tips