Azure Kubernetes ingress can't access Key Vault's certificate

Giorgi Kurdadze 0 Reputation points
2023-11-13T16:40:27.4233333+00:00

Okay, I have Azure Kubernetes Service with a running dockerized app, with ingress (I used "creating ingress (preview)").
Everything works fine except the certificate. I created a Key Vault and uploaded the certificate to use for the domain. I have "Azure role-based access control (recommended)" checked; in access control I added my cluster in roles like this: Assign access to Managed identity > cluster > role => "Key Vault Certificates Officer".

From the terminal I can access that certificate; I checked everything and all is OK, but it just keeps saying

Error getting SSL certificate "default/keyvault-ingress": local SSL certificate default/keyvault-ingress was not found. Using default certificate

and running this: kubectl describe ingress django-ingress -n default, I get

Warning  FailedMount  9m9s  aks-app-routing-operator  MountVolume.SetUp failed for volume "secrets" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod default/keyvault-ingress-dvljx, err: rpc error: code = Unknown desc = failed to mount objects, error: failed to get objectType:secret, objectName:keyvault-ingress, objectVersion:: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=64131d23-3521-43b2-b65e;oid=4f40e8b1-d304-4c31;iss=https://sts.windows.net/91837362-3258/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/SUB/resourcegroups/myresource/providers/microsoft.keyvault/vaults/keyvaults/secrets/keyvault-ingress'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: GAKEY;location=eastus\r\n" InnerError={"code":"ForbiddenByRbac"}

I even granted Owner as a role to that cluster in that Key Vault, but with no success, and when I change the permission model to Vault access policy, it starts working.

Azure Role-based access control
Azure Kubernetes Service (AKS)
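The FailedMount event above carries everything needed to diagnose a Key Vault RBAC denial: the principal that actually called the vault (the oid in the Caller line), the data action it needed, and the decision reason. The following is an added example, not code from the question or the answer: it parses a message of that shape and checks the denied action against an excerpt of the Key Vault built-in role definitions. The sample message is constructed with placeholder GUIDs; the role table is an excerpt of the built-in roles as I know them and should be confirmed against `az role definition list --name "<role>"` before relying on it.

```python
"""Parse a Key Vault 403 'ForbiddenByRbac' body and check which roles grant the denied data action."""
import re
from fnmatch import fnmatchcase

# Constructed sample (placeholder GUIDs), shaped like the FailedMount error in the question.
# kubectl prints the line breaks escaped as \r\n, so the parser accepts both escaped and real ones.
SAMPLE_ERROR = (
    'Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\\r\\n'
    "If role assignments, deny assignments or role definitions were changed recently, "
    "please observe propagation time.\\r\\n"
    "Caller: appid=11111111-1111-1111-1111-111111111111;"
    "oid=22222222-2222-2222-2222-222222222222;"
    "iss=https://sts.windows.net/33333333-3333-3333-3333-333333333333/\\r\\n"
    "Action: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\\r\\n"
    "Resource: '/subscriptions/SUB/resourcegroups/myresource/providers/microsoft.keyvault"
    "/vaults/keyvaults/secrets/keyvault-ingress'\\r\\n"
    "Assignment: (not found)\\r\\nDenyAssignmentId: null\\r\\n"
    "DecisionReason: 'DeniedWithNoValidRBAC' \\r\\nVault: GAKEY;location=eastus\\r\\n\" "
    'InnerError={"code":"ForbiddenByRbac"}'
)

# Excerpt of the DataActions of Azure built-in roles (assumption: copied from the role
# definitions as published; verify with `az role definition list --name "<role>"`).
# Owner and Contributor are listed with no DataActions on purpose: they are control-plane roles.
ROLE_DATA_ACTIONS = {
    "Owner": [],
    "Contributor": [],
    "Key Vault Certificates Officer": [
        "Microsoft.KeyVault/vaults/certificatecas/*",
        "Microsoft.KeyVault/vaults/certificates/*",
        "Microsoft.KeyVault/vaults/certificatecontacts/write",
    ],
    "Key Vault Secrets User": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
    ],
    "Key Vault Secrets Officer": ["Microsoft.KeyVault/vaults/secrets/*"],
    "Key Vault Administrator": ["Microsoft.KeyVault/vaults/*"],
}


def parse_kv_forbidden(text: str) -> dict:
    """Extract the structured fields Key Vault puts into its RBAC denial message."""
    body = text.replace("\\r\\n", "\n").replace("\r\n", "\n")

    def grab(pattern):
        m = re.search(pattern, body, re.M)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.groups() if m.re.groups > 1 else m.group(1)

    appid, oid, issuer = grab(r"^Caller: appid=([^;]+);oid=([^;]+);iss=(\S+)$")
    resource = grab(r"^Resource: '([^']+)'$")
    vault, location = grab(r"^Vault: ([^;]+);location=(\S+)$")
    return {
        "appid": appid, "oid": oid, "issuer": issuer,
        "action": grab(r"^Action: '([^']+)'$"),
        "resource": resource,
        "object_name": resource.rsplit("/", 1)[-1],   # last path segment is the secret name
        "assignment": grab(r"^Assignment: (.+)$").strip(),
        "decision": grab(r"^DecisionReason: '([^']+)'"),
        "vault": vault, "location": location,
    }


def role_covers(role: str, action: str) -> bool:
    """True if one of the role's DataActions patterns matches the action ('*' spans '/' segments)."""
    return any(fnmatchcase(action, pattern) for pattern in ROLE_DATA_ACTIONS[role])


def roles_granting(action: str) -> list:
    """All roles in the table whose DataActions cover the action, least-privileged first."""
    return [role for role in ROLE_DATA_ACTIONS if role_covers(role, action)]


def diagnose(text: str, assigned_roles) -> dict:
    """Explain a denial: who was denied, what it needed, and whether the assigned roles could ever grant it."""
    info = parse_kv_forbidden(text)
    action = info["action"]
    return {
        "principal_oid": info["oid"],                 # assign the role to THIS object id
        "object": f"{info['vault']}/{info['object_name']}",
        "action": action,
        "decision": info["decision"],
        "assigned_roles_that_cover_it": [r for r in assigned_roles if role_covers(r, action)],
        "roles_that_would_work": roles_granting(action),
    }


if __name__ == "__main__":
    # The roles the question says were assigned: neither has a DataAction under secrets/.
    for key, value in diagnose(SAMPLE_ERROR, ["Key Vault Certificates Officer", "Owner"]).items():
        print(f"{key}: {value}")
```

Three things the output makes visible. The denied action is under `secrets/`, because the private key of a Key Vault certificate is fetched through the secrets endpoint, so a role whose DataActions all live under `certificates/` never matches it. Owner has no DataActions at all; under the "Azure role-based access control" permission model a data-plane check is only satisfied by a data-plane role, which is why switching to the access-policy model (which ignores Azure RBAC) makes the same request succeed. And the principal to assign the role to is the oid in the Caller line, which is the identity of the component doing the mount rather than whatever "cluster" identity the portal offered; the least-privileged fit for this action is Key Vault Secrets User. For the app routing add-on specifically, the AKS documentation grants that role to the add-on's identity with `az aks approuting update --resource-group <rg> --name <cluster> --enable-kv --attach-kv <key vault resource ID>`, and a role assignment can be confirmed afterwards with `az role assignment list --assignee <oid> --scope <key vault resource ID>`.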

1 answer

  1. Patricia Silva 0 Reputation points Microsoft Employee
    2024-05-08T09:49:50.1333333+00:00

    Hi,

    In AKS, in order to use secrets/certificates from Key Vault, you can consider using the Key Vault Secrets Store provider available here: https://video2.skills-academy.com/en-gb/azure/aks/csi-secrets-store-driver
    This allows you to mount the secrets in your applications, reading them directly from the Key Vault.
