If you’re more comfortable using the Azure CLI, here’s how to set up an AKS cluster with Azure Key Vault integration using the Secrets Store CSI Driver, along with OIDC (OpenID Connect) support and Workload Identity. This is especially useful for secure, production-grade Kubernetes deployments.
✅ Step 1: Create an Azure Resource Group
az group create --name keyvault-demo --location eastus
This creates a logical container for your AKS resources.
🚀 Step 2: Create the AKS Cluster with Workload Identity and Azure Key Vault Integration
az aks create \
--name keyvault-demo-cluster \
--resource-group keyvault-demo \
--node-count 1 \
--enable-addons azure-keyvault-secrets-provider \
--enable-oidc-issuer \
--enable-workload-identity
⚙️ Explanation of Flags:
--enable-addons azure-keyvault-secrets-provider: Installs the Secrets Store CSI driver and the Azure Key Vault provider addon.
--enable-oidc-issuer: Enables the cluster's OIDC issuer URL, which federated identity credentials use to authenticate securely.
--enable-workload-identity: Activates Azure Workload Identity (the replacement for AAD Pod Identity).
🔐 Step 3: Get AKS Credentials for kubectl
az aks get-credentials \
--resource-group keyvault-demo \
--name keyvault-demo-cluster
This updates your local kubeconfig so you can interact with the new cluster.
🔍 Step 4: Verify CSI Driver and Azure Provider Pods
Make sure everything is running correctly:
kubectl get pods -n kube-system -l 'app in (secrets-store-csi-driver,secrets-store-provider-azure)' -o wide
You should see pods like:
secrets-store-csi-driver-*
secrets-store-provider-azure-*
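The four steps above as one re-runnable script, added here as an example and not part of the original post. It assumes the Azure CLI and kubectl are installed and `az login` has already been run; the resource group, cluster and region names default to the ones used in this post and can be overridden with environment variables. The two checks that do not need a live cluster (pod status parsing and the OIDC issuer URL shape) are kept as pure functions so they can be exercised on constructed input.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-4 wrapped in one
# idempotent script with post-checks. Assumes az and kubectl are installed
# and `az login` has been run. Names default to the post's own values.
set -eu

RG="${RG:-keyvault-demo}"
CLUSTER="${CLUSTER:-keyvault-demo-cluster}"
LOCATION="${LOCATION:-eastus}"
CSI_SELECTOR='app in (secrets-store-csi-driver,secrets-store-provider-azure)'

# Step 1: resource group (az group create is idempotent).
create_resource_group() {
  az group create --name "$RG" --location "$LOCATION" --output none
}

# Step 2: cluster with the Key Vault addon, OIDC issuer and Workload Identity.
# Skipped when the cluster already exists, so the script can be re-run safely.
create_cluster() {
  if az aks show --resource-group "$RG" --name "$CLUSTER" --output none 2>/dev/null; then
    echo "cluster $CLUSTER already exists, skipping create"
    return 0
  fi
  az aks create \
    --name "$CLUSTER" \
    --resource-group "$RG" \
    --node-count 1 \
    --enable-addons azure-keyvault-secrets-provider \
    --enable-oidc-issuer \
    --enable-workload-identity \
    --output none
}

# Step 3: merge the cluster credentials into the local kubeconfig.
get_credentials() {
  az aks get-credentials --resource-group "$RG" --name "$CLUSTER" --overwrite-existing
}

# Pure check used by step 4: reads "NAME STATUS" lines (one pod per line) and
# succeeds only if at least one driver pod and one provider pod are listed and
# every listed pod is Running. No az/kubectl calls, so it runs on sample input.
check_csi_pods() {
  printf '%s\n' "$1" | awk '
    /^secrets-store-csi-driver-/     { drivers++;   if ($2 != "Running") bad++ }
    /^secrets-store-provider-azure-/ { providers++; if ($2 != "Running") bad++ }
    END { if (drivers > 0 && providers > 0 && bad == 0) exit 0; exit 1 }'
}

# Pure check for the --enable-oidc-issuer flag: the issuer the cluster reports
# must be an https URL, otherwise no federated credential can be bound to it.
check_issuer_url() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Step 4: live verification against the cluster.
verify_cluster() {
  pods=$(kubectl get pods -n kube-system -l "$CSI_SELECTOR" \
           --no-headers -o custom-columns=NAME:.metadata.name,STATUS:.status.phase)
  check_csi_pods "$pods" || { echo "CSI driver/provider pods not all Running:"; echo "$pods"; return 1; }
  issuer=$(az aks show --resource-group "$RG" --name "$CLUSTER" \
             --query oidcIssuerProfile.issuerUrl --output tsv)
  check_issuer_url "$issuer" || { echo "OIDC issuer not enabled on $CLUSTER"; return 1; }
  echo "OK: CSI pods Running, OIDC issuer: $issuer"
}

# Only touch Azure when explicitly asked:  sh setup-aks-keyvault.sh apply
if [ "${1:-}" = "apply" ]; then
  create_resource_group
  create_cluster
  get_credentials
  verify_cluster
fi
```

Run it with `sh setup-aks-keyvault.sh apply`; without the `apply` argument it only defines the functions, which makes the two pure checks easy to test on their own. The issuer URL printed at the end is the value you will need when creating a federated identity credential for a workload identity.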
🔐 Bonus: Why Use Azure Key Vault with AKS?
- Centralized Secrets Management
- Automatic Secret Rotation
- No Secrets Embedded in Application Code
- Secure Identity Binding with Workload Identity
This setup is cloud-native, secure, and production-ready.