
I am trying to use the secret store component with Azure Key Vault in my Azure Kubernetes cluster. I set up everything exactly following "https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/", but I am not able to retrieve the secrets. When I change the secret store to a local file or Kubernetes secrets, everything works fine. With Azure Key Vault I am getting the following error:

{
"errorCode": "ERR_SECRET_GET",
"message": "failed getting secret with key {keyName} from secret store {storename}: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://{vault url}/secrets/{secret key}/?api-version=2016-10-01: StatusCode=404 -- Original Error: adal: Refresh request failed. Status Code = '404'. Response body: getting assigned identities for pod {podname} in CREATED state failed after 16 attempts, retry duration [5]s. Error: <nil>\n"
}

I verified that the client secret I am using is correct. Can anyone please point me in the right direction?

LiveSK

1 Answer

The error indicates that the service principal does not have access to get the secrets from the key vault.

You can use a System Assigned Managed Identity for the AKS pod and add the access policy to read the key vault secrets.

Also, you can use a Service Principal with an access policy to read the key vault secrets, or the Key Vault Crypto Officer role, so that you can fetch the key vault secrets.

Reference: Azure Key Vault secret store | Dapr Docs

RamaraoAdapa
  • I tried to bash into the AKS pod and then curl to get the OAuth token and secret using the same service principal, and I was able to get it. It's just not working with Dapr. – LiveSK Dec 29 '21 at 21:32
  • Have you tried this: https://docs.dapr.io/developing-applications/integrations/azure/authenticating-azure/ – RamaraoAdapa Dec 30 '21 at 04:42
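As an added illustration (not part of the question or the answer above), here are the two Dapr component manifests that correspond to the authentication paths the answer describes: a service principal whose client secret is kept in a Kubernetes Secret, and a system-assigned managed identity. Metadata keys follow the documented secretstores.azure.keyvault component; vault name, tenant id, client id and the Kubernetes secret name/key are placeholders. Apply one variant or the other, not both.

```yaml
# Added example, not from the original post. Bracketed values are placeholders.

# Variant A: service principal with client secret.
# The secret is referenced from a Kubernetes Secret via secretKeyRef rather
# than inlined in the manifest, so it never lands in the component YAML.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "[your-keyvault-name]"
  - name: azureTenantId
    value: "[your-tenant-id]"
  - name: azureClientId
    value: "[your-sp-client-id]"
  - name: azureClientSecret
    secretKeyRef:
      name: "[k8s-secret-name]"   # e.g. created with kubectl create secret generic
      key: "[k8s-secret-key]"
auth:
  secretStore: kubernetes          # where Dapr resolves secretKeyRef entries
---
# Variant B: system-assigned managed identity.
# No client id or client secret is supplied; Dapr authenticates with the
# identity attached to the AKS workload. That identity must be granted the
# Get (and, for listing, List) secret permission in the vault's access
# policy, or the equivalent Azure RBAC role, or reads fail with 403/404.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "[your-keyvault-name]"
```

Once the sidecar is running, a read such as `curl http://localhost:3500/v1.0/secrets/azurekeyvault/[secret-name]` from inside the app container confirms whether the chosen identity can actually reach the vault.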