Guide to sync Azure Key Vault secrets into AKS using External Secrets Operator with Workload Identity. Covers enabling OIDC, creating a user-assigned managed identity and federated credential, SecretStore and ExternalSecret configs, Key Vault RBAC, validation, and operational best practices.
Managing Kubernetes secrets manually is error-prone across namespaces and environments. Azure Key Vault can now be synced into AKS via External Secrets Operator with Workload Identity.
Main feature/change and impact
This approach uses a User-Assigned Managed Identity (UAMI) federated to a Kubernetes Service Account through the AKS OIDC issuer. ESO authenticates as that identity, reads secrets from Azure Key Vault and writes them into the cluster as Opaque Kubernetes Secrets. Where the synced Secret names match the ones applications already consume (including existing Rancher Secret names), no application change is needed; client credentials no longer have to be embedded in code or configuration, which reduces secret sprawl and operational risk.
Practical implications
Enable the OIDC issuer and workload identity on the AKS cluster. Create a UAMI, annotate a Service Account in the target namespace with azure.workload.identity/client-id set to the UAMI's clientId, and add a federated identity credential on the UAMI whose issuer is the cluster's OIDC issuer URL, whose subject is system:serviceaccount:<namespace>:<serviceaccount>, and whose audience is api://AzureADTokenExchange. Assign the Key Vault Secrets User role to the UAMI on the vault (the vault must use the Azure RBAC permission model rather than access policies for the role to take effect) and create an ESO SecretStore with authType WorkloadIdentity that references the Service Account. ExternalSecret resources then pull vault values into Kubernetes Secrets and re-sync them on the configured refreshInterval.
“No code change” strategy
The pattern removes client secrets from code and configuration entirely. An ExternalSecret can map individual vault secrets to keys so that existing Secret names are preserved, sync every vault secret whose name matches a regular expression (dataFrom.find), or sync the whole vault. Monitor ESO health and Secret creation with kubectl get secretstore and kubectl get externalsecret: a healthy store reports READY True, and a synced ExternalSecret reports STATUS SecretSynced. Tune refreshInterval to balance rotation latency against Key Vault throttling; a find-based sync lists the vault and then fetches every matching secret on each refresh, so many ExternalSecrets on short intervals multiply the request load. When a store never becomes ready, verify the federated credential's issuer, subject and audience against the cluster issuer URL and the Service Account (the subject is case-sensitive and must match exactly) and confirm the role assignment on the vault. Next steps: enable workload identity, deploy ESO, and test a sync in one small namespace. Validate the Service Account annotations, federated credential and Key Vault permissions before scaling the pattern out.
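The wiring described above, as an added example that is not code from the article or from the ESO project. Every name in it (the rg-aks-demo resource group, the aks-demo cluster, the kv-aks-demo vault, the payments namespace, the eso-workload-identity Service Account, the id-eso-payments identity, the payments-db-password vault secret and the payments- prefix) is an assumption chosen for illustration; the az and kubectl commands and the ESO fields are the real ones. The manifests use the external-secrets.io/v1beta1 API group; newer ESO releases serve the same fields under external-secrets.io/v1.

```shell
#!/usr/bin/env sh
# Added example, not from the article: wires ESO to Azure Key Vault through
# Workload Identity. Every name below (resource group, cluster, vault, namespace,
# service account, identity, secret names) is an assumption; override via env.
RG="${RG:-rg-aks-demo}"; CLUSTER="${CLUSTER:-aks-demo}"; LOCATION="${LOCATION:-westeurope}"
VAULT="${VAULT:-kv-aks-demo}"; NS="${NS:-payments}"
SA="${SA:-eso-workload-identity}"; UAMI="${UAMI:-id-eso-payments}"

# Subject AKS puts in the projected token for a service account. The federated
# credential must match it exactly (case-sensitive); a typo here is the usual
# cause of a SecretStore that never becomes Ready.
wi_subject() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# Troubleshooting check: compare a federated credential's issuer/subject/audience
# (e.g. from `az identity federated-credential show`) with what the cluster and
# service account actually present. Returns 0 only when all three match.
fic_matches() {
  fic_issuer=$1; fic_subject=$2; fic_audience=$3; cluster_issuer=$4; ns=$5; sa=$6
  [ "$fic_issuer" = "$cluster_issuer" ] &&
    [ "$fic_subject" = "$(wi_subject "$ns" "$sa")" ] &&
    [ "$fic_audience" = "api://AzureADTokenExchange" ]
}

# SecretStore plus two ExternalSecrets: an explicit mapping that keeps the Secret
# name the app already mounts, and a regex find that syncs every vault secret
# whose name starts with "payments-" into one Secret (one key per vault secret).
eso_manifests() {
  vault_url="https://$1.vault.azure.net"; ns=$2; sa=$3; refresh=${4:-1h}
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata: {name: azure-kv, namespace: $ns}
spec:
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: "$vault_url"
      serviceAccountRef: {name: $sa}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: {name: db-credentials, namespace: $ns}
spec:
  refreshInterval: $refresh
  secretStoreRef: {kind: SecretStore, name: azure-kv}
  target: {name: db-credentials, creationPolicy: Owner}
  data:
    - secretKey: password
      remoteRef: {key: payments-db-password}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: {name: payments-all, namespace: $ns}
spec:
  refreshInterval: $refresh
  secretStoreRef: {kind: SecretStore, name: azure-kv}
  target: {name: payments-all, creationPolicy: Owner}
  dataFrom:
    - find:
        name: {regexp: "^payments-"}
EOF
}

# The full procedure. Needs az (logged in) and kubectl; not run when sourced.
wi_setup() {
  az aks update -g "$RG" -n "$CLUSTER" --enable-oidc-issuer --enable-workload-identity
  ISSUER=$(az aks show -g "$RG" -n "$CLUSTER" --query oidcIssuerProfile.issuerUrl -o tsv)
  TENANT_ID=$(az account show --query tenantId -o tsv)
  az identity create -g "$RG" -n "$UAMI" -l "$LOCATION"
  CLIENT_ID=$(az identity show -g "$RG" -n "$UAMI" --query clientId -o tsv)
  PRINCIPAL_ID=$(az identity show -g "$RG" -n "$UAMI" --query principalId -o tsv)
  az identity federated-credential create -g "$RG" --identity-name "$UAMI" -n "eso-$NS" \
    --issuer "$ISSUER" --subject "$(wi_subject "$NS" "$SA")" --audiences api://AzureADTokenExchange
  # Least privilege: read-only on secrets, scoped to this one vault. Requires the
  # vault to use the Azure RBAC permission model rather than access policies.
  KV_ID=$(az keyvault show -n "$VAULT" --query id -o tsv)
  az role assignment create --assignee-object-id "$PRINCIPAL_ID" \
    --assignee-principal-type ServicePrincipal --role "Key Vault Secrets User" --scope "$KV_ID"
  kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f -
  kubectl create serviceaccount "$SA" -n "$NS" --dry-run=client -o yaml | kubectl apply -f -
  kubectl annotate serviceaccount "$SA" -n "$NS" --overwrite \
    "azure.workload.identity/client-id=$CLIENT_ID" "azure.workload.identity/tenant-id=$TENANT_ID"
  eso_manifests "$VAULT" "$NS" "$SA" 1h | kubectl apply -f -
  kubectl get secretstore,externalsecret -n "$NS"   # expect READY True / STATUS SecretSynced
}
```

Source the file and run wi_setup against a logged-in az session. wi_subject and fic_matches stand on their own for the troubleshooting step: feed them the issuer, subject and audience from az identity federated-credential show together with the cluster's oidcIssuerProfile.issuerUrl and the Service Account, and a non-zero exit pinpoints the mismatch before anything else is touched. The find-based ExternalSecret lists the vault and then reads every match on each refresh, which is why refreshInterval is an explicit parameter rather than left at the default.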
From the Microsoft Developer Community Blog articles
