Securely access Azure Key Vault secrets from a Python application running in Azure Kubernetes Service (AKS) using Microsoft Entra Workload Identity (federated identity).
- Native Kubernetes support with Entra Workload Identity
- Fine-grained, per-pod identity access to Key Vault
- Python SDK integration (
azure-identity,azure-keyvault-secrets) - Dockerized application
- Kubernetes YAML deployment with secure identity annotation
aks-keyvault-python/
βββ app.py # Python script to fetch Key Vault secret
βββ Dockerfile # Docker build for the app
βββ serviceaccount.yaml # Kubernetes SA annotated with client ID
βββ deployment.yaml # Deployment pointing to container image
βββ HOWTO.md # Full CLI walkthrough with setup and teardown
βββ README.md # Project overview and quick start guide
- Azure CLI (
az) - Docker & kubectl
aks-previewextension installed- Azure subscription with Owner role
git clone https://github.com/<your-org>/aks-keyvault-python.git
cd aks-keyvault-python
docker build -t <acr>.azurecr.io/kv-reader:v1 .
docker push <acr>.azurecr.io/kv-reader:v1kubectl apply -f serviceaccount.yaml
kubectl apply -f deployment.yaml- AKS is created with OIDC issuer + workload identity
- A user-assigned managed identity is federated to a Kubernetes ServiceAccount
- Python app uses
DefaultAzureCredential()which detects the projected token and authenticates to Azure - Secret is pulled from Key Vault and logged in the pod
See HOWTO.md for:
- CLI commands to create the AKS cluster, managed identity, federated credentials
- Key Vault setup and RBAC config
- ACR build & deployment
- Cleanup commands
az group delete --name <resource-group> --yes --no-waitMIT License β free to use and modify.