HOWTO: ESO and Azure Key Vault Secrets

Purpose: Configure ESO to consume secrets from Azure Key Vault with rotation lifecycle and Kubernetes Secret synchronisation.

Difficulty: Intermediate

Track: Security & Secrets


Overview

External Secrets Operator bridges Azure Key Vault and Kubernetes Secrets, enabling platform workloads to consume AKV-managed secrets without embedding credentials in manifests. This HOWTO covers both authentication paths (managed identity for Azure-hosted clusters, service principal for hybrid/on-prem), the SecretStore and ExternalSecret resource definitions, and the rotation lifecycle that keeps Kubernetes Secrets in sync as AKV versions change.


1. Authentication Configuration

  • Choose managed identity (preferred for Azure-hosted clusters) or service principal.
  • Configure the AKV access policy or RBAC assignment for the ESO identity.

2. SecretStore Definition

  • Create the SecretStore or ClusterSecretStore resource referencing the AKV vault URL.
  • Validate that the store's status reports a healthy provider connection before creating ExternalSecrets against it.

3. ExternalSecret Configuration

  • Define ExternalSecret resources mapping AKV secret names to Kubernetes Secret keys.
  • Set refreshInterval aligned with the rotation policy in ADR-0502.

4. Rotation Lifecycle Validation

  • Rotate a test secret in AKV.
  • Confirm the Kubernetes Secret is updated within the configured refresh interval.
  • Review ESO controller logs confirming the sync event.
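The four steps above, carried out as one added example script (not part of this HOWTO or of the External Secrets Operator project): it renders the SecretStore manifest for either authentication path, renders an ExternalSecret with an explicit refreshInterval, checks the store's Ready condition, and automates the rotation check from step 4. The vault URL and name, the namespace, the identity ids, the azure-sp-creds Secret, the db-password AKV secret, and the external-secrets deployment and namespace are assumed placeholders; the ESO field names (azurekv, authType, vaultUrl, authSecretRef, remoteRef) are the provider's real API.

```shell
#!/usr/bin/env sh
# Added example, not the HOWTO's or ESO's own code. Placeholders: VAULT_URL,
# NAMESPACE, CLIENT_ID, TENANT_ID, VAULT_NAME, the azure-sp-creds Secret,
# the db-password AKV secret and the external-secrets deployment name.
set -eu

VAULT_URL="${VAULT_URL:-https://example-vault.vault.azure.net}"  # placeholder
NAMESPACE="${NAMESPACE:-platform}"                                # placeholder

# Steps 1-2: SecretStore. AUTH is "mi" (managed identity, preferred on
# Azure-hosted clusters) or "sp" (service principal for hybrid/on-prem).
# The ESO identity only needs secret get/list on the vault; grant nothing more.
# For "sp", the client id/secret must already exist in a Kubernetes Secret
# named azure-sp-creds (keys ClientID and ClientSecret) in the same namespace.
render_secretstore() {
  name="$1"; auth="$2"
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: ${name}
  namespace: ${NAMESPACE}
spec:
  provider:
    azurekv:
      vaultUrl: ${VAULT_URL}
EOF
  case "$auth" in
    mi)
      echo '      authType: ManagedIdentity'
      # identityId selects a user-assigned identity; omit it for system-assigned
      if [ -n "${CLIENT_ID:-}" ]; then echo "      identityId: \"${CLIENT_ID}\""; fi
      ;;
    sp)
      cat <<EOF
      authType: ServicePrincipal
      tenantId: "${TENANT_ID:?set TENANT_ID for service principal auth}"
      authSecretRef:
        clientId:
          name: azure-sp-creds
          key: ClientID
        clientSecret:
          name: azure-sp-creds
          key: ClientSecret
EOF
      ;;
    *) echo "auth must be mi or sp" >&2; return 1 ;;
  esac
}

# Step 3: ExternalSecret mapping one AKV secret to one Kubernetes Secret key.
# refreshInterval is ESO's polling period; align it with the rotation policy
# (ADR-0502). A bare remoteRef.key is read as an AKV secret (not a key/cert).
render_externalsecret() {
  name="$1"; store="$2"; akv_secret="$3"; k8s_key="$4"; interval="$5"
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ${name}
  namespace: ${NAMESPACE}
spec:
  refreshInterval: ${interval}
  secretStoreRef:
    name: ${store}
    kind: SecretStore
  target:
    name: ${name}
    creationPolicy: Owner
  data:
    - secretKey: ${k8s_key}
      remoteRef:
        key: ${akv_secret}
EOF
}

# Step 2 check: prints the SecretStore's Ready condition ("True" when healthy).
store_ready() {
  kubectl -n "$NAMESPACE" get secretstore "$1" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
}

# Step 4: rotate a test secret in AKV, poll the Kubernetes Secret until it
# carries the new value (bounded by the refresh interval), then show ESO's log.
verify_rotation() {
  vault="$1"; akv_secret="$2"; k8s_secret="$3"; k8s_key="$4"; timeout_s="$5"
  new_value="rotation-test-$(date +%s)"
  az keyvault secret set --vault-name "$vault" --name "$akv_secret" --value "$new_value" >/dev/null
  elapsed=0; current=""
  while [ "$elapsed" -lt "$timeout_s" ]; do
    current=$(kubectl -n "$NAMESPACE" get secret "$k8s_secret" -o jsonpath="{.data.${k8s_key}}" | base64 -d)
    if [ "$current" = "$new_value" ]; then echo "synced after ${elapsed}s"; break; fi
    sleep 10; elapsed=$((elapsed + 10))
  done
  [ "$current" = "$new_value" ] || { echo "NOT synced within ${timeout_s}s" >&2; return 1; }
  # assumed default ESO install location: deployment external-secrets in namespace external-secrets
  kubectl -n external-secrets logs deploy/external-secrets --since=10m | grep -i "$k8s_secret"
}

# Usage: sh eso-akv.sh render [mi|sp]   prints the manifests only
#        sh eso-akv.sh apply  [mi|sp]   applies them, checks the store, runs the rotation test
if [ $# -gt 0 ]; then
  case "$1" in
    render) render_secretstore azure-kv "${2:-mi}"; echo '---'
            render_externalsecret db-creds azure-kv db-password password 1h ;;
    apply)  render_secretstore azure-kv "${2:-mi}" | kubectl apply -f -
            render_externalsecret db-creds azure-kv db-password password 1h | kubectl apply -f -
            [ "$(store_ready azure-kv)" = "True" ] || { echo "SecretStore not ready" >&2; exit 1; }
            verify_rotation "${VAULT_NAME:?set VAULT_NAME}" db-password db-creds password 3600 ;;
  esac
fi
```

The rotation check polls for at most the refresh interval (3600 s for the 1h example), so a failure means ESO did not pick up the new AKV version within the window the ExternalSecret promises; check the store's Ready condition and the identity's vault permissions first, since those are the usual causes.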

References


License: MIT-0 for code, CC-BY-4.0 for documentation unless otherwise stated.