secrets-store-csi-driver-provider-azure: The key vault is not accessible in the deployment

I have gone through the standard walkthrough mentioned in the README of this repo. Link

The key vault is not accessible


PS C:\Users\UReddy> kubectl get pods
NAME                                                              READY   STATUS              RESTARTS   AGE
aad-pod-identity-mic-5f6576748f-68qgq                             1/1     Running             0          9h
aad-pod-identity-mic-5f6576748f-dxqbg                             1/1     Running             0          9h
aad-pod-identity-nmi-4xz5l                                        0/1     CrashLoopBackOff    122        9h
busybox-secrets-store-inline                                      0/1     ContainerCreating   0          3m32s
csi-secrets-store-provider-azure-1627329606-secrets-store-dkm89   3/3     Running             0          10h
csi-secrets-store-provider-azure-1627329606-v8scd                 1/1     Running             0          10h
nginx-secrets-store-inline                                        0/1     ContainerCreating   0          9h

All the versions are the latest, as I ran the commands this morning after creating a new cluster.


kind: Pod
apiVersion: v1
metadata:
  name: busybox-secrets-store-inline
spec:
  containers:
  - name: busybox
    image: k8s.gcr.io/e2e-test-images/busybox:1.29
    command:
      - "/bin/sleep"
      - "10000"
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-kvname"
        nodePublishSecretRef:                       # Only required when using service principal mode
          name: secrets-store-creds                 # Only required when using service principal mode
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
  namespace: default
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "false"
    userAssignedIdentityID: ""
    keyvaultName: "mykeytestingerwin"
    objects: |
      array:
        - |
          objectName: secret1
          objectType: secret
          objectVersion: ""
    tenantId: "<mytenantid>"

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 29 (13 by maintainers)

Most upvoted comments

E0727 20:33:38.607864       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:default:secrets-store-csi-driver" cannot list resource "secrets" in API group "" at the cluster scope

@ukreddy-erwin The sync secret feature isn’t enabled. This is part of our troubleshooting guide: https://azure.github.io/secrets-store-csi-driver-provider-azure/troubleshooting/#failed-to-create-kubernetes-secret-errsecrets-is-forbidden-user-systemserviceaccountdefaultsecrets-store-csi-driver-cannot-create-resource-secrets-in-api-group--in-the-namespace-default and install instructions for sync secret feature: https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/sync-with-k8s-secrets/#how-to-sync-mounted-content-with-kubernetes-secret.

Please upgrade your helm release with --set secrets-store-csi-driver.syncSecret.enabled=true.
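The reflector error quoted above is a standard Kubernetes RBAC denial: the apiserver names the subject, the verb, the resource, the API group and the scope it refused. The script below is an added example (not code from this issue or from the provider project) that parses such denials out of driver log lines and maps the one case the maintainer's answer covers, the `secrets-store-csi-driver` service account being refused access to core-group `secrets`, onto the fix of enabling the sync-secret feature in the Helm release. The first sample line is the one quoted in the issue; the other sample lines, the `<release>`/`<chart>` placeholders in the upgrade command, and the `--reuse-values` flag on it are assumptions added for the example.

```python
"""Triage RBAC 'forbidden' errors found in secrets-store-csi-driver logs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Kubernetes RBAC denial as the apiserver phrases it. The scope is either
# "at the cluster scope" (e.g. a list/watch across namespaces) or one namespace.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

# Service account name taken from the log line quoted in the issue.
DRIVER_SA_NAME = "secrets-store-csi-driver"

# Fix from the maintainer's answer; release/chart names are placeholders (assumption).
SYNC_SECRET_FIX = (
    "helm upgrade <release> <chart> --reuse-values "
    "--set secrets-store-csi-driver.syncSecret.enabled=true"
)

# Constructed sample log lines: [0] is the line quoted in the issue, [1] is the
# namespace-scoped "create" variant the troubleshooting guide's title describes,
# [2] is an unrelated denial and [3] is an ordinary info line (both made up).
SAMPLE_LOGS = [
    'E0727 20:33:38.607864       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/'
    'tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: '
    'secrets is forbidden: User "system:serviceaccount:default:secrets-store-csi-driver" '
    'cannot list resource "secrets" in API group "" at the cluster scope',
    'failed to create kubernetes secret: secrets is forbidden: User '
    '"system:serviceaccount:default:secrets-store-csi-driver" cannot create resource '
    '"secrets" in API group "" in the namespace "default"',
    'configmaps is forbidden: User "system:serviceaccount:kube-system:other-controller" '
    'cannot get resource "configmaps" in API group "" in the namespace "kube-system"',
    'I0727 20:33:38.000000       1 main.go:10] starting controller',
]


@dataclass(frozen=True)
class RbacDenial:
    user: str
    verb: str
    resource: str
    api_group: str            # "" is the core group (secrets, configmaps, ...)
    namespace: Optional[str]  # None means the denial was at cluster scope

    def service_account(self) -> Optional[Tuple[str, str]]:
        """Split 'system:serviceaccount:<ns>:<name>' into (ns, name)."""
        parts = self.user.split(":")
        if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
            return parts[2], parts[3]
        return None


def parse_rbac_denial(line: str) -> Optional[RbacDenial]:
    """Return the denial embedded in a log line, or None if the line has none."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    return RbacDenial(m["user"], m["verb"], m["resource"], m["group"], m["namespace"])


def remediation(denial: RbacDenial) -> str:
    """Map a denial onto an action; only the driver-vs-secrets case is known here."""
    sa = denial.service_account()
    if sa and sa[1] == DRIVER_SA_NAME and denial.resource == "secrets" and denial.api_group == "":
        # Any verb on core "secrets" by the driver SA: sync-secret RBAC is missing.
        return SYNC_SECRET_FIX
    return f"unclassified: review RBAC bindings for {denial.user}"


def triage(lines: List[str]) -> List[Tuple[RbacDenial, str]]:
    """Parse every line; lines that carry no RBAC denial are dropped."""
    results = []
    for line in lines:
        denial = parse_rbac_denial(line)
        if denial is not None:
            results.append((denial, remediation(denial)))
    return results


if __name__ == "__main__":
    for denial, fix in triage(SAMPLE_LOGS):
        scope = denial.namespace or "<cluster>"
        print(f"{denial.user} denied {denial.verb} {denial.resource} in {scope}: {fix}")
```

The namespace-scoped `create` denial is handled the same way as the cluster-scoped `list` denial because the sync-secret feature needs both: the driver lists and watches secrets cluster-wide and creates them in the pod's namespace, and the chart only binds those permissions when `syncSecret.enabled` is set.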