What is Azure Key Vault?
Azure Key Vault is a cloud service for securely storing and retrieving secrets. A secret is anything you want to tightly control access to, such as cryptographic keys, certificates, passwords, or API keys. The Key Vault service offers two container types: vaults and managed hardware security module (HSM) pools. Vaults can store software-protected and HSM-backed keys, secrets, and certificates. Managed HSM pools support only HSM-backed keys.
Azure Key Vault Secret Store extension for Kubernetes (“SSE”)
In Azure Arc-enabled Kubernetes clusters, retrieve secrets for offline access using the Secret Store extension.
The Azure Key Vault Secret Store extension for Kubernetes (“SSE”) automatically synchronizes secrets from an Azure Key Vault to an Azure Arc-enabled Kubernetes cluster for offline access. This means that even when your Kubernetes cluster is operating in a semi-disconnected state, you can still store, manage, and rotate your secrets in Azure Key Vault. Because synchronized secrets are kept in the cluster secret store, they can be used as Kubernetes secrets in all of the standard ways, such as being exposed as environment variables to a container in a pod or mounted as data volumes.
The SSE uses role-based access control (RBAC) policies, segregated namespaces and nodes, and restricted permissions for the secrets synchronizer to protect synchronized secrets, which are vital business assets. Encrypt your cluster’s Kubernetes secret store for added security.
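The advice to encrypt the cluster’s Kubernetes secret store refers to encryption at rest of Secret objects in etcd, which is where synchronized Key Vault secrets end up. The following is an added example, not from this page or from the Azure extension, of the kube-apiserver `EncryptionConfiguration` that enables it on a self-managed control plane (on a managed control plane this file is not under your control). The file path and the key value are placeholders; `secretbox` is one of the local providers Kubernetes documents, and a KMS provider is preferable where one is available.

```yaml
# Added example (not from the page): encrypt Secret objects at rest in etcd.
# Applies to a self-managed control plane where you control kube-apiserver flags.
# Assumed location; pass it with --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets        # synced Key Vault secrets land here as Kubernetes Secrets
    providers:
      # The first provider is used for writes; every listed provider is tried for reads.
      - secretbox:
          keys:
            - name: key1
              # Placeholder: generate a 32-byte key with  head -c 32 /dev/urandom | base64
              secret: <BASE64_ENCODED_32_BYTE_KEY>
      # identity (plaintext) stays last so Secrets written before encryption was
      # enabled can still be read. Rewrite them afterwards so they are stored encrypted:
      #   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
      - identity: {}
```

Once the API server has been restarted with this file, a Secret fetched directly from etcd should start with the `k8s:enc:secretbox:v1:key1:` prefix instead of plaintext, which is the check that confirms the setting took effect. Key rotation follows the same shape: add the new key first in the list, restart, rewrite all Secrets, then remove the old key.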
Azure Key Vault Secret Store Extension: Public Preview
Azure announced the Azure Key Vault Secret Store Extension (SSE) Public Preview for Arc-enabled on-premises Kubernetes, which includes both AKS-managed and self-connected clusters. For offline access, SSE automatically syncs secrets from an Azure Key Vault to the on-premises cluster. This means that even when your Kubernetes cluster is operating in a semi-disconnected state, you can still store, manage, and rotate your secrets in Azure Key Vault.
Principal Advantages
- Offline Access: Many clusters operating at the edge of production environments must be able to withstand intermittent connectivity. This includes maintaining access to secrets when a pod restarts or a cluster goes offline. Secrets that are kept in the Kubernetes secret store remain accessible to workloads.
- Standard K8s Secret Access: Secrets can be accessed through the Kubernetes API, environment variables, or volume mounts. Developers choose how to access secrets, and workloads and ingress controllers do not need to be modified to access Azure Key Vault.
- Security: To eliminate the need for cluster administrators to manually configure and restrict access, the Secret Store Extension (SSE) uses the most recent Kubernetes security features and runs with limited permissions. The Secret Store uses federated identities to access AKV, role-based access control (RBAC) policies, separated namespaces and nodes, and restricted permissions for the secrets synchronizer to protect synchronized secrets, which are vital corporate assets.
How to Use the Secret Store Extension
- Install the Secret Store Extension with configuration parameters like sync intervals on an Arc-enabled or AKS-managed on-premises cluster.
- Create a Kubernetes service account and federate it with an Azure managed identity that can read secrets from AKV.
- Create a secret provider class custom resource (CR) in the cluster with the Key Vault’s connection information.
- Create a secret sync custom resource (CR) in the cluster for each secret to synchronize.
- When the cluster’s CRs are applied, secrets will start synchronizing automatically at the default or chosen sync interval.
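The five steps above, worked through as one set of manifests. This is an added example, not from this page or from the Azure documentation: the extension-type value, the federated-credential subject format, the CR API versions, and every name, namespace, GUID and vault name below are assumptions to be checked against the current Azure docs before use. The Azure CLI steps (1 and the Azure side of 2) are shown as comments so the whole thing reads top to bottom.

```yaml
# Added example (not from the page or the Azure docs). All names are assumed.
#
# Step 1 (Azure CLI; the extension-type value is an assumption):
#   az k8s-extension create --cluster-name my-arc-cluster --resource-group my-rg \
#     --cluster-type connectedClusters --extension-type microsoft.azure.secretstore \
#     --name ssarcextension --configuration-settings rotationPollIntervalInSeconds=3600
#
# Step 2, Azure side: federate a managed identity with the service account below.
#   The subject is scoped to exactly one namespace/service-account pair, and the
#   identity gets only the "Key Vault Secrets User" role on this one vault.
#   az identity federated-credential create --name kv-sync --identity-name kv-reader-identity \
#     --resource-group my-rg --issuer "$OIDC_ISSUER_URL" \
#     --subject system:serviceaccount:payments:kv-sync-sa --audiences api://AzureADTokenExchange

# Step 2, cluster side: the service account the synchronizer runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kv-sync-sa
  namespace: payments            # a dedicated namespace, not default or kube-system
  annotations:
    azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"  # placeholder client ID
---
# Step 3: the secret provider class carries the vault connection details and the object list.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: payments-kv
  namespace: payments
spec:
  provider: azure
  parameters:
    clientID: "00000000-0000-0000-0000-000000000000"   # placeholder, same identity as above
    tenantId: "11111111-1111-1111-1111-111111111111"   # placeholder tenant ID
    keyvaultName: payments-kv-prod                      # assumed vault name
    cloudName: ""                                       # empty selects the Azure public cloud
    objects: |
      array:
        - |
          objectName: db-password                       # assumed secret name in the vault
          objectType: secret
---
# Step 4: one secret sync CR per Kubernetes Secret to materialize in the cluster store.
apiVersion: secret-sync.x-k8s.io/v1alpha1
kind: SecretSync
metadata:
  name: db-credentials
  namespace: payments
spec:
  serviceAccountName: kv-sync-sa
  secretProviderClassName: payments-kv
  secretObject:
    type: Opaque
    data:
      - sourcePath: db-password     # object name in the vault
        targetKey: password         # key inside the resulting Kubernetes Secret
```

Step 5 is `kubectl apply -f` on this file; the synchronizer then creates the Kubernetes Secret `db-credentials` in the `payments` namespace and refreshes it at the poll interval configured in step 1. Two checks are worth doing before workloads depend on it: `kubectl get secretsync -n payments` should report the sync as ready, and a Kubernetes RBAC `Role` in that namespace should limit `get`/`list` on Secrets to the service accounts that actually consume them, since a synced secret is only as protected as the namespace it lands in.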
Take a Look at the Secret Store Extension Now!
- Visit this documentation to get started.
- Give our team some feedback here.
Azure Key Vault cost
Select the Azure account that best suits your needs.
Try Azure for free for up to 30 days or pay as you go. You can cancel at any moment; there is no upfront obligation.
Azure free account
Ideal for exploring capabilities and proof of concept
- Only new Azure customers can access it.
- For a whole year, 20+ popular services are free each month (new Azure customers only).
- Free monthly amounts for more than 65 services that are always free
- Up to $200 in credit and free amounts, with access to the entire service catalog
- Spending protection: no charges will be made to your credit card
- No commitment up front—cancel at any moment
- After the 30-day period has passed or the credit has been used up, switch to pay-as-you-go pricing.
Pay as you go
Ideal for clients who are prepared to begin adding workloads.
- For a whole year, 20+ popular services are free each month (new Azure customers only).
- Free monthly amounts for more than 65 services that are always free
- Access to the entire service portfolio with no use restrictions
- Options for technical support
- No commitment up front—cancel at any moment
- No action is necessary to continue beyond 30 days.
Keep keys and other secrets safe and under control.
Azure subscribers can protect and manage the cryptographic keys and other secrets used by cloud apps and services with Azure Key Vault. Azure Key Vault offers two kinds of containers:
- Vaults store and manage cryptographic keys, secrets, certificates, and storage account keys.
- Managed HSM pools store and manage HSM-backed cryptographic keys.
Vaults
Vaults are offered in two service tiers—standard and premium.
| | Standard | Premium |
|---|---|---|
| Secrets operations | $0.03/10,000 transactions | $0.03/10,000 transactions |
| Certificate operations | Renewals: $3 per renewal request. All other operations: $0.03/10,000 transactions | Renewals: $3 per renewal request. All other operations: $0.03/10,000 transactions |
| Managed Azure Storage account key rotation (in preview) | Free during preview. General availability price: $1 per renewal | Free during preview. General availability price: $1 per renewal |
Software-protected keys
| | Standard | Premium |
|---|---|---|
| RSA 2,048-bit keys | $0.03/10,000 transactions | $0.03/10,000 transactions |
| Advanced key types: RSA 3,072-bit, RSA 4,096-bit, and Elliptic-Curve Cryptography (ECC) keys | $0.15/10,000 transactions | $0.15/10,000 transactions |
HSM-protected keys
| | Standard | Premium |
|---|---|---|
| RSA 2,048-bit keys | N/A | $1 per key per month + $0.03/10,000 transactions |
| Advanced key types: RSA 3,072-bit, RSA 4,096-bit, and Elliptic-Curve Cryptography (ECC) keys | N/A | First 250 keys: $5 per key per month; 251–1,500 keys: $2.50 per key per month; 1,501–4,000 keys: $0.90 per key per month; 4,001+ keys: $0.40 per key per month; plus $0.15/10,000 transactions |
Key Rotation
| | Standard | Premium |
|---|---|---|
| Automated key rotation | $1 per scheduled rotation | $1 per scheduled rotation |
Managed HSM Pools
| | Hourly usage fee per HSM pool |
|---|---|
| Standard B1 | $3.20 |