Cloud Experts Documentation

Azure Key Vault CSI on Azure Red Hat OpenShift

Last edited
Published
Authors
Paul Czarkowski, 
Diana Sari, 
Charlotte Fung
Tags: ARO Miscellaneous

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

This document is adapted from the Azure Key Vault CSI Walkthroughexternal link (opens in new tab) specifically to run with Azure Red Hat OpenShift (ARO).

Prerequisites

  1. An ARO cluster
  2. The AZ CLI (logged in)
  3. The OC CLI (logged in)
  4. Helm 3.x CLI

Environment Variables

  1. Run this command to set some environment variables to use throughout

    Note if you created the cluster from the instructions linked above these will re-use the same environment variables, or default them to openshift and eastus.

Installing the Kubernetes Secret Store CSI

  1. Create an OpenShift Project to deploy the CSI into

  2. Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods)

  3. Add the Secrets Store CSI Driver to your Helm Repositories

  4. Update your Helm Repositories

  5. Install the secrets store csi driver

  6. Check that the Daemonsets is running

    You should see the following

  7. Add pod security profile label for CSI Driver

    This is required starting in OpenShift v4.13

Deploy Azure Key Store CSI

  1. Add the Azure Helm Repository

  2. Update your local Helm Repositories

  3. Install the Azure Key Vault CSI provider

  4. Set SecurityContextConstraints to allow the CSI driver to run

Create Keyvault and a Secret

  1. Create a namespace for your application

  2. Create an Azure Keyvault in your Resource Group that contains ARO

  3. Give your user account permissions to manage secrets in Key Vault

    Replace <your-email-address> with your actual value, which is your sign-in name.

  4. Create a secret in the Keyvault

  5. Create a Service Principal for the key Vault

    Note: If this gives you an error, you may need upgrade your Azure CLI to the latest version.

  6. Give the Service Principal permissions to use secrets in Key Vault

  7. Create and label a secret for Kubernetes to use to access the Key Vault

Deploy an Application that uses the CSI

  1. Create a Secret Provider Class to give access to this secret

  2. Create a Pod that uses the above Secret Provider Class

  3. Check the Secret is mounted

    Output should match:

  4. Print the Secret

    Output should match:

Cleanup

  1. Uninstall Helm

  2. Delete the app

  3. Delete the Azure Key Vault

  4. Delete the Service Principal

Uninstalling the Kubernetes Secret Store CSI

  1. Delete the secrets store csi driver

  2. Delete the SecurityContextConstraints

Back to top

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

GitHub Edit this page
Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now © 2026 Red Hat