Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

MountVolume.SetUp failed for volume #119

Closed sukruthakittur closed 4 years ago

sukruthakittur commented 4 years ago

MountVolume.SetUp failed for volume "kv-vol" : mount command failed, status: Failure, reason: /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume failed, The client 'abc' with object id 'abc' does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope '/subscriptions/subscriptionID/resourceGroups/RSC-GRP/providers/Microsoft.KeyVault/vaults/some-vault' or the scope is invalid. If access was recently granted, please refresh your credentials.

Steps To Reproduce

  1. Add secret like below to Kube kubectl create secret generic kvcreds --from-literal clientid=123 --from-literal clientsecret=456 --type=azure/kv

  2. Deploy flex using the secrets from the above step (kvcreds) kubectl create -f deployment/nginx-flex-kv.yaml

Expected behavior

Should create the mount. My confusion is around the error message: the error says "The client 'abc' with object id 'abc' does not have authorization to perform action". However, I used a different client ID ("123") to add the secret. What am I missing here?

Key Vault FlexVolume version

LATEST

Access mode: service principal or pod identity

Service Principal

Kubernetes version

Client Version: v1.13.2 Server Version: v1.13.7

Additional context

ritazh commented 4 years ago

Hi @sukruthakittur, the client and object id in the error message returned by Azure are the object id of the service principal, not to be confused with the clientid (also known as appId) and the clientsecret of the service principal. You can get the objectId of the service principal via az ad sp list --spn <CLIENT ID> or via the portal.

To fix this issue, can you please make sure you have completed the following steps to give your SP READ access to the keyvault instance and the keyvault objects you want to get?

# Assign Reader Role to the service principal for your keyvault
az role assignment create --role Reader --assignee <principalid> --scope /subscriptions/<subscriptionid>/resourcegroups/<resourcegroup>/providers/Microsoft.KeyVault/vaults/<keyvaultname>

az keyvault set-policy -n $KV_NAME --key-permissions get --spn <YOUR SPN CLIENT ID>
az keyvault set-policy -n $KV_NAME --secret-permissions get --spn <YOUR SPN CLIENT ID>
az keyvault set-policy -n $KV_NAME --certificate-permissions get --spn <YOUR SPN CLIENT ID>
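
As an added example (this is not code from the issue, from ritazh, or from the kubernetes-keyvault-flexvol project), the following Python script applies the explanation above to a mount error: it extracts the object id, action and scope from the kubelet message, compares that object id with the one returned by az ad sp list --spn <CLIENT ID> for the service principal whose clientid is stored in the kvcreds secret, and emits the exact grant commands for that vault. The GUIDs, the error text and the az JSON are constructed sample data embedded in the script; the script does not call az itself. The assumption that newer Azure CLI versions report the object id under "id" rather than "objectId" is mine, not something the thread states.

```python
"""
Added example, not part of the kubernetes-keyvault-flexvol project.

Diagnoses the "does not have authorization to perform action
'Microsoft.KeyVault/vaults/read'" FlexVolume mount error. The error names
the service principal's OBJECT id, not the clientid/appId stored in the
Kubernetes secret, so the first check is whether the object id in the error
really belongs to the SP whose clientid you handed to the FlexVolume. If it
does not, the volume is authenticating as some other principal (e.g. a stale
or wrong secret referenced by the pod) and granting the object id from the
error would give access to the wrong identity.
"""
import json
import re

# Constructed sample: what kubelet reports in `kubectl describe pod`.
MOUNT_ERROR = (
    'MountVolume.SetUp failed for volume "kv-vol" : mount command failed, '
    "status: Failure, reason: /etc/kubernetes/volumeplugins/azure~kv/"
    "azurekeyvault-flexvolume failed, "
    "The client '11111111-1111-1111-1111-111111111111' with object id "
    "'11111111-1111-1111-1111-111111111111' does not have authorization to "
    "perform action 'Microsoft.KeyVault/vaults/read' over scope "
    "'/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
    "RSC-GRP/providers/Microsoft.KeyVault/vaults/some-vault' "
    "or the scope is invalid."
)

# Constructed sample: output of `az ad sp list --spn <CLIENT ID> -o json` for
# the SP whose clientid is in the `kvcreds` secret. Older CLI releases emit
# "objectId"; newer ones emit "id" (assumption: handle both keys).
AZ_SP_LIST_OUTPUT = json.dumps([{
    "appId": "22222222-2222-2222-2222-222222222222",
    "objectId": "11111111-1111-1111-1111-111111111111",
    "displayName": "flexvol-reader",
}])

ERROR_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)


def parse_mount_error(text):
    """Return client, object_id, action and scope from the ARM auth error."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("not a Key Vault authorization error")
    return m.groupdict()


def sp_identity(az_sp_list_json):
    """Return (appId, objectId) for the single SP returned by `az ad sp list`."""
    sps = json.loads(az_sp_list_json)
    if len(sps) != 1:
        raise ValueError(f"expected exactly one service principal, got {len(sps)}")
    sp = sps[0]
    return sp["appId"], (sp.get("objectId") or sp["id"])


def diagnose(mount_error, az_sp_list_json):
    """Compare the object id in the error with the SP behind the clientid."""
    err = parse_mount_error(mount_error)
    app_id, object_id = sp_identity(az_sp_list_json)
    return {
        "object_id_in_error": err["object_id"],
        "app_id_of_secret_sp": app_id,
        "object_id_of_secret_sp": object_id,
        # GUID comparison is case-insensitive; Azure returns them lowercase.
        "same_principal": err["object_id"].lower() == object_id.lower(),
        "action": err["action"],
        "scope": err["scope"],
    }


def grant_commands(object_id, app_id, scope):
    """Least-privilege grant for the FlexVolume: Reader on the vault resource
    (management plane) plus 'get' on each object type (data plane). The role
    assignment takes the object id; set-policy --spn takes the appId."""
    vault_name = scope.rsplit("/", 1)[-1]
    return [
        f"az role assignment create --role Reader --assignee {object_id} --scope {scope}",
        f"az keyvault set-policy -n {vault_name} --secret-permissions get --spn {app_id}",
        f"az keyvault set-policy -n {vault_name} --key-permissions get --spn {app_id}",
        f"az keyvault set-policy -n {vault_name} --certificate-permissions get --spn {app_id}",
    ]


if __name__ == "__main__":
    result = diagnose(MOUNT_ERROR, AZ_SP_LIST_OUTPUT)
    print(json.dumps(result, indent=2))
    if result["same_principal"]:
        print("\nRun the following to grant the FlexVolume SP read access:")
        for cmd in grant_commands(result["object_id_of_secret_sp"],
                                  result["app_id_of_secret_sp"],
                                  result["scope"]):
            print("  " + cmd)
    else:
        print("\nThe object id in the error is NOT the SP in your secret; "
              "check which secret the pod references before granting anything.")
```

Run it with `python3 diagnose_kv_mount.py`; to use it on a real cluster, paste the message from kubectl describe pod into MOUNT_ERROR and the JSON from az ad sp list --spn <CLIENT ID> -o json into AZ_SP_LIST_OUTPUT. Only when same_principal is true do the printed commands grant access to the identity that is actually failing.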

sukruthakittur commented 4 years ago

@ritazh Thank you for the quick response. This is very helpful. I will resolve the issue on my end and this issue #119 can be closed.