Closed (RafaPazos closed this 3 years ago)

RafaPazos (issue):

In the Secrets Management Chapter (https://github.com/Azure/sg-aks-workshop/blob/master/cluster-design/SecretManagement.md) we propose 4 options:

And indeed there is a fifth and recommended option based on managed identities:
https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#use-pod-managed-identities

Do you know if there is any issue with this option? If not, I would like to add it to the Secrets Management Chapter.

Reply:

Hi @RafaPazos, great points. I guess the main reason that Pod Managed Identities were not added as an option is that they are not really about storing secrets, but a means of accessing secrets. The point of the section was to talk about the different ways secrets could be stored. I guess one could argue that using pod managed identities to access secrets stored in AKV is another option.

To your question about whether there is any issue with the option: the answer is no. If you take a look at the Deploy App section you will see that we do just that for accessing the keys stored in AKV: https://github.com/Azure/sg-aks-workshop/tree/master/deploy-app#adding-in-secrets-mgmt
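The pattern discussed in this thread, a pod reading a Key Vault secret through a managed identity rather than through a credential stored in the cluster, as an added illustration that is not taken from the sg-aks-workshop repository. It uses the aad-pod-identity v1 CRDs (AzureIdentity, AzureIdentityBinding) and the `aadpodidbinding` pod label; every subscription, resource group, identity name, GUID, vault name and image below is a placeholder, and the namespace `app` and secret name `db-password` are assumed:

```yaml
# Added example, not code from the workshop. aad-pod-identity v1 objects that give
# a pod a user-assigned managed identity so it can fetch a Key Vault secret at runtime.
# No Kubernetes Secret holds the value; all <...> values are placeholders.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: kv-reader-identity
  namespace: app
spec:
  type: 0                      # 0 = user-assigned managed identity
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kv-reader
  clientID: <CLIENT_ID_GUID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: kv-reader-binding
  namespace: app
spec:
  azureIdentity: kv-reader-identity
  selector: kv-reader          # pods labelled aadpodidbinding=kv-reader receive this identity
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-consumer
  namespace: app
  labels:
    aadpodidbinding: kv-reader # must match the binding's selector
spec:
  containers:
    - name: app
      image: <YOUR_IMAGE>
      env:
        # Only the vault location and secret name are configured; the secret value
        # is retrieved by the application using the pod's managed identity.
        - name: KEYVAULT_URL
          value: https://<VAULT_NAME>.vault.azure.net/
        - name: SECRET_NAME
          value: db-password
```

The application inside the container obtains a token for the identity through the Azure SDK's managed identity credential (for example `DefaultAzureCredential` or `ManagedIdentityCredential`) and calls Key Vault to read `SECRET_NAME`; the managed identity itself needs only a secret `get` permission on the vault (access policy or the Key Vault Secrets User RBAC role), so the secret is never written into the cluster and rotating it in Key Vault needs no redeploy. To confirm the binding resolved, check that an `AzureAssignedIdentity` object exists for the pod (`kubectl get azureassignedidentities -A`). One caveat: aad-pod-identity has since been deprecated in favour of Azure AD workload identity, which replaces the label-and-binding objects with a federated service account but keeps the same access-not-storage model.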