Azure Key Vault volume

Learn about Radius persistent Azure Key Vault volumes

Radius supports mounting an Azure Key Vault as a persistent volume to the container using the Azure KeyVault CSI Driver.

Prerequisites

Resource format

resource volume 'Applications.Core/volumes@2023-10-01-preview' = {
  name: 'myvolume'
  properties: {
    application: app.id
    kind: 'azure.com.keyvault'
    resource: keyvault.id
    secrets: {
      mysecret: {
        name: 'secret1'      // required
        version: '1'         // optional, defaults to latest version
        alias: 'secretalias' // optional, defaults to secret name (mysecret)
        encoding: 'utf-8'    // optional, defaults to utf-8
      }
    }
    certificates: {
      mycertificate: {
        name: 'cert1'              // required
        version: '1'               // optional, defaults to latest version
        alias: 'certificatealias'  // optional, defaults to certificate name (mycertificate)
        encoding: 'base64'         // optional, defaults to utf-8, only available when value is privatekey
        certType: 'privatekey'     // required
        format: 'pem'              // optional, defaults to pfx
      }
    }
    keys: {
      mykey: {
        name: 'key1'       // required
        version: '1'       // optional, defaults to latest version
        alias: 'keyalias'  // optional, defaults to key name (mykey)
      }
    }
  }
}

Properties

The following properties are available on the Volume resource to which the container attaches:

| Key | Required | Description | Example |
|-----|----------|-------------|---------|
| kind | y | The kind of persistent volume. Should be 'azure.com.keyvault' for Azure Key Vault persistent volumes. | 'azure.com.keyvault' |
| resource | n | Resource ID for the Azure Key Vault resource. | 'kv.id', '/subscriptions/<subscription>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<keyvaultname>' |
| secrets | n | Map of secret object names to secret properties. See secret properties. | mysecret: { name: 'mysecret', encoding: 'utf-8' } |
| keys | n | Map of key object names to key properties. See key properties. | mykey: { name: 'mykey' } |
| certificates | n | Map of certificate object names to certificate properties. See certificate properties. | mycert: { name: 'mycert', value: 'certificate' } |

Secrets

| Key | Description | Required | Example |
|-----|-------------|----------|---------|
| name | secret name in Azure Key Vault | true | 'mysecret' |
| version | specific secret version. Default is latest | false | '1234' |
| encoding | encoding format: 'utf-8', 'hex', 'base64'. Default is 'utf-8' | false | 'base64' |
| alias | file name created on the disk. Same as objectname if not specified | false | 'my-secret' |

Keys

| Key | Description | Required | Example |
|-----|-------------|----------|---------|
| name | key name in Azure Key Vault | true | 'mykey' |
| version | specific key version. Default is latest | false | '1234' |
| alias | file name created on the disk. Same as objectname if not specified | false | 'my-key' |

Certificates

| Key | Description | Required | Example |
|-----|-------------|----------|---------|
| name | certificate name in Azure Key Vault | true | 'mycert' |
| value | value to download from Azure Key Vault: 'privatekey', 'publickey' or 'certificate' | true | 'certificate' |
| version | specific certificate version. Default is latest | false | '1234' |
| encoding | encoding format: 'utf-8', 'hex', 'base64'. Default is 'utf-8'. This field can be specified only when value is 'privatekey' | false | 'base64' |
| alias | file name created on the disk. Same as objectname if not specified | false | 'my-cert' |
| format | certificate format: 'pfx', 'pem'. Default is 'pfx' | false | 'pem' |
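
The rules in the Secrets, Keys and Certificates tables above can be checked before a volume is deployed. The following is an added example, not code from Radius or from this page: a Python lint over a plain dict shaped like the volume's properties. The name `lint_volume`, the message strings, and accepting both `value` (table) and `certType` (resource-format sample) for the certificate field are assumptions of this example.

```python
# Added example: lint the object maps of an azure.com.keyvault volume.
ENCODINGS = {"utf-8", "hex", "base64"}
CERT_VALUES = {"privatekey", "publickey", "certificate"}
CERT_FORMATS = {"pfx", "pem"}
ALLOWED = {  # property names listed per section in the tables
    "secrets": {"name", "version", "encoding", "alias"},
    "keys": {"name", "version", "alias"},
    # The table names this field 'value'; the resource-format sample writes
    # 'certType'. Accepting both spellings is an assumption of this example.
    "certificates": {"name", "value", "certType", "version",
                     "encoding", "alias", "format"},
}


def lint_volume(props):
    """Return a list of 'path: problem' strings; an empty list means clean."""
    problems = []
    for section, allowed in ALLOWED.items():
        for obj, spec in (props.get(section) or {}).items():
            path = f"{section}.{obj}"
            for key in sorted(set(spec) - allowed):
                problems.append(f"{path}: unknown property '{key}'")
            if not spec.get("name"):
                problems.append(f"{path}: 'name' is required")
            enc = spec.get("encoding")
            if section != "keys" and enc is not None and enc not in ENCODINGS:
                problems.append(f"{path}: invalid encoding '{enc}'")
            if section != "certificates":
                continue
            value = spec.get("value", spec.get("certType"))
            if value not in CERT_VALUES:
                problems.append(f"{path}: value must be one of {sorted(CERT_VALUES)}")
            elif enc is not None and value != "privatekey":
                problems.append(f"{path}: encoding requires value 'privatekey'")
            if spec.get("format", "pfx") not in CERT_FORMATS:
                problems.append(f"{path}: format must be 'pfx' or 'pem'")
    return problems


# Constructed sample: misspelled encoding, key without a name, encoding on a public key.
SAMPLE = {
    "secrets": {"mysecret": {"name": "secret1", "encoding": "bas64"}},
    "keys": {"mykey": {"version": "1"}},
    "certificates": {"mycert": {"name": "cert1", "value": "publickey",
                                "encoding": "hex", "format": "pem"}},
}

if __name__ == "__main__":
    print("\n".join(lint_volume(SAMPLE)))
```

Run against the constructed sample, the lint reports one problem per object; the resource-format sample at the top of the page passes clean.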