Access restriction of Pod Identity on secret level

[schwichti]

Using the Pod Identity mode, is it possible to restrict the access of a Pod on Secret Level or only on KeyVault Level? In other words, can you restrict which Secrets a Pod can read from a KeyVault or does a Pod has access to either no secrets or all secrets?

My pods need to read only a subset of secrets stored in a KeyVault. I want to prevent that an attacker who has compromised a Pod can read all the secrets from the keyvault.

[nilekhc]

I believe Pod Identity will grant you an access at keyvault level.

cc @aramase @chewong

[schwichti]

This source confirms the access restriction on keyvault level: https://dba.stackexchange.com/questions/209568/grant-access-to-only-one-key-in-azure-keyvault.
It seems that you cannot do anything about it (except using multiple keyvaults), because it is simply the design of azure key vault.

[aramase]

Hello 👋🏻 Keyvault added support for role-based access control for individual secrets/keys/certs last year. Here is a link to the doc: https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli.

[schwichti]

Hi @aramase . I tried Keyvault with RBAC authorization in conjunction with PodIdentity. However, I get the error message Unable to attach or mount volumes: unmounted volumes=[secrets-store01-inline], unattached volumes=[default-token-ph459 secrets-store01-inline]: timed out waiting for the condition
This is what I did:

az keyvault create -n $keyvaultname -g $resourcegroup --location $keyvaultlocation --enable-rbac-authorization
az keyvault secret set --name $SECRET1 --vault-name $keyvaultname --value $SECRET1
RESPONSE1=$(az identity create -g $resourcegroup -n $PODIDENTITY1)
CLIENTID1=$(echo $RESPONSE1 | jq .clientId)
TENANTID=$(echo $RESPONSE1 | jq .tenantId)
az role assignment create --role \"Key Vault Secrets User\" --assignee $CLIENTID1 --scope /subscriptions/$subscriptionid/resourcegroups/$resourcegroup/providers/Microsoft.KeyVault/vaults/$keyvaultname/secrets/$SECRET1
helm repo add csi-secrets-store-provider-azure https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts
helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure -n $namespace
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml

read -r -d '' SECRETPROVIDERCLASS  <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname-podid
  namespace: ${namespace}
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"          # set to true for pod identity access mode
    keyvaultName: "${keyvaultname}"
    cloudName: ""                   # [OPTIONAL for Azure] if not provided, azure environment will default to AzurePublicCloud
    objects:  |
      array:
        - |
          objectName: ${SECRET1}
          objectType: secret        # object types: secret, key or cert
          objectVersion: ""         # [OPTIONAL] object versions, default to latest if empty
    tenantId: ${TENANTID}           # the tenant ID of the KeyVault      
EOF

read -r -d '' AZUREIDENTITY <<EOF
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: ${PODIDENTITY1}
  namespace: ${namespace}
spec:
  type: 0
  resourceID: /subscriptions/${subscriptionid}/resourcegroups/${resourcegroup}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${PODIDENTITY1}
  clientID: ${CLIENTID1}
EOF

read -r -d '' AZUREIDENTITYBINDING <<EOF
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: ${PODIDENTITYBINDING1}
  namespace: ${namespace}
spec:
  azureIdentity: ${PODIDENTITY1}
  selector: ${SELECTOR1}
EOF

read -r -d '' POD <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  name: pod1
  namespace: ${namespace}
spec:
  template:
    metadata:
        labels:
            aadpodidbinding: ${SELECTOR1}
    spec:
      containers:
      - name: pod1
        image: alpine
        command: ["cat",  "/mnt/secrets-store"]
        volumeMounts:
        - name: secrets-store01-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      restartPolicy: Never
      volumes:
        - name: secrets-store01-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "azure-kvname-podid"
EOF

echo "$SECRETPROVIDERCLASS" | kubectl apply -f -
echo "$AZUREIDENTITY" | kubectl apply -f -
echo "$AZUREIDENTITYBINDING" | kubectl apply -f -
echo "$POD" | kubectl apply -f -

What am I missing?