Tags: azure, azure-service-fabric, azure-keyvault

Deploy a cert to service fabric cluster without using ARM template


I want to deploy a client certificate to my already created cluster that my service will use for outgoing requests to a dependent service, and I have that certificate already added to a KeyVault resource I provisioned. How can I get that cert deployed to my VM scale set? Is there some way I can authorize my service to access that Keyvault instance, after which it will automatically deploy to my VMs, or is there some other process?


Solution

  • If you need a certificate to be in the certificate store, you can (re)deploy the VM scale-set with certificate references to the Key Vault.

    "secrets": [
        {
            "sourceVault": {
                "id": "/subscriptions/{subscriptionid}/resourceGroups/myrg1/providers/Microsoft.KeyVault/vaults/mykeyvault1"
            },
            "vaultCertificates": [
                {
                    "certificateUrl": "https://mykeyvault1.vault.azure.net/secrets/{secretname}/{secret-version}",
                    "certificateStore": "certificateStoreName"
                }
            ]
        }
    ]
    

    Make sure the key vault is configured to allow deployments to access secrets.

    You can also access the Key Vault from code, by using MSI or your own Service Principal. I'd prefer to use a client certificate (deployed to VM) to authenticate instead.

    • If you choose MSI, each VM gets its own (managed) Service Principal, all of them need to be configured to be allowed access to Key Vault data. You need to do this yourself.

    • If you choose to use a Service Principal with ClientId & ClientSecret, make sure to keep the Service Principal Client Secret in protected configuration (this also requires a certificate). Make sure to configure an Access Policy for this SPN too.
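The first option above (a `secrets` reference in the scale set's OS profile) carried out end to end with the Az PowerShell module. This is an added example, not code from the answer or from Microsoft's documentation; the resource group, vault, certificate and scale-set names are placeholders, and it assumes the certificate was created as a Key Vault certificate (so its PFX is retrievable as the secret of the same name) and that you are already signed in with rights on both the vault and the scale set.

```powershell
# Added example: attach a Key Vault certificate to an existing Service Fabric
# node-type scale set so it lands in the nodes' LocalMachine certificate store.
#Requires -Modules Az.KeyVault, Az.Compute

$ResourceGroup = 'myrg1'            # placeholder
$VaultName     = 'mykeyvault1'      # placeholder
$CertName      = 'my-client-cert'   # placeholder: name of the Key Vault certificate
$VmssName      = 'nt1vm'            # placeholder: scale set backing the node type
$StoreName     = 'My'               # deployed into Cert:\LocalMachine\My on each node

# 1. Let the Compute platform read secrets from this vault during deployment.
#    This is the "allow deployments to access secrets" setting the answer refers to;
#    it is a vault-level flag, separate from the access policies of your own principals.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -EnabledForDeployment

# 2. Resolve the versioned *secret* URL of the certificate. Key Vault exposes a
#    certificate's PFX as a secret with the same name; the scale set needs that
#    ".../secrets/<name>/<version>" id, not the ".../certificates/..." URL.
#    Pinning the version keeps redeployments reproducible and auditable.
$vault     = Get-AzKeyVault -ResourceGroupName $ResourceGroup -VaultName $VaultName
$kvCert    = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName
$secretUrl = $kvCert.SecretId

# 3. Add the reference to the scale set model and push it.
$vmss      = Get-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName
$vaultCert = New-AzVmssVaultCertificateConfig -CertificateUrl $secretUrl -CertificateStore $StoreName
$vmss      = Add-AzVmssSecret -VirtualMachineScaleSet $vmss `
                              -SourceVaultId $vault.ResourceId `
                              -VaultCertificate $vaultCert
Update-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName -VirtualMachineScaleSet $vmss

# 4. Existing instances only receive the new model once they are upgraded.
#    With an Automatic upgrade policy the platform rolls them; with Manual you do it.
if ($vmss.UpgradePolicy.Mode -eq 'Manual') {
    $ids = (Get-AzVmssVM -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName).InstanceId
    Update-AzVmssInstance -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName -InstanceId $ids
}

# 5. Verify on a node (run this part on the VM itself, e.g. via RDP or Invoke-Command):
#    the certificate must be present AND carry its private key, otherwise the
#    service cannot use it for client authentication.
#   $thumb = $kvCert.Thumbprint
#   $c = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
#   if (-not $c -or -not $c.HasPrivateKey) { throw "client cert not usable on this node" }
```

Rolling the scale set on a Service Fabric cluster takes nodes down one upgrade domain at a time, so run step 4 during a maintenance window and let the cluster's health checks gate each domain rather than reimaging everything at once.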
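For the MSI alternative the answer mentions (the service reads the certificate from Key Vault itself instead of having it pre-deployed), the part you have to do yourself is enabling the identity and granting it vault access. The following is an added example, not code from the answer; names are placeholders, and it assumes the Az module on both the operator's machine and the node.

```powershell
# Added example: give the scale set a system-assigned managed identity and grant
# that identity the minimum Key Vault permission needed to fetch the certificate.
#Requires -Modules Az.KeyVault, Az.Compute

$ResourceGroup = 'myrg1'            # placeholder
$VaultName     = 'mykeyvault1'      # placeholder
$VmssName      = 'nt1vm'            # placeholder
$CertName      = 'my-client-cert'   # placeholder

# --- operator side -----------------------------------------------------------
# Turn on the managed identity for the scale set (no secret to store anywhere).
$vmss = Get-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName
Update-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName `
              -VirtualMachineScaleSet $vmss -IdentityType SystemAssigned

# Re-read the model to pick up the identity's object id, then grant it
# only "get" on secrets: enough to download the PFX, nothing else.
$vmss = Get-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName
Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
                           -ObjectId $vmss.Identity.PrincipalId `
                           -PermissionsToSecrets get

# --- node side (runs on the VM, authenticating as the managed identity) -------
# The PFX comes back base64-encoded in the secret value; keep it in memory,
# never write it to disk, and mark the key non-exportable when importing.
#   Connect-AzAccount -Identity | Out-Null
#   $pfxB64 = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName -AsPlainText
#   $bytes  = [Convert]::FromBase64String($pfxB64)
#   $flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
#   $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, '', $flags)
#   # $cert.HasPrivateKey should be $true; hand $cert to your HttpClient handler.
```

Compared with the `secrets` reference in the scale-set model, this route means the certificate is pulled at runtime, so a Key Vault outage or a revoked access policy surfaces as a service failure rather than a deployment failure; monitor the vault's audit logs for the identity's `SecretGet` operations either way.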