
I mount Azure Key Vault (AKV) certificates to pods in Azure Kubernetes Service (AKS).

Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster

My pod's container image is based on the ASP.NET Core Web API project template with the appsettings.json below. I am trying to apply TLS to my service with Kestrel.

appsettings.json

Configure endpoints for the ASP.NET Core Kestrel web server

However, I am getting the error message below, even though Azure Key Vault provides the certificate with the private key.

What am I missing here?

Error message

secret-provider-class.yml

deployment.yml

I checked that the PRIVATE KEY exists with a busybox pod.

Busybox

ibocon
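The question above configures Kestrel from appsettings.json and asks why TLS fails even though the mounted file appears to contain a private key. The following is an added example, not code from the question or the answer, that does the same job in code so the failure is visible before Kestrel starts: it loads the certificate the Secrets Store CSI driver mounted into the pod, handles both payload formats Key Vault can return for a certificate's secret (PFX or PEM), and refuses to start if the file carries no private key. The mount path, the TLS_CERT_PATH environment variable and port 8443 are assumptions for illustration.

```csharp
// Added example: load a Key Vault certificate mounted by the Secrets Store CSI
// driver and serve HTTPS with it, failing early when the private key is absent.
// TLS_CERT_PATH, the default mount path and port 8443 are assumed for illustration.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;

public static class MountedCertificate
{
    // When the SecretProviderClass requests objectType "secret", the provider
    // writes the certificate's secret payload. Depending on the content type set
    // on the Key Vault certificate that payload is PKCS#12 (binary) or PEM (text
    // with the certificate and an unencrypted PRIVATE KEY block in one file).
    public static X509Certificate2 Load(string path, string? pfxPassword = null)
    {
        byte[] bytes = File.ReadAllBytes(path);
        string text = Encoding.ASCII.GetString(bytes);

        X509Certificate2 cert = text.Contains("-----BEGIN")
            // PEM: the same file holds both the CERTIFICATE and PRIVATE KEY blocks,
            // so it is passed as both the certificate and the key source.
            ? X509Certificate2.CreateFromPem(text, text)
            // PFX: Key Vault exports it without a password unless you set one.
            : new X509Certificate2(bytes, pfxPassword, X509KeyStorageFlags.EphemeralKeySet);

        // This is the check the question is really about: a certificate whose Key
        // Vault policy marks the key non-exportable, or a mount that fetched the
        // certificate object instead of the secret, yields a cert with no key.
        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                $"'{path}' contains a certificate but no private key. " +
                "Check that the Key Vault certificate policy marks the key exportable " +
                "and that the SecretProviderClass uses objectType: secret.");
        }
        return cert;
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        // Assumed path: the volume mountPath joined with the objectAlias from the
        // SecretProviderClass. Overridable so the same image runs outside AKS.
        string certPath = Environment.GetEnvironmentVariable("TLS_CERT_PATH")
                          ?? "/mnt/secrets-store/tls-cert";
        X509Certificate2 cert = MountedCertificate.Load(certPath);

        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web =>
            {
                web.ConfigureKestrel(kestrel =>
                {
                    // Bind a single HTTPS endpoint with the mounted certificate.
                    kestrel.ListenAnyIP(8443, listen => listen.UseHttps(cert));
                });
                web.Configure(app => app.Run(ctx => ctx.Response.WriteAsync("ok")));
            })
            .Build()
            .Run();
    }
}
```

If you prefer to keep the endpoint in appsettings.json, Kestrel's "Certificates" section accepts a "Path" to a PFX or, for PEM, a "Path" plus a separate "KeyPath"; a single PEM file that contains both blocks must be pointed at by both settings or loaded in code as above. Running `MountedCertificate.Load` against the mounted file inside the pod tells you in one step whether the problem is the key material or the Kestrel configuration.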

1 Answer

  1. Please check if the issue here is the same case for you.

  2. You may have to configure your data protection policy to use CryptographicAlgorithms as follows:

    // Requires: using Microsoft.AspNetCore.DataProtection;
    //           using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
    //           using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
    services.AddDataProtection()
            .UseCryptographicAlgorithms(new AuthenticatedEncryptorConfiguration()
            {
                EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,
                ValidationAlgorithm = ValidationAlgorithm.HMACSHA256
            });
    

    Try configuring the system with ProtectKeysWithAzureKeyVault in the Startup class:

    // kvClient is the KeyVaultClient used to reach the vault; settings.KeyVaultKeyId
    // is the identifier URL of the Key Vault key that wraps the data protection keys.
    services.AddDataProtection()
            .ProtectKeysWithAzureKeyVault(kvClient, settings.KeyVaultKeyId);
    

    Please note that when a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or PEM format. The policy used to create the certificate must indicate that the key is exportable. If the policy indicates non-exportable, then the private key isn't part of the value when retrieved as a secret.

References:

  1. Configure ASP.NET Core Data Protection | Microsoft Docs
  2. linux - No XML encryptor configured - Stack Overflow
  3. Using Azure Key Vault and Azure Storage to store Data Protection keys with ASP.NET Core - Joonas W's blog
kavyaS