How to specify the filename you want when creating an Azure Kubernetes Service secret using Azure Key Vault

Kubernetes lets you mount secrets as a file inside your pod. By default, this file name will be the same as the secret. However, a common request is to be able to specify the exact file name (since it is common for apps to have this path/name hard-coded). This is especially important since when integrating Azure Kubernetes Service (AKS) with Azure Key Vault, since the name of the secret in Key Vault is subject to specific naming conventions.

For instance, you can’t have a period in the secret name in Key Vault, but apps expect to find files with period in them (the extension).

Luckily, the SecretProviderClass in the API provide the objectAlias attribute you can use to specify the exact filename you want.

Sync as Kubernetes Secret – Secrets Store CSI Driver (

Key Vault secret

Here is a secret I would like to mount as a file in an AKS pod. Note the name has a dash in it (app-properties)

SecretProviderClass YAML file

Here is an example of aliasing a specific secret with the filename the app expects. Note the objectAlias provides a filename with a period in it (, which isn’t a valid Key Vault secret name.

kind: SecretProviderClass
  name: mongo-secret-csi-more
  provider: azure
    - secretName: app-properties
      type: Opaque
      - objectName: app-properties
    keyvaultName: eslz-kv-b5ldjd4hmhvec
    useVMManagedIdentity: "true"        
    userAssignedIdentityID: 06c615ea-c360-4556-8a99-f8be73ca4b56
    cloudName: "AzureUSGovernment"                        
    objects:   |
        - |
          objectName: app-properties
          objectAlias: ""
          objectType: secret
          objectVersion: ""
    tenantId: 40a3c411-b2a7-4f7b-a28e-05bf8dd7ab7b

Kubernetes Pod

If we exec into the pod and look for that file, we can see that the file has been renamed to the objectAlias, as the app expects.

Leave a Reply

Your email address will not be published. Required fields are marked *