Add support for Azure Key Vault with Lighthouse
At the moment, you cannot add your Lighthouse-enabled groups to Azure Key Vault in a customer's subscription. So now we would need to have accounts in a customer's subscription, which we just stopped needing due to Lighthouse.
Luke Lloyd commented
Any news on this being available soon MS? This is one of the biggest blockers for moving to Lighthouse only management.
Didier Caron commented
This has been a whole year now, and we can't use Key Vault properly with Azure Lighthouse? We are using Terraform to deploy Key Vault secrets to a customer-owned Key Vault. Terraform will try to refresh the value, which will not work because of this limitation. Will there be any movement in this space?
The solution to use Managed Identities as described here: https://github.com/Azure/Azure-Lighthouse-samples/tree/master/templates/create-keyvault-secret is not enough, because of this limitation:
"Using the ARM control-plane approach above, the provider can set/write secrets into customer's Azure Key Vault but cannot list/read these secrets using the provider's context since provider's identity is not in the customer's tenant."
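For readers who want to see what the control-plane path in that quoted limitation looks like, here is an added example (not code from the thread, nor from the Azure-Lighthouse-samples repository). It writes a secret into a customer-owned Key Vault through the ARM resource type `Microsoft.KeyVault/vaults/secrets` rather than the Key Vault data plane. The vault name, secret name and the deployment commands in the usage note are assumptions for illustration.

```bicep
// Added example, not part of the feedback thread or the Lighthouse samples.
// Writes a secret into an existing customer-owned Key Vault via the ARM
// control plane (Microsoft.KeyVault/vaults/secrets). The vault and secret
// names below are assumed values.

@description('Name of the existing customer-owned Key Vault (assumed)')
param vaultName string

@description('Name of the secret to create or update (assumed)')
param secretName string = 'example-secret'

@secure()
@description('Secret value supplied at deploy time; @secure() keeps it out of deployment history and logs')
param secretValue string

// Reference the vault that already exists in the customer's subscription;
// this template does not create or reconfigure the vault itself.
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: vaultName
}

// Control-plane write: the request goes through Azure Resource Manager with
// the delegated (Lighthouse) identity, which is the direction the quoted
// limitation says does work.
resource secret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: vault
  name: secretName
  properties: {
    value: secretValue
  }
}

// Only metadata is exported. Reading the value back would be a data-plane
// operation, which the thread says the provider's identity cannot perform.
output secretResourceId string = secret.id
```

Deploying it from the provider tenant against the delegated subscription, for example `az deployment group create --resource-group <customer-rg> --template-file secret.bicep --parameters vaultName=<vault> secretValue=<value>` (assumed resource group and vault names), performs the write. A subsequent `az keyvault secret show --vault-name <vault> --name example-secret` under the same login is the data-plane read that the quoted limitation says is not available to the provider's context, which is also why Terraform's refresh of a secret it wrote this way cannot succeed.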