From 9aa98bb378cab76438aac8c3307348e4d0dbcbfa Mon Sep 17 00:00:00 2001
From: Bernd Verst <4535280+berndverst@users.noreply.github.com>
Date: Thu, 4 Nov 2021 10:59:02 -0700
Subject: [PATCH] Add Managed Identity Instructions

---
 .../supported-secret-stores/azure-keyvault.md | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md
index 06cd6e730..701a862f5 100644
--- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md
+++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md
@@ -258,6 +258,42 @@ To use a **certificate**:
 kubectl apply -f azurekeyvault.yaml
 ```
+To use **Azure managed identity**:
+
+1. Ensure your AKS cluster has managed identity enabled and follow the [guide for using managed identities](https://docs.microsoft.com/azure/aks/use-managed-identity).
+2. Create an `azurekeyvault.yaml` component file.
+
+ The component yaml refers to the Kubernetes secretstore using `auth` property and `secretKeyRef` refers to the certificate stored in the Kubernetes secret store.
+
+ ```yaml
+ apiVersion: dapr.io/v1alpha1
+ kind: Component
+ metadata:
+ name: azurekeyvault
+ namespace: default
+ spec:
+ type: secretstores.azure.keyvault
+ version: v1
+ metadata:
+ - name: vaultName
+ value: "[your_keyvault_name]"
+
+3. Apply the `azurekeyvault.yaml` component:
+
+ ```bash
+ kubectl apply -f azurekeyvault.yaml
+ ```
+4. Create and use a managed identity / pod identity by following [this guide](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity#create-a-pod-identity). After creating an AKS pod identity, give this identity read permissions on your desired KeyVault instance, and finally in your application deployment inject the pod identity via a label annotation:
+
+ ```yaml
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: mydaprdemoapp
+ labels:
+ aadpodidbinding: $POD_IDENTITY_NAME
+ ```
+
 {{% /codetab %}}
 {{< /tabs >}}