You can solve this challenge by the following steps:
-
Check your vault name with
terraform output vault_name. -
Create a new pod file
pod.yamlwith the following content (replace the vault name with output from the previous step):
apiVersion: batch/v1
kind: Job
metadata:
name: wrongsecret-3
labels:
aadpodidbinding: separate-workload-pod-id
spec:
template:
metadata:
name: wrongsecret3job
labels:
aadpodidbinding: separate-workload-pod-id
spec:
containers:
- name: az
image: mcr.microsoft.com/azure-cli:latest
command:
[
"sleep", "7200"
]
restartPolicy: Never-
Apply the job with
kubectl apply -f job.yaml
You can now exec into the pod, and execute something like az login --identity --allow-no-subscriptions && az keyvault secret show --name wrongsecret-3 --vault-name wrongsecrets-vault-00000 . Note that you can find the actual value of wrongsecrets-vault-00000 in the terraform state. Since the job can access the same vault as the secret challenge pod, it has access to its secrets.