How to profitably integrate HashiCorp Vault in Azure with access from external GitLab and from internal k8s pods

11/25/2019

I started evaluating HashiCorp Vault for secrets management. The idea is to allow my GitLab CI to deploy workloads into Kubernetes and dispatch the secrets to pods. However, now I'm planning to move my Kubernetes workloads into Azure. Based on your experiences, could you please share and detail what a good strategy could be in terms of the login/access process to Vault, if my requirements are:

  • access from GitLab CI (external w.r.t. Azure) to fetch secrets
  • access from GitLab CI (external w.r.t. Azure) to deploy pods into Azure Kubernetes Service
  • access from GitLab CI (external w.r.t. Azure) to operate my cloud instance
  • access from Azure Kubernetes pods to fetch secrets related to Azure managed services (e.g. a DB). About that, I've understood users can exploit HashiCorp Vault to dynamically generate the service principal and credentials for a pre-created Azure role.

Then I will exploit the integration with Azure Key Vault for automatic unsealing of HashiCorp's one.

I've read many documents about this, but I still cannot figure out a clear, good strategy (in my mind I always imagine a security breach). For sure my confusion is caused by inexperience with Vault and Azure, and also because Vault supports many different auth/authorization methods that leave you a bit lost.

-- rh0x
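The following is an added sketch of one access model that covers the four requirements in the question; it is not part of the question or of any answer, and it is not HashiCorp's or GitLab's code. It is written as Terraform for the HashiCorp Vault provider (resource and argument names are the provider's real ones). Everything else is assumed: the Vault and GitLab hostnames, subscription/tenant/client IDs, the resource group and resource names, the GitLab project path, a KV v2 engine mounted at `kv/`, and that the GitLab instance issues OIDC job tokens with the `project_path`, `ref` and `ref_type` claims.

```hcl
provider "vault" {
  address = "https://vault.example.internal:8200" # assumed address
}

locals {
  subscription_id = "00000000-0000-0000-0000-000000000000" # placeholder
  tenant_id       = "11111111-1111-1111-1111-111111111111" # placeholder
  rg              = "/subscriptions/${local.subscription_id}/resourceGroups/rg-prod"
  aks_scope       = "${local.rg}/providers/Microsoft.ContainerService/managedClusters/aks-prod"
  db_scope        = "${local.rg}/providers/Microsoft.DBforPostgreSQL/flexibleServers/pg-prod"
}
# Azure secrets engine. Its bootstrap SP is the one long-lived Azure credential here.
resource "vault_azure_secret_backend" "azure" {
  path            = "azure"
  subscription_id = local.subscription_id
  tenant_id       = local.tenant_id
  client_id       = "22222222-2222-2222-2222-222222222222" # placeholder
  client_secret   = "replace-me"                            # supply out of band
}

# CI gets a short-lived SP that can only fetch AKS user credentials.
resource "vault_azure_secret_backend_role" "aks_deployer" {
  backend = vault_azure_secret_backend.azure.path
  role    = "aks-deployer"
  ttl     = "1h"
  azure_roles {
    role_name = "Azure Kubernetes Service Cluster User Role"
    scope     = local.aks_scope
  }
}

# Pods get a short-lived SP scoped to one DB server (data-plane rights are set on the DB side).
resource "vault_azure_secret_backend_role" "db_reader" {
  backend = vault_azure_secret_backend.azure.path
  role    = "db-reader"
  ttl     = "1h"
  azure_roles {
    role_name = "Reader"
    scope     = local.db_scope
  }
}

# GitLab CI logs in with the job's OIDC token, bound to one project and branch.
resource "vault_jwt_auth_backend" "gitlab" {
  path         = "gitlab"
  type         = "jwt"
  jwks_url     = "https://gitlab.example.com/oauth/discovery/keys" # assumed host
  bound_issuer = "https://gitlab.example.com"
}

resource "vault_jwt_auth_backend_role" "ci_deploy" {
  backend         = vault_jwt_auth_backend.gitlab.path
  role_name       = "ci-deploy"
  role_type       = "jwt"
  user_claim      = "user_email"
  bound_audiences = ["https://vault.example.internal"]
  bound_claims = {
    project_path = "myorg/myapp"
    ref          = "main"
    ref_type     = "branch"
  }
  token_policies = [vault_policy.ci_deploy.name]
  token_ttl      = 600
}

resource "vault_policy" "ci_deploy" {
  name   = "ci-deploy"
  policy = <<-EOT
    path "kv/data/myapp/deploy/*"  { capabilities = ["read"] }
    path "azure/creds/aks-deployer" { capabilities = ["read"] }
  EOT
}

# Pods log in with their service account token, bound to one SA in one namespace.
resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}
resource "vault_kubernetes_auth_backend_config" "aks" {
  backend         = vault_auth_backend.kubernetes.path
  kubernetes_host = "https://aks-prod.example.azmk8s.io:443" # assumed API server
  # Vault outside the cluster also needs kubernetes_ca_cert and token_reviewer_jwt.
}

resource "vault_kubernetes_auth_backend_role" "payments_api" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "payments-api"
  bound_service_account_names      = ["payments-api"]
  bound_service_account_namespaces = ["payments"]
  token_policies                   = [vault_policy.payments_api.name]
}

resource "vault_policy" "payments_api" {
  name   = "payments-api"
  policy = <<-EOT
    path "azure/creds/db-reader" { capabilities = ["read"] }
  EOT
}
```

What this buys in terms of the "security breach" worry: no Vault token is stored in GitLab CI variables (the job proves its identity with a token GitLab signs, and `bound_claims` stops a fork or feature branch from using the role); CI and pods never see the Azure bootstrap credential, only a service principal that expires after the TTL; and each policy exposes exactly one `azure/creds/<role>` path, so a compromised pod cannot mint the CI principal and vice versa. The third requirement (operating the cloud instance from CI) is the same pattern with another `vault_azure_secret_backend_role` scoped to that resource group. The bootstrap SP is the thing to guard: it only needs the ability to create applications and assign roles at the scopes listed above, nothing subscription-wide, and its secret should be rotated through Vault's `azure/rotate-root` endpoint rather than handed around. Note also that the AKS built-in role only lets the SP obtain cluster credentials; what it may then do inside the cluster is governed by Kubernetes RBAC.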
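For the Azure Key Vault auto-unseal part, here is an added example of the Vault server configuration (again not from the question or from HashiCorp; assumes Vault 1.4+ for Raft storage, a VM or AKS node with a managed identity, and placeholder tenant ID, Key Vault name and key name):

```hcl
# vault.hcl -- added example; all names are placeholders
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-0"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt"
  tls_key_file  = "/opt/vault/tls/vault.key"
}

# Auto-unseal with an RSA key held in Azure Key Vault. client_id/client_secret
# are deliberately omitted: Vault then authenticates with the machine's managed
# identity, so no static Azure credential sits on disk for the unseal path.
seal "azurekeyvault" {
  tenant_id  = "11111111-1111-1111-1111-111111111111" # placeholder
  vault_name = "kv-vault-unseal"                      # placeholder Key Vault name
  key_name   = "vault-unseal"                         # placeholder key name
}

api_addr     = "https://vault.example.internal:8200" # assumed
cluster_addr = "https://vault.example.internal:8201"
```

Two practitioner caveats: grant the managed identity only the `get`, `wrapKey` and `unwrapKey` permissions on that one key (not the Key Vault's secrets or other keys), and remember that auto-unseal moves the trust boundary, since anyone who can run the Vault binary as that identity against a copy of the storage can unseal it, so the VM, its identity and the Raft data directory need the same protection the unseal key shards used to get. The recovery keys Vault generates at init are still needed for rekeying and root-token generation and must be split and stored offline.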
azure-keyvault
gitlab
hashicorp-vault
kubernetes
secret-key

0 Answers