HashiTalks 2025 Learn about unique use cases, homelab setups, and best practices at scale at our 24-hour virtual knowledge sharing event. Register
Vault
Vault Home

You are viewing documentation for version v1.13.x. View latest version.

Bootstrapping kubernetes auth method

Important Note: This chart is not compatible with Helm 2. Please use Helm 3.6+ with this chart.

In this example, we will walk through how to set up the Kubernetes Auth Method.

This assumes the following commands will be run inside a Vault pod running in Kubernetes.

You will optionally need the following variables:

# JWT is a service account token that has access to the kubernetes TokenReview API
# You can retrieve this from inside a pod at: /var/run/secrets/kubernetes.io/serviceaccount/token
JWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)

# Address of kubernetes itself as viewed from inside a running pod
KUBERNETES_HOST=https://${KUBERNETES_PORT_443_TCP_ADDR}:443

# Kubernetes internal CA
KUBERNETES_CA_CERT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)

Exec into the Vault pod:

kubectl exec -it vault-0 -- /bin/sh

If you didn't set server.dev.enabled=true, you'll need to log in to Vault first using vault login. Then run the following commands to configure the Kubernetes Auth Method:

vault auth enable kubernetes
vault write auth/kubernetes/config \
    kubernetes_host=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT

From here you can continue to configure Vault from the Kubernetes Auth Method documentation.