• HashiCorp Developer

  • HashiCorp Cloud Platform
  • Terraform
  • Packer
  • Consul
  • Vault
  • Boundary
  • Nomad
  • Waypoint
  • Vagrant
Vault
  • Install
  • Tutorials
  • Documentation
  • API
  • Try Cloud(opens in new tab)
  • Sign up
Vault

Skip to main content
20 tutorials
  • Vault on Kubernetes Reference Architecture
  • Vault on Kubernetes Deployment Guide
  • Vault Installation to Minikube via Helm with Integrated Storage
  • Vault Installation to Minikube via Helm with Consul
  • Vault Installation to Minikube via Helm with TLS enabled
  • Vault Installation to Amazon Elastic Kubernetes Service via Helm
  • Vault Installation to Red Hat OpenShift via Helm
  • Vault Installation to Google Kubernetes Engine via Helm
  • Vault Installation to Azure Kubernetes Service via Helm
  • Deploy Vault on Amazon EKS Anywhere
  • Injecting Secrets into Kubernetes Pods via Vault Agent Containers
  • Mount Vault Secrets through Container Storage Interface (CSI) Volume
  • Configure Vault as a Certificate Manager in Kubernetes with Helm
  • Integrate a Kubernetes Cluster with an External Vault
  • Vault Agent with Kubernetes
  • Troubleshooting Vault on Kubernetes
  • Deploy Consul and Vault on Kubernetes with Run Triggers
  • Automate Terraform Cloud Workflows
  • Vault on Kubernetes Security Considerations
  • Kubernetes Secrets Engine

  • Resources

  • Tutorial Library
  • Certifications
  • Community Forum
    (opens in new tab)
  • Support
    (opens in new tab)
  • GitHub
    (opens in new tab)
  1. Developer
  2. Vault
  3. Tutorials
  4. Vault
  5. Vault Agent with Kubernetes

Vault Agent with Kubernetes

  • 17min

  • VaultVault

Nearly all requests to Vault must be accompanied by an authentication token. This includes all API requests, as well as via the Vault CLI and other libraries. If you can securely get the first secret from an originator to a consumer, all subsequent secrets transmitted between this originator and consumer can be authenticated with the trust established by the successful distribution and user of that first secret.

Secure Introduction

Challenge

The applications running in a Kubernetes environment is no exception. Luckily, Vault provides Kubernetes auth method to authenticate the clients using a Kubernetes Service Account Token.

Kubernetes

However, the client is still responsible for managing the lifecycle of its Vault tokens. Therefore, the next challenge becomes how to manage the lifecycle of tokens in a standard way without having to write custom logic.

Solution

Vault Agent provides a number of different helper features, specifically addressing the following challenges:

  • Automatic authentication
  • Secure delivery/storage of tokens
  • Lifecycle management of these tokens (renewal & re-authentication)
Vault Agent

This tutorial focuses on the demonstration of the Vault Agent Auto-Auth using the kubernetes auth method. Vault Helm introduced Agent Sidecar Injector. Refer to Injecting Secrets into Kubernetes Pods via Vault Helm Sidecar for a step-by-step tutorial on the sidecar usage.

Prerequisites

This lab was tested on macOS using an x86_64 based processor. If you are running macOS on an Apple silicon-based processor, use a x86_64 based Linux virtual machine in your preferred cloud provider.

To perform the tasks described in this tutorial, you need:

  • Minikube installed
  • A running Vault environment reachable from your Kubernetes environment. Refer to the Getting Started tutorial to install Vault. Make sure that your Vault server has been initialized and unsealed

NOTE: For the purpose of demonstration, this tutorial runs Minikube as a Kubernetes environment. If you wish to test against an Azure Kubernetes Service (AKS) cluster instead, follow the steps in the Azure Kubernetes Service Cluster section to create an AKS cluster. If you want to test against a Google Kubernetes Engine (GKE) cluster, refer to the steps described in the Google Kubernetes Engine Cluster section.

Retrieve the additional configuration by cloning the hashicorp/learn-vault-agent repository from GitHub.

$ git clone https://github.com/hashicorp/learn-vault-agent.git

This repository contains supporting content for all of the Vault learn tutorials. The content specific to this tutorial can be found in a sub-directory.

Go into the learn-vault-agent/vault-agent-k8s-demo directory.

$ cd learn-vault-agent/vault-agent-k8s-demo

Working directory: This tutorial assumes that the remainder of commands are executed in this directory.

Start a Vault server

To go through this tutorial, start a Vault dev server which listens for requests locally at 0.0.0.0:8200 with root as the root token ID.

$ vault server -dev -dev-root-token-id root -dev-listen-address 0.0.0.0:8200

Setting the -dev-listen-address to 0.0.0.0:8200 overrides the default address of a Vault dev server (127.0.0.1:8200) and enables Vault to be addressable by the Kubernetes cluster and its pods because it binds to a shared network.

Insecure operation: Do not run a Vault dev server in production. This approach is only used here to simplify the unsealing process for this demonstration.

Export an environment variable for the vault CLI to address the Vault server.

$ export VAULT_ADDR=http://0.0.0.0:8200

Create a service account

  1. Start a Kubernetes cluster running in Minikube.

    $ minikube start --driver=docker
    

    Wait a couple of minutes for the minikube environment to become fully available.

    $ minikube status
    
    minikube
    type: Control Plane
    host: Running
    kubelet: Running
    apiserver: Running
    kubeconfig: Configured
    
  2. In Kubernetes, a service account provides an identity for processes that run in a Pod so that the processes can contact the API server. Open the provided vault-auth-service-account.yaml file in your preferred text editor and examine its content for the service account definition to be used for this tutorial.

    vault-auth-service-account.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: vault-auth
      namespace: default
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: role-tokenreview-binding
      namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:auth-delegator
    subjects:
    - kind: ServiceAccount
      name: vault-auth
      namespace: default
    
  3. Create the vault-auth service account.

    $ kubectl apply --filename vault-auth-service-account.yaml
    

Kubernetes 1.24+ only

  1. The service account generated a secret that is required for configuration automatically in Kubernetes 1.23. In Kubernetes 1.24+, you need to create the secret explicitly.

    vault-auth-secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: vault-auth-secret
      annotations:
        kubernetes.io/service-account.name: vault-auth
    type: kubernetes.io/service-account-token
    
  2. Create a vault-auth-secret secret.

    $ kubectl apply --filename vault-auth-secret.yaml
    

Configure Kubernetes auth method

  1. Create a read-only policy, myapp-kv-ro in Vault.

    $ vault policy write myapp-kv-ro - <<EOF
    path "secret/data/myapp/*" {
        capabilities = ["read", "list"]
    }
    EOF
    
  2. Create some test data at the secret/myapp path.

    $ vault kv put secret/myapp/config \
          username='appuser' \
          password='suP3rsec(et!' \
          ttl='30s'
    

    Output:

    ====== Secret Path ======
    secret/data/myapp/config
    
    ======= Metadata =======
    Key                Value
    ---                -----
    created_time       2022-03-24T06:09:49.99472Z
    custom_metadata    <nil>
    deletion_time      n/a
    destroyed          false
    version            1
    
  3. Set the environment variables to point to the running Minikube environment.

    Set the SA_SECRET_NAME environment variable value to the vault-auth service account secret.

    $ export SA_SECRET_NAME=$(kubectl get secrets --output=json \
        | jq -r '.items[].metadata | select(.name|startswith("vault-auth-")).name')
    

    Set the SA_JWT_TOKEN environment variable value to the service account JWT used to access the TokenReview API

    $ export SA_JWT_TOKEN=$(kubectl get secret $SA_SECRET_NAME \
        --output 'go-template={{ .data.token }}' | base64 --decode)
    

    Set the SA_CA_CRT environment variable value to the PEM encoded CA cert used to talk to Kubernetes API.

    $ export SA_CA_CRT=$(kubectl config view --raw --minify --flatten \
        --output 'jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
    

    Set the K8S_HOST environment variable value to minikube IP address.

    $ export K8S_HOST=$(kubectl config view --raw --minify --flatten \
        --output 'jsonpath={.clusters[].cluster.server}')
    
  4. Now, enable and configure the Kubernetes auth method.

    Enable the Kubernetes auth method at the default path ("auth/kubernetes").

    $ vault auth enable kubernetes
    Success! Enabled kubernetes auth method at: kubernetes/
    

    Tell Vault how to communicate with the Kubernetes (Minikube) cluster.

    $ vault write auth/kubernetes/config \
         token_reviewer_jwt="$SA_JWT_TOKEN" \
         kubernetes_host="$K8S_HOST" \
         kubernetes_ca_cert="$SA_CA_CRT" \
         issuer="https://kubernetes.default.svc.cluster.local"
    

    Output:

    Success! Data written to: auth/kubernetes/config
    

    You can validate the issuer name of your Kubernetes cluster using this method.

  5. Create a role named, example, that maps the Kubernetes Service Account to Vault policies and default token TTL.

    $ vault write auth/kubernetes/role/example \
         bound_service_account_names=vault-auth \
         bound_service_account_namespaces=default \
         token_policies=myapp-kv-ro \
         ttl=24h
    

    Output:

    Success! Data written to: auth/kubernetes/role/example
    

NOTE: The pattern Vault uses to authenticate Pods depends on sharing the JWT token over the network. Given the security model of Vault, this is allowable because Vault is part of the trusted compute base. In general, Kubernetes applications should not share this JWT with other applications, as it allows API calls to be made on behalf of the Pod and can result in unintended access being granted to 3rd parties.

Determine the Vault address

A service bound to all networks on the host, as you configured Vault, is addressable by pods within Minikube's cluster by sending requests to the gateway address of the Kubernetes cluster.

  1. Start a minikube SSH session.

    $ minikube ssh
    ## ... minikube ssh login
    
  2. Within this SSH session, retrieve the value of the Minikube host.

    $ dig +short host.docker.internal
    192.168.65.2
    

    Docker networking: The host has a changing IP address (or none if you have no network access). We recommend that you connect to the special DNS name host.docker.internal which resolves to the internal IP address used by the host. host.docker.internal. This is for development purpose and will not work in production. For more information, review the documentation for Mac, Windows.

  3. Next, retrieve the status of the Vault server to verify network connectivity.

    $ dig +short host.docker.internal | xargs -I{} curl -s http://{}:8200/v1/sys/seal-status
    {
      "type": "shamir",
      "initialized": true,
      "sealed": false,
      "t": 1,
      "n": 1,
      "progress": 0,
      "nonce": "",
      "version": "1.4.1+ent",
      "migration": false,
      "cluster_name": "vault-cluster-3de6c2d3",
      "cluster_id": "10fd177e-d55a-d740-0c54-26268ed86e31",
      "recovery_seal": false,
      "storage_type": "inmem"
    }
    

    The output displays that Vault is initialized and unsealed. This confirms that pods within your cluster are able to reach Vault given that each pod is configured to use the gateway address.

  4. Next, exit the Minikube SSH session.

    $ exit
    
  5. Finally, create a variable named EXTERNAL_VAULT_ADDR to capture the Minikube gateway address.

    $ EXTERNAL_VAULT_ADDR=$(minikube ssh "dig +short host.docker.internal" | tr -d '\r')
    
  6. Verify that the variable contains the IP address you saw when executed in the Minikube shell.

    $ echo $EXTERNAL_VAULT_ADDR
    192.168.65.2
    

Optional: Verify the Kubernetes auth method configuration

  1. Define a Pod with a container.

    $ cat > devwebapp.yaml <<EOF
    apiVersion: v1
    kind: Pod
    metadata:
      name: devwebapp
      labels:
        app: devwebapp
    spec:
      serviceAccountName: vault-auth
      containers:
        - name: devwebapp
          image: burtlo/devwebapp-ruby:k8s
          env:
            - name: VAULT_ADDR
              value: "http://$EXTERNAL_VAULT_ADDR:8200"
    EOF
    

    The Pod is named devwebapp and runs with the vault-auth service account.

  2. Create the devwebapp pod in the default namespace

    $ kubectl apply --filename devwebapp.yaml --namespace default
    pod/devwebapp created
    
  3. Display all the pods in the default namespace.

    $ kubectl get pods
    NAME        READY   STATUS    RESTARTS   AGE
    devwebapp   1/1     Running   0          77s
    

    Wait until the devwebapp pod is running and ready (1/1).

  4. Start an interactive shell session on the devwebapp pod.

    $ kubectl exec --stdin=true --tty=true devwebapp -- /bin/sh
    #
    

    Your system prompt is replaced with a new prompt #.

    Note: the prompt within this section is shown as $ but the commands are intended to be executed within this interactive shell on the devwebapp container.

  5. Set KUBE_TOKEN to the service account token.

    $ KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
    
  6. Authenticate with Vault through the example role with the KUBE_TOKEN.

    $ curl --request POST \
           --data '{"jwt": "'"$KUBE_TOKEN"'", "role": "example"}' \
           $VAULT_ADDR/v1/auth/kubernetes/login
    

    Example output:

    {
       ...snip...
       "auth": {
          "client_token": "hvs.CAESIBxfvzds7M4tas017ls36Dl_kA-3YpCCBT9wczP1E41DGh4KHGh2cy5JYW1NMmFkb2gwTVBhZVhsN0pDM0tOaWM",
          "accessor": "1Miu5tbfuZzYuYWCntb4Ztke",
          "policies": [
             "default",
             "myapp-kv-ro"
          ],
          "token_policies": [
             "default",
             "myapp-kv-ro"
          ],
          "metadata": {
             "role": "example",
             "service_account_name": "vault-auth",
             "service_account_namespace": "default",
             "service_account_secret_name": "",
             "service_account_uid": "a293b5fb-96a2-43b0-acee-03d9ffce9423"
          },
          "lease_duration": 86400,
          "renewable": true,
          "entity_id": "8925670b-d8d6-0792-ee56-eec1a9e740cb",
          "token_type": "service",
          "orphan": true,
          "mfa_requirement": null,
          "num_uses": 0
       }
    }
    

    Notice that client_token is successfully generated and myapp-kv-ro policy is attached with the token. The metadata displays that its service account name (service_account_name) is vault-auth.

  7. Lastly, exit the pod.

    $ exit
    

Start Vault Agent with Auto-Auth

Now that you have verified that the Kubernetes auth method has been configured on the Vault server, it is time to spin up a client Pod which leverages Vault Agent to automatically authenticate with Vault and retrieve a client token.

  1. First, open the provided configmap.yaml file in your preferred text editor and review its content.

    configmap.yaml
    1 2 3 4 5 6 7 8 9 10111213141516171819202122232425262728293031323334353637383940414243apiVersion: v1
    data:
      vault-agent-config.hcl: |
        # Comment this out if running as sidecar instead of initContainer
        exit_after_auth = true
    
        pid_file = "/home/vault/pidfile"
    
        auto_auth {
            method "kubernetes" {
                mount_path = "auth/kubernetes"
                config = {
                    role = "example"
                }
            }
    
            sink "file" {
                config = {
                    path = "/home/vault/.vault-token"
                }
            }
        }
    
        template {
        destination = "/etc/secrets/index.html"
        contents = <<EOT
        <html>
        <body>
        <p>Some secrets:</p>
        {{- with secret "secret/data/myapp/config" }}
        <ul>
        <li><pre>username: {{ .Data.data.username }}</pre></li>
        <li><pre>password: {{ .Data.data.password }}</pre></li>
        </ul>
        {{ end }}
        </body>
        </html>
        EOT
        }
    kind: ConfigMap
    metadata:
      name: example-vault-agent-config
      namespace: default
    

    This creates a Vault Agent configuration file, vault-agent-config.hcl. Notice that the Vault Agent Auto-Auth (auto_auth block) is configured to use the kubernetes auth method enabled at the auth/kubernetes path on the Vault server. The Vault Agent will use the example role which you created in Step 2.

    The sink block specifies the location on disk where to write tokens. Vault Agent Auto-Auth sink can be configured multiple times if you want Vault Agent to place the token into multiple locations. In this example, the sink is set to /home/vault/.vault-token.

    Finally, the template block creates a templated file which retrieves username and password values at the secret/data/myapp/config path.

  2. Create a ConfigMap containing a Vault Agent configuration.

    $ kubectl create --filename configmap.yaml
    configmap/example-vault-agent-config created
    
  3. View the created ConfigMap.

    $ kubectl get configmap example-vault-agent-config --output yaml
    
  4. An example Pod spec file is provided. Review the provided example Pod spec file, example-k8s-spec.yaml.

    example-k8s-spec.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: vault-agent-example
      namespace: default
    spec:
      serviceAccountName: vault-auth
    
      volumes:
        - configMap:
            items:
              - key: vault-agent-config.hcl
                path: vault-agent-config.hcl
            name: example-vault-agent-config
          name: config
        - emptyDir: {}
          name: shared-data
    
      initContainers:
        - args:
            - agent
            - -config=/etc/vault/vault-agent-config.hcl
            - -log-level=debug
          env:
            - name: VAULT_ADDR
              value: http://EXTERNAL_VAULT_ADDR:8200
          image: vault
          name: vault-agent
          volumeMounts:
            - mountPath: /etc/vault
              name: config
            - mountPath: /etc/secrets
              name: shared-data
    
      containers:
        - image: nginx
          name: nginx-container
          ports:
            - containerPort: 80
          volumeMounts:
            - mountPath: /usr/share/nginx/html
              name: shared-data
    

    The example Pod spec (example-k8s-spec.yaml) spins up two containers in vault-agent-example pod. A vault container which runs Vault Agent as an Init Container. And an nginx container exposing port 80.

    Kubernetes

    The Vault address, VAULT_ADDR, is set to a placeholder value EXTERNAL_VAULT_ADDR.

  5. Generate the Pod spec with EXTERNAL_VAULT_ADDR variable value in its place.

    $ cat example-k8s-spec.yaml | \
       sed -e s/"EXTERNAL_VAULT_ADDR"/"$EXTERNAL_VAULT_ADDR"/ \
       > vault-agent-example.yaml
    
  6. Create the vault-agent-example pod defined in vault-agent-example.yaml.

    $ kubectl apply --filename vault-agent-example.yaml --record
    

    This takes a minute or so for the pod to become fully up and running.

Verification

  1. In another terminal, launch the Minikube dashboard.

    $ minikube dashboard
    
  2. Click Pods under Workloads to verify that vault-agent-example pod has been created successfully.

    Kubernetes

  3. Select vault-agent-example to see its details.

    Kubernetes

  4. In another terminal, port forward all requests made to http://localhost:8080 to port 80 on the vault-agent-example pod.

    $ kubectl port-forward pod/vault-agent-example 8080:80
    
  5. In a web browser, go to localhost:8080

    Kubernetes

    Notice that the username and password values were successfully read from secret/myapp/config.

  6. Optionally, you can view the HTML source.

    $ kubectl exec -it vault-agent-example --container nginx-container -- cat /usr/share/nginx/html/index.html
    <html>
    <body>
    <p>Some secrets:</p>
    <ul>
    <li><pre>username: appuser</pre></li>
    <li><pre>password: suP3rsec(et!</pre></li>
    </ul>
    
    </body>
    </html>
    

Azure Kubernetes Service Cluster

If you wish to test the Kubernetes auth method against an Azure Kubernetes Service (AKS) cluster instead of Minikube, you can run Terraform to provision an AKS cluster.

First, follow the instruction in the Terraform documentation to create a service principal.

Be sure to add the following Azure Active Directory Graph API permission to your app.

API permissions

Store the credentials as Environment Variables.

$ export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
$ export ARM_CLIENT_SECRET="00000000-0000-0000-0000-000000000000"
$ export ARM_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
$ export ARM_TENANT_ID="00000000-0000-0000-0000-000000000000"
  • Subscription ID: Navigate to the Subscriptions blade within the Azure Portal and copy the SUBSCRIPTION ID Subscription ID

  • Tenant ID: Navigate to the Azure Active Directory > Properties in the Azure Portal, and copy the Directory ID which is your tenant ID Tenant ID

  • Client ID: Same as the Application ID Client ID

  • Client secret: The password (credential) set on your application

  1. Set your working directory to where the learn-vault-agent/vault-agent-k8s-demo/terraform-azure folder is located.

  2. Modify terraform.tfvars.example and provide Azure credentials: client_id and client_secret, and save it as terraform.tfvars.

    Client ID: Same as the Application ID

    Client secret: The password (credential) set on your application

  3. Execute the Terraform commands to provision a new AKS cluster.

    Pull necessary plugins.

    $ terraform init
    

    Now, execute the apply command to build a new AKS cluster.

    $ terraform apply -auto-approve
    

    NOTE: If you received Resource group 'education-XXXXX-rg' could not be found error, run terraform refresh command.

    $ terraform refresh
    ...
    
    Outputs:
    
    kubernetes_cluster_name = education-xxxxxx-aks
    resource_group_name = education-xxxxxx-rg
    
  4. Now, view the information about the AKS cluster.

    $ kubectl cluster-info
    
    Kubernetes master is running at https://education.hcp.westus2.azmk8s.io:443
    Heapster is running at ...
    ...
    

    NOTE: Copy the Kubernetes master address (https://education.hcp.westus2.azmk8s.io:443 in this example).

  5. In the /vault-agent-k8s-demo/setup-k8s-auth.sh file, replace Line 48 to point to the AKS cluster address rather than export K8S_HOST=$(minikube ip). Also, replace Line 54 to point to the correct host address.

    Example:

    setup-k8s-auth.sh
    ...
    # Set K8S_HOST to minikube IP address
    # export K8S_HOST=$(minikube ip)
    export K8S_HOST="https://education.hcp.westus2.azmk8s.io:443"
    
    # Enable the Kubernetes auth method at the default path ("auth/kubernetes")
    vault auth enable kubernetes
    
    # Tell Vault how to communicate with the Kubernetes (Minikube) cluster
    # vault write auth/kubernetes/config token_reviewer_jwt="$SA_JWT_TOKEN" kubernetes_host="https://$K8S_HOST:8443" kubernetes_ca_cert="$SA_CA_CRT"
    vault write auth/kubernetes/config token_reviewer_jwt="$SA_JWT_TOKEN" kubernetes_host="$K8S_HOST" kubernetes_ca_cert="$SA_CA_CRT"
    ...
    
  6. Set the working directory to where scripts are located (learn-vault-agent/vault-agent-k8s-demo).

    $ cd ..
    
  7. Create a service account, vault-auth.

    $ kubectl create serviceaccount vault-auth
    
  8. Update the vault-auth service account based on the definition in the vault-auth-service-account.yaml file.

    $ kubectl apply --filename vault-auth-service-account.yaml
    
  9. Setup the Kubernetes auth method on the Vault server.

    $ ./setup-k8s-auth.sh
    
  10. Resume with the determine the Vault address step and on.

AKS Kubernetes Dashboard

Click on the Monitor containers in the Azure portal.

Kubernetes

Click the Enable button so that you can monitor the Kubernetes cluster utilization metrics.

Clean up

When you are done experimenting this demo, execute the following commands to clean up.

Execute the terraform command.

$ terraform apply -destroy -auto-approve

Remove the Terraform state files.

$ rm *tfstate*

Google Kubernetes Engine Cluster

  1. Set your working directory to where the learn-vault-agent/vault-agent-k8s-demo/terraform-gcp folder is located.

  2. Modify terraform.tfvars.example and provide GCP credentials: account_file_path and project, and save it as terraform.tfvars.

    Example:

    terraform.tfvars
    account_file_path = "/usr/student/gcp/vault-test-project.json"
    project  = "vault-test-project"
    
  3. Execute the Terraform commands to provision a new GKE cluster.

    Pull necessary plugins.

    $ terraform init
    

    Now, execute the apply command to build a new GKE cluster.

    $ terraform apply -auto-approve
    
  4. Connect to the GKE cluster.

    $ gcloud container clusters get-credentials $(terraform output gcp_cluster_name) \
            --zone $(terraform output gcp_zone) \
            --project $(terraform output gcp_project)
    
  5. Get the cluster information.

    $ kubectl cluster-info
    
    Kubernetes master is running at https://198.51.100.24
    GLBCDefaultBackend is running at https://198.51.100.24/api/v1/namespaces/...
    ...
    

    NOTE: If you don't have the gcloud command line tool installed, follow the online documentation.

  6. Copy the Kubernetes master address (https://198.51.100.24 in this example).

  7. In the /vault-agent-k8s-demo/setup-k8s-auth.sh file, replace Line 48 to point to the GKE cluster address rather than export K8S_HOST=$(minikube ip). Also, replace Line 54 to point to the correct host address.

    Example:

    setup-k8s-auth.sh
    ...
    # Set K8S_HOST to minikube IP address
    # export K8S_HOST=$(minikube ip)
    export K8S_HOST="https://198.51.100.24"
    
    # Enable the Kubernetes auth method at the default path ("auth/kubernetes")
    vault auth enable kubernetes
    
    # Tell Vault how to communicate with the Kubernetes (Minikube) cluster
    # vault write auth/kubernetes/config token_reviewer_jwt="$SA_JWT_TOKEN" kubernetes_host="https://$K8S_HOST:8443" kubernetes_ca_cert="$SA_CA_CRT"
    vault write auth/kubernetes/config token_reviewer_jwt="$SA_JWT_TOKEN" kubernetes_host="$K8S_HOST" kubernetes_ca_cert="$SA_CA_CRT"
    ...
    
  8. Set the working directory to where scripts are located (learn-vault-agent/vault-agent-k8s-demo).

    $ cd ..
    
  9. Create a service account, vault-auth.

    $ kubectl create serviceaccount vault-auth
    
  10. Update the vault-auth service account with definition provided in the vault-auth-service-account.yaml file.

    $ kubectl apply --filename vault-auth-service-account.yaml
    
  11. Setup the Kubernetes auth method on the Vault server.

    $ ./setup-k8s-auth.sh
    
  12. Resume with the determine the Vault address step and on.

Help and reference

  • Blog post: Why Use the Vault Agent for Secrets Management?
  • Video: Streamline Secrets Management with Vault Agent and Vault 0.11
  • Secure Introduction of Vault Clients
  • Vault Agent Auto-Auth
  • Kubernetes Auth Method
  • Kubernetes Auth Method (API)
  • Vault Kubernetes Workshop on Google Cloud Platform
  • Kubernetes Tutorials
  • Consul Template

Other Vault Agent tutorials:

  • Vault Agent Templates
  • Vault Agent Caching
  • Vault Agent Windows Service
  • Read Secrets From Vault Using Vault Agent
  • Using HashiCorp Vault Agent with .NET Core
 Previous
 Next

This tutorial also appears in:

  •  
    8 tutorials
    Vault Agent
    Use Vault Agent to authenticate and read secrets from Vault with little to no change in your application code.
    • Vault
  •  
    14 tutorials
    Auth Methods
    Vault clients must authenticate with Vault first and acquire a valid token. Learn available auth methods.
    • Vault

On this page

  1. Vault Agent with Kubernetes
  2. Challenge
  3. Solution
  4. Prerequisites
  5. Start a Vault server
  6. Create a service account
  7. Configure Kubernetes auth method
  8. Determine the Vault address
  9. Start Vault Agent with Auto-Auth
  10. Azure Kubernetes Service Cluster
  11. Google Kubernetes Engine Cluster
  12. Help and reference
Give Feedback(opens in new tab)
  • Certifications
  • System Status
  • Terms of Use
  • Security
  • Privacy
  • Trademark Policy
  • Trade Controls
  • Give Feedback(opens in new tab)