The product described by this documentation, Anthos Clusters on AWS (previous generation), is now in maintenance mode. All new installs must use the current generation product, Anthos clusters on AWS.

Using HashiCorp Vault on GKE on AWS

HashiCorp Vault is a third-party secrets management solution that integrates with Kubernetes and GKE on AWS.

You can deploy Vault on GKE on AWS using:

HashiCorp's official Helm chart
Vault on GKE, which is installed with Terraform.

You can access Vault secrets inside pods using the Agent Sidecar injector. The injector is a Kubernetes Mutating Webhook Controller. The controller intercepts Pod events and updates the Pod's configuration.

The Vault Agent Injector uses a Pod's Kubernetes Service Account (KSA) with the Vault Kubernetes Auth method. The KSA account must be bound to a Vault role with a policy granting access to the secrets.

Once configured, you can request secrets by annotating a Pod.

The following snippet includes annotations that you would add to a Pod. If the myapp role has access to Secret secret/banana, Vault mounts it at /vault/secrets/apple.

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-apple: "secrets/banana"
        vault.hashicorp.com/role: "myapp"

You can apply this configuration:

To a Pod with kubectl edit pod/pod-name.
To a Deployment with kubectl edit deployment/deployment-name.

What's next

Read the Vault Injector documentation.
Review the vault-k8s GitHub repository.