A new version of Anthos clusters on AWS (GKE on AWS) was released on February 3. For more information, see the release notes.

Using HashiCorp Vault on Anthos clusters on AWS

HashiCorp Vault is a third-party secrets management solution that integrates with Kubernetes and Anthos clusters on AWS.

You can deploy Vault on Anthos clusters on AWS using:

You can access Vault secrets inside pods using the Agent Sidecar injector. The injector is a Kubernetes Mutating Webhook Controller. The controller intercepts Pod events and updates the Pod's configuration.

The Vault Agent Injector uses a Pod's Kubernetes Service Account (KSA) with the Vault Kubernetes Auth method. The KSA account must be bound to a Vault role with a policy granting access to the secrets.

Once configured, you can request secrets by annotating a Pod.

The following snippet includes annotations that you would add to a Pod. If the myapp role has access to Secret secret/banana, Vault mounts it at /vault/secrets/apple.

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-apple: "secrets/banana"
        vault.hashicorp.com/role: "myapp"

You can apply this configuration:

  • To a Pod with kubectl edit pod/pod-name.
  • To a Deployment with kubectl edit deployment/deployment-name.

What's next