The product described by this documentation, Anthos Clusters on AWS (previous generation), is now in maintenance mode. All new installs must use the current generation product, Anthos clusters on AWS.
# Using HashiCorp Vault on GKE on AWS

[HashiCorp Vault](https://www.vaultproject.io/) is a third-party secrets management solution that integrates with Kubernetes and GKE on AWS.

**Note:** This section is not meant as an endorsement or recommendation to use HashiCorp Vault.

You can deploy Vault on GKE on AWS using:

- HashiCorp's official [Helm chart](https://www.vaultproject.io/docs/platform/k8s/helm/)
- [Vault on GKE](https://github.com/sethvargo/vault-on-gke), which is installed with Terraform.

You can access Vault secrets inside Pods using the Agent Sidecar Injector. The injector is a [Kubernetes Mutating Webhook Controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). The controller intercepts Pod events and updates the Pod's configuration.

The Vault Agent Injector uses a Pod's Kubernetes Service Account (KSA) with the Vault Kubernetes Auth method. The KSA must be bound to a Vault role with a policy granting access to the secrets.

Once configured, you can request secrets by annotating a Pod.

The following snippet includes annotations that you would add to a Pod. If the `myapp` role has access to the secret `secret/banana`, Vault mounts it at `/vault/secrets/apple`.

```yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-apple: "secret/banana"
        vault.hashicorp.com/role: "myapp"
```

You can apply this configuration:

- To a Pod with `kubectl edit pod/POD_NAME`.
- To a Deployment with `kubectl edit deployment/DEPLOYMENT_NAME`.

What's next
-----------

- Read the [Vault Injector](https://www.vaultproject.io/docs/platform/k8s/injector/) documentation.
- Review the [vault-k8s GitHub repository](https://github.com/hashicorp/vault-k8s).
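The check below is an added example, not code from this page or from HashiCorp: it takes the annotation snippet above together with a constructed view of the Vault Kubernetes auth role and its policy, and reports every reason the injected sidecar would fail to render a secret (missing `agent-inject`, role or service-account mismatch, no `read` capability on the requested path), using Vault's policy path globbing (`+` for one segment, trailing `*` for any suffix). The dict layout used for the role and policy is an assumption made for the example.

```python
import re
PREFIX = "vault.hashicorp.com/"
SECRET_KEY = PREFIX + "agent-inject-secret-"

def vault_path_matches(policy_path: str, secret_path: str) -> bool:
    """Vault policy globbing: '+' matches one path segment, a trailing '*'
    matches any suffix, everything else is literal."""
    segs = policy_path.split("/")
    pattern = []
    for i, seg in enumerate(segs):
        if seg == "+":
            pattern.append("[^/]+")
        elif i == len(segs) - 1 and seg.endswith("*"):
            pattern.append(re.escape(seg[:-1]) + ".*")
        else:
            pattern.append(re.escape(seg))
    return re.fullmatch("/".join(pattern), secret_path) is not None

def check_injection(pod_template: dict, namespace: str, role: dict):
    """Return (mounts, problems). Role binding lists are matched literally;
    Vault also accepts "*" there, which is not modelled here."""
    ann = pod_template["metadata"].get("annotations", {})
    ksa = pod_template["spec"].get("serviceAccountName", "default")
    problems = []
    if ann.get(PREFIX + "agent-inject") != "true":
        problems.append('agent-inject is not "true": no sidecar will be injected')
    if ann.get(PREFIX + "role") != role["name"]:
        problems.append(f"role annotation {ann.get(PREFIX + 'role')!r} != Vault role {role['name']!r}")
    if ksa not in role["bound_service_account_names"]:
        problems.append(f"KSA {ksa!r} is not bound to Vault role {role['name']!r}")
    if namespace not in role["bound_service_account_namespaces"]:
        problems.append(f"namespace {namespace!r} is not bound to Vault role {role['name']!r}")
    mounts = {}  # /vault/secrets/<name> -> Vault path the sidecar renders there
    for key, secret_path in ann.items():
        if not key.startswith(SECRET_KEY):
            continue
        mount = "/vault/secrets/" + key[len(SECRET_KEY):]
        mounts[mount] = secret_path
        if not any(vault_path_matches(p, secret_path) and "read" in caps
                   for p, caps in role["policies"].items()):
            problems.append(f"policy grants no read on {secret_path!r} (wanted at {mount})")
    return mounts, problems

# Constructed inputs: the page's annotations plus a KSA name, and a hand-written
# view of the Vault Kubernetes auth role `myapp` and the policy it grants.
ANN = {PREFIX + "agent-inject": "true", PREFIX + "role": "myapp",
       SECRET_KEY + "apple": "secret/banana"}
POD = {"metadata": {"annotations": ANN}, "spec": {"serviceAccountName": "myapp"}}
ROLE = {"name": "myapp", "bound_service_account_names": ["myapp"],
        "bound_service_account_namespaces": ["default"], "policies": {"secret/banana": ["read"]}}
```

Running the same check with the annotation pointing at `secrets/banana` instead of `secret/banana` reports that the role's policy grants no read on that path, which is exactly the silent mismatch that leaves `/vault/secrets/apple` empty in the Pod.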