Using HashiCorp Vault on GKE on AWS

HashiCorp Vault is a third-party secrets management solution that integrates with Kubernetes and GKE on AWS.

You can deploy Vault on GKE on AWS using:

You can access Vault secrets inside Pods by using the Vault Agent Sidecar Injector. The injector is a Kubernetes mutating admission webhook: it intercepts Pod creation requests and patches the Pod spec before the Pod is scheduled, adding a Vault Agent init container that fetches the requested secrets before the application container starts, a Vault Agent sidecar that renews the Vault token and keeps the secrets up to date, and a shared in-memory volume mounted at /vault/secrets that both agents write to and the application reads from.

The Vault Agent Injector authenticates to Vault with the Pod's Kubernetes Service Account (KSA) token through the Vault Kubernetes Auth method. The KSA, identified by name and namespace, must be bound to a Vault role, and that role must have a policy attached that grants read access to the secrets the Pod requests. The Pod must also run as that KSA (spec.serviceAccountName); a Pod running as a different service account cannot log in to the role even if it carries the annotations.

Once configured, you can request secrets by annotating a Pod.

The following snippet includes annotations that you would add to a Pod template. If the myapp role has read access to the secret at secret/banana, Vault Agent writes it to /vault/secrets/apple inside the Pod: the suffix of the agent-inject-secret-<name> annotation becomes the file name, and the annotation's value is the Vault path to read. (On a KV version 2 mount the path must include the data segment, for example secret/data/banana, in both the annotation and the policy.)

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-apple: "secret/banana"
        vault.hashicorp.com/role: "myapp"

You can apply this configuration:

  • To a Deployment with kubectl edit deployment/deployment-name. The annotations go in the Pod template (spec.template.metadata), so the edit starts a rollout and the injector mutates each new Pod as it is created.
  • To a single Pod with kubectl edit pod/pod-name. Note that the injector acts at admission time, when the Pod is created, and Kubernetes does not allow containers to be added to a running Pod, so annotating an existing Pod does not inject the agent into it. Delete and recreate the Pod, or put the annotations in the manifest before you create it.
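The following script is an added example that is not part of this page, of HashiCorp's documentation, or of the vault-helm chart. It ties together the two halves of the binding described above: the Vault side (policy, Kubernetes auth role bound to a KSA name and namespace) and the Kubernetes side (ServiceAccount plus a Deployment whose Pod template carries the injector annotations and runs as that KSA). The names myapp, the default namespace, a KV version 1 mount at secret/banana, and the KUBERNETES_HOST and VAULT_ADDR environment variables are assumptions for illustration. Without VAULT_ADDR and KUBERNETES_HOST set and a vault CLI on the PATH, the script only renders the manifest it would apply.

```shell
#!/bin/sh
# Added example (not from the GKE on AWS docs or from HashiCorp's vault-helm chart).
# Assumptions: the Kubernetes auth method is mounted at auth/kubernetes, the role
# and the KSA are both named "myapp" in namespace "default", and the secret lives
# at secret/banana on a KV v1 mount (a KV v2 mount needs secret/data/banana in
# BOTH the policy and the annotation).
set -eu

VAULT_ROLE="${VAULT_ROLE:-myapp}"
KSA_NAME="${KSA_NAME:-myapp}"
KSA_NAMESPACE="${KSA_NAMESPACE:-default}"
SECRET_PATH="${SECRET_PATH:-secret/banana}"

# Least-privilege policy: read capability on exactly the path the annotation requests.
vault_policy_hcl() {
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$SECRET_PATH"
}

# Role binding. Binding the namespace as well as the KSA name is what stops a KSA
# with the same name in another namespace from logging in as this role.
vault_role_args() {
  printf '%s\n' \
    "bound_service_account_names=${KSA_NAME}" \
    "bound_service_account_namespaces=${KSA_NAMESPACE}" \
    "token_policies=${VAULT_ROLE}" \
    "token_ttl=1h"
}

# Where the injector writes a secret: agent-inject-secret-<name> -> /vault/secrets/<name>
inject_path() {
  printf '/vault/secrets/%s\n' "${1#vault.hashicorp.com/agent-inject-secret-}"
}

# Kubernetes side: the ServiceAccount, and a Deployment whose Pod template carries
# the annotations from the page and runs as that ServiceAccount.
deployment_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${KSA_NAME}
  namespace: ${KSA_NAMESPACE}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${KSA_NAME}
  namespace: ${KSA_NAMESPACE}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ${KSA_NAME}
  template:
    metadata:
      labels:
        app: ${KSA_NAME}
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-apple: "${SECRET_PATH}"
        vault.hashicorp.com/role: "${VAULT_ROLE}"
    spec:
      serviceAccountName: ${KSA_NAME}
      containers:
        - name: app
          image: busybox:1.36
          command: ["sh", "-c", "cat /vault/secrets/apple && sleep 3600"]
EOF
}

# Vault side. Run with a vault CLI that is logged in with rights to configure auth
# methods and policies. KUBERNETES_HOST is the API server URL that the Vault server
# (not this shell) will reach for TokenReview.
configure_vault() {
  vault auth enable kubernetes 2>/dev/null || true   # already enabled on re-runs
  vault write auth/kubernetes/config kubernetes_host="$KUBERNETES_HOST"
  vault_policy_hcl | vault policy write "$VAULT_ROLE" -
  # shellcheck disable=SC2046  # word-splitting the key=value lines is intended
  vault write "auth/kubernetes/role/${VAULT_ROLE}" $(vault_role_args)
}

# Only touch a real Vault and cluster when the environment says so; otherwise
# just render the manifest that would be applied.
if [ -n "${VAULT_ADDR:-}" ] && [ -n "${KUBERNETES_HOST:-}" ] && command -v vault >/dev/null 2>&1; then
  configure_vault
  deployment_manifest | kubectl apply -f -
else
  deployment_manifest
fi
```

After the rollout, kubectl exec into the Pod and read /vault/secrets/apple to confirm the injection; if the init container fails with a permission denied error from Vault, check that the policy path matches the annotation value exactly (including the data segment on KV v2) and that the Pod's serviceAccountName and namespace match the role's bound_service_account_* fields.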

What's next