Enhancing Security in Amazon EKS with HashiCorp Vault

Introduction

As organizations migrate their applications to Kubernetes, managing secrets securely becomes crucial. HashiCorp Vault is a popular open-source tool that provides secrets management, encryption, and access control. When deployed in Amazon Elastic Kubernetes Service (EKS), Vault ensures that sensitive data such as API keys, passwords, and certificates are securely stored and accessed only by authorized applications and users.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Objective

To demonstrate how to deploy HashiCorp Vault on Amazon EKS and manage secrets securely.

Understanding HashiCorp Vault

HashiCorp Vault is an open-source tool to manage secrets and protect sensitive data. It offers:

Secure storage with encryption
Dynamic secrets management
Access control using policies
Audit logging for compliance
Integration with multiple authentication methods

Vault operates in client-server mode and can be deployed in different architectures, such as standalone, HA (High Availability), or integrated with cloud services like AWS.

Why Use HashiCorp Vault in Amazon EKS?

Deploying Vault in Amazon EKS provides:

Centralized secrets management for Kubernetes applications
Secure dynamic secrets generation (e.g., AWS IAM credentials, database credentials)
Kubernetes-native authentication for seamless integration
Encryption-as-a-service for protecting application data
Automated secrets rotation and revocation

Deployment Architecture

Vault can be deployed in Amazon EKS using different methods:

Standalone Deployment: For testing and non-production use cases
HA Deployment with Integrated Storage: Uses Raft storage for high-availability
HA Deployment with External Storage: Uses Amazon S3, Amazon DynamoDB, or Consul for durability

A typical Vault setup in Amazon EKS includes:

A Vault StatefulSet for running Vault instances
Persistent Volume Claims (PVCs) for storing secrets securely
Service Accounts & RBAC policies for authentication
Vault Agent Injector for automatic secret injection into pods

Installing and Configuring Vault on Amazon EKS

Prerequisites

AWS Account: Access to create Amazon EKS clusters.
Tools:
- kubectl configured for your Amazon EKS cluster.
- AWS CLI installed and configured.
- Helm installed.

Step 1: Set Up Amazon EKS Cluster

Create an Amazon EKS Cluster: We can create an Amazon EKS cluster using the AWS Management Console or AWS CLI. Here’s an example using AWS CLI:

aws eks create-cluster --name my-eks-cluster --role-arn <EKS-Role-ARN> --resources-vpc-config subnetIds=<subnet1>,<subnet2>,securityGroupIds=<sg>

1	aws eks create-cluster --name my-eks-cluster --role-arn <EKS-Role-ARN> --resources-vpc-config subnetIds=<subnet1>,<subnet2>,securityGroupIds=<sg>

Update kubeconfig: After the cluster is created, configure kubectl:

aws eks update-kubeconfig --name my-eks-cluster

1	aws eks update-kubeconfig --name my-eks-cluster

Step 2: Install Helm

Helm is used to deploy the vault into Kubernetes.

curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 |     bash

1	curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 \| bash

Step 3: Deploy the HashiCorp Vault

Add the HashiCorp Helm Repository: This will allow us to use the official vault helm chart.

helm repo add hashicorp https://helm.releases.hashicorp.com

helm repo update

helm repo add hashicorp https://helm.releases.hashicorp.com

helm repo update

Install HashiCorp Vault: Deploy Vault in “dev” mode for testing:

helm install vault hashicorp/vault --set "server.dev.enabled=true"

1	helm install vault hashicorp/vault --set "server.dev.enabled=true"

Check Deployment: Verify the pods are running:

kubectl get pods

1	kubectl get pods

Step 4: Initialize and Unseal Vault

After deploying Vault, initiate it and store the unseal keys and root token. Connect to the Vault pod

Access the Vault Pod:

kubectl exec -it <vault-pod-name> -- /bin/sh

1	kubectl exec -it <vault-pod-name> -- /bin/sh

Capture the unseal keys and root token.

Initialize Vault: Inside the pod:

vault operator init

1	vault operator init

Store the unseal keys and root token securely.

Unseal Vault: Use the provided unseal keys:

vault operator unseal <unseal-key-1>
vault operator unseal <unseal-key-2>
vault operator unseal <unseal-key-3>

4. Login to Vault:

vault login <root-token>

1	vault login <root-token>

Step 5: Store and Retrieve Secrets:

Store a Secret:

vault kv put secret/myapp username="myuser" password="mypassword"

1	vault kv put secret/myapp username="myuser" password="mypassword"

Retrieve a Secret:

vault kv get secret/myapp

1	vault kv get secret/myapp

Step 6: Integration with Kubernetes

Vault’s Kubernetes agent injector can inject secrets into my Kubernetes applications.

Enable Kubernetes Auth Method:

vault auth enable kubernetes

1	vault auth enable kubernetes

Configure the Kubernetes Auth Method: Write the configuration with your Kubernetes details:

vault write auth/kubernetes/config \

token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \

kubernetes_host="https://<KUBERNETES_API>" \

kubernetes_ca_cert="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"

vault write auth/kubernetes/config \

token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \

kubernetes_host="https://<KUBERNETES_API>" \

kubernetes_ca_cert="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"

Create a Policy: Define a policy to allow access to the secrets:

path "secret/myapp" {

    capabilities = ["read", "list"]

}

path "secret/myapp" {

capabilities = ["read", "list"]

}

Create a Kubernetes Service Account:

.yaml

  apiVersion: v1 
 kind: ServiceAccount 
 metadata: 
   name: vault-auth

apiVersion: v1

kind: ServiceAccount

metadata:

name: vault-auth

Bind the Policy to the Service Account:

vault write auth/kubernetes/groups/myapp policies=myapp-policy

1	vault write auth/kubernetes/groups/myapp policies=myapp-policy

Step 7: Use Vault in Your Applications

Deploy an application to Access Secrets:

Create a Kubernetes service account and deploy a pod using that service account. The pod will authenticate with the vault and retrieve secrets.
Deploy the app using the Vault agent to retrieve secrets:

.yaml

apiVersion: v1
kind: pod
metadata: 
  name: vault-agent-example
  labels:
    app: vault-agent-example
spec:
  serviceAccountName: exmple-service-account
  containers:
    - name: vault-agent-example
      image: nginx
      volumeMounts: 
        - name: vault-secrets
          mountPath: /etc/secrets
volumes: 
  - name: vault-secrets
    emptyDir: {}
    secret: 
      secretName: example-secret

apiVersion: v1

kind: pod

metadata:

name: vault-agent-example

labels:

app: vault-agent-example

spec:

serviceAccountName: exmple-service-account

containers:

- name: vault-agent-example

image: nginx

volumeMounts:

- name: vault-secrets

mountPath: /etc/secrets

volumes:

- name: vault-secrets

emptyDir: {}

secret:

secretName: example-secret

Conclusion

HashiCorp Vault provides a solution for securing secrets in an Amazon EKS environment. Applications can securely retrieve secrets by integrating Vault with Kubernetes authentication without exposing credentials in environment variables or configuration files.

Automating secret management in Kubernetes enhances security, compliance, and operational efficiency. This guide helps set up a basic Vault deployment in Amazon EKS. Still, organizations should further explore Vault features like auto-unseal with AWS KMS, dynamic secrets, and advanced access controls for production use.

Drop a query if you have any questions regarding HashiCorp Vault and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.

FAQs

1. Why should I use HashiCorp Vault in Amazon EKS instead of Kubernetes Secrets?

ANS: – Kubernetes Secrets are stored in etcd, which requires manual encryption setup and lacks strong access control, audit logging, and rotation capabilities. Vault provides:

Automatic encryption at rest.
Granular access control with Vault Policies.
Audit logs for every access.
Dynamic secrets and automated rotation.

2. What are the recommended deployment best practices for Vault in Amazon EKS?

ANS: – Deploy Vault using Helm.

Use Auto Unseal with AWS KMS.
Enable Audit Logs and forward them to Amazon CloudWatch or a log aggregator.
Use IRSA for pods accessing Vault.
Run Vault in HA mode across multiple availability zones.
Apply Vault Policies to control who can access which secrets.

WRITTEN BY Gopinatha N

Gopinath works as a Senior Research Associate at CloudThat, with experience focused on helping clients migrate to cloud-native environments and modernize their infrastructure. He is skilled in AWS, Azure, Docker, Kubernetes, and Terraform, with a strong background in automating deployments using Jenkins and AWS CodePipeline. Passionate about containerization, CI/CD, and building scalable, secure, and efficient systems, Gopinath is a motivated and dedicated professional who thrives in environments that encourage continuous learning and innovation.