Introduction
As organizations migrate their applications to Kubernetes, managing secrets securely becomes crucial. HashiCorp Vault is a popular open-source tool that provides secrets management, encryption, and access control. When deployed in Amazon Elastic Kubernetes Service (EKS), Vault ensures that sensitive data such as API keys, passwords, and certificates are securely stored and accessed only by authorized applications and users.
Objective
To demonstrate how to deploy HashiCorp Vault on Amazon EKS and manage secrets securely.
Understanding HashiCorp Vault
HashiCorp Vault is an open-source tool to manage secrets and protect sensitive data. It offers:
- Secure storage with encryption
- Dynamic secrets management
- Access control using policies
- Audit logging for compliance
- Integration with multiple authentication methods
Vault operates in client-server mode and can be deployed in different architectures, such as standalone, HA (High Availability), or integrated with cloud services like AWS.
Why Use HashiCorp Vault in Amazon EKS?
Deploying Vault in Amazon EKS provides:
- Centralized secrets management for Kubernetes applications
- Secure dynamic secrets generation (e.g., AWS IAM credentials, database credentials)
- Kubernetes-native authentication for seamless integration
- Encryption-as-a-service for protecting application data
- Automated secrets rotation and revocation
Deployment Architecture
Vault can be deployed in Amazon EKS using different methods:
- Standalone Deployment: For testing and non-production use cases
- HA Deployment with Integrated Storage: Uses Raft storage for high-availability
- HA Deployment with External Storage: Uses Amazon S3, Amazon DynamoDB, or Consul for durability
A typical Vault setup in Amazon EKS includes:
- A Vault StatefulSet for running Vault instances
- Persistent Volume Claims (PVCs) for storing secrets securely
- Service Accounts & RBAC policies for authentication
- Vault Agent Injector for automatic secret injection into pods
Installing and Configuring Vault on Amazon EKS
Prerequisites
- AWS Account: Access to create Amazon EKS clusters.
- Tools:
  - kubectl configured for your Amazon EKS cluster.
  - AWS CLI installed and configured.
  - Helm installed.
Step 1: Set Up Amazon EKS Cluster
Create an Amazon EKS Cluster: We can create an Amazon EKS cluster using the AWS Management Console or AWS CLI. Here’s an example using AWS CLI:
```bash
aws eks create-cluster --name my-eks-cluster --role-arn <EKS-Role-ARN> \
    --resources-vpc-config subnetIds=<subnet1>,<subnet2>,securityGroupIds=<sg>
```
Update kubeconfig: After the cluster is created, configure kubectl:
```bash
aws eks update-kubeconfig --name my-eks-cluster
```
Step 2: Install Helm
Helm is used to deploy Vault into Kubernetes.
```bash
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
```
Step 3: Deploy the HashiCorp Vault
- Add the HashiCorp Helm Repository: This makes the official Vault Helm chart available.
```bash
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
```
- Install HashiCorp Vault: Deploy Vault in “dev” mode for testing:
```bash
helm install vault hashicorp/vault --set "server.dev.enabled=true"
```
- Check Deployment: Verify the pods are running:
```bash
kubectl get pods
```
Step 4: Initialize and Unseal Vault
After deploying Vault, initialize it and store the unseal keys and root token. First, connect to the Vault pod.
- Access the Vault Pod:
```bash
kubectl exec -it <vault-pod-name> -- /bin/sh
```
- Initialize Vault: Inside the pod, run:
```bash
vault operator init
```
The command prints the unseal keys and the root token; capture them and store them securely.
- Unseal Vault: Use the provided unseal keys:
```bash
vault operator unseal <unseal-key-1>
vault operator unseal <unseal-key-2>
vault operator unseal <unseal-key-3>
```
- Log in to Vault:
```bash
vault login <root-token>
```
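The init/unseal sequence above, driven from the operator's workstation instead of an interactive shell, as an added example that is not part of the original post. It assumes kubectl reaches the cluster, that the pod name and output path are placeholders you supply, and that Vault was installed without `server.dev.enabled=true` (a dev-mode server starts already initialized and unsealed, so `vault operator init` has nothing to do there).

```python
"""Initialise and unseal a freshly installed (non-dev) Vault pod on EKS from the
operator's workstation. Added example, not the post's code: assumes kubectl reaches
the cluster and the pod has not been initialised yet; names below are placeholders."""
import json
import os
import subprocess
import sys

KEY_SHARES, KEY_THRESHOLD = 5, 3   # Shamir shares to issue / shares needed to unseal


def vault_in_pod(pod: str, *args: str, namespace: str = "default") -> str:
    """Run a vault CLI command inside the Vault pod and return its stdout."""
    cmd = ["kubectl", "exec", "-n", namespace, pod, "--", "vault", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def select_unseal_keys(init_output: str, threshold: int) -> list[str]:
    """Pick `threshold` distinct shares from `vault operator init -format=json` output.

    Refuses to proceed with fewer shares than the threshold instead of
    submitting a short list that leaves Vault sealed.
    """
    keys = json.loads(init_output)["unseal_keys_b64"]
    if len(keys) < threshold:
        raise ValueError(f"need {threshold} shares, init output carries {len(keys)}")
    return keys[:threshold]


def save_init_output(init_output: str, path: str) -> None:
    """Persist shares and root token to a new file only the operator can read (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(init_output)


def init_and_unseal(pod: str, out_path: str) -> bool:
    """Initialise, store the shares, submit threshold keys; returns True if still sealed."""
    raw = vault_in_pod(pod, "operator", "init", f"-key-shares={KEY_SHARES}",
                       f"-key-threshold={KEY_THRESHOLD}", "-format=json")
    save_init_output(raw, out_path)   # before unsealing: losing these shares loses the Vault
    sealed = True
    for key in select_unseal_keys(raw, KEY_THRESHOLD):
        status = json.loads(vault_in_pod(pod, "operator", "unseal", "-format=json", key))
        sealed = status["sealed"]
    return sealed


if __name__ == "__main__":          # usage: python3 vault_init.py vault-0 ./vault-init.json
    print("still sealed" if init_and_unseal(sys.argv[1], sys.argv[2]) else "unsealed")
```

After it runs, hand the shares to separate custodians and delete the local file; the root token should be revoked once the Kubernetes auth method and policies from Step 6 are in place.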
Step 5: Store and Retrieve Secrets
- Store a Secret:
```bash
vault kv put secret/myapp username="myuser" password="mypassword"
```
- Retrieve a Secret:
```bash
vault kv get secret/myapp
```
Step 6: Integration with Kubernetes
Vault's Agent Injector can inject secrets into your Kubernetes applications.
- Enable Kubernetes Auth Method:
```bash
vault auth enable kubernetes
```
- Configure the Kubernetes Auth Method: Write the configuration with your Kubernetes details:
```bash
# Run from inside the Vault pod so the service account token and CA paths below exist.
vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://<KUBERNETES_API>" \
    kubernetes_ca_cert="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"
```
- Create a Policy: Define a policy to allow access to the secrets:
```hcl
# Save as myapp-policy.hcl and load it with: vault policy write myapp-policy myapp-policy.hcl
# The dev-mode KV engine at secret/ is version 2, so data is read under secret/data/<name>
# and listed under secret/metadata/<name>.
path "secret/data/myapp" {
  capabilities = ["read"]
}
path "secret/metadata/myapp" {
  capabilities = ["list"]
}
```
- Create a Kubernetes Service Account:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
```
- Bind the Policy to the Service Account:
```bash
# A Kubernetes auth role maps the service account (and its namespace) to the policy.
vault write auth/kubernetes/role/myapp bound_service_account_names=vault-auth \
    bound_service_account_namespaces=default policies=myapp-policy ttl=1h
```
Step 7: Use Vault in Your Applications
Deploy an application to access secrets:
- Create a Kubernetes service account and deploy a pod using that service account. The pod will authenticate with Vault and retrieve secrets.
- Deploy the app using the Vault Agent to retrieve secrets:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: vault-agent-example
  labels:
    app: vault-agent-example
  annotations:
    # Ask the Vault Agent Injector to add a sidecar that logs in with this pod's
    # service account and renders the secret to /vault/secrets/myapp.
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "myapp"
    vault.hashicorp.com/agent-inject-secret-myapp: "secret/data/myapp"
spec:
  # Must be a service account bound in the Vault Kubernetes auth role from Step 6.
  serviceAccountName: example-service-account
  containers:
    - name: vault-agent-example
      image: nginx
```
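Steps 6 and 7 only work when three things agree: the pod's injector annotations, the Kubernetes auth role that binds its service account, and the policy that grants the read. The following pre-flight check is an added example, not the post's or HashiCorp's code; the policy, role and pod it checks are constructed samples, and it models Vault's policy path matching only for exact paths, `+` segments and trailing `*` globs.

```python
"""Pre-flight check that a pod's injector annotations, the Kubernetes auth role and the
Vault policy agree before deploying (added example; role, policy and pod are constructed)."""
import re

_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]')
INJECT = "vault.hashicorp.com/agent-inject-secret-"   # annotation prefix the injector reads

def parse_policy(hcl: str) -> dict[str, set[str]]:
    """Vault policy HCL -> {path rule: {capabilities}}."""
    return {p: {c.strip().strip('"') for c in caps.split(",") if c.strip()}
            for p, caps in _RULE.findall(hcl)}

def path_matches(rule: str, path: str) -> bool:
    """Policy path matching: '+' matches one segment, a trailing '*' matches any suffix."""
    pattern = "/".join(r"[^/]+" if s == "+" else re.escape(s) for s in rule.split("/"))
    if rule.endswith("*"):
        pattern = pattern[:-2] + ".*"                   # swap the escaped '\*' for a wildcard
    return re.fullmatch(pattern, path) is not None

def policy_allows(policy: dict[str, set[str]], path: str, cap: str) -> bool:
    """Exact rules beat globs and longer globs beat shorter ones, as in Vault."""
    rules = [r for r in policy if path_matches(r, path)]
    if not rules:
        return False
    best = max(rules, key=lambda r: (not r.endswith("*"), len(r)))
    return cap in policy[best] and "deny" not in policy[best]

def check_pod(pod: dict, role: dict, policy: dict[str, set[str]]) -> list[str]:
    """List what would make the injector skip the pod, the login fail, or the read be denied."""
    ann, sa, ns = pod["annotations"], pod["serviceAccountName"], pod["namespace"]
    problems = []
    if ann.get("vault.hashicorp.com/agent-inject") != "true":
        problems.append('agent-inject is not "true": the injector ignores this pod')
    if ann.get("vault.hashicorp.com/role") != role["name"]:
        problems.append(f"role annotation does not name {role['name']!r}")
    if sa not in role["bound_service_account_names"] or ns not in role["bound_service_account_namespaces"]:
        problems.append(f"role {role['name']!r} does not bind {ns}/{sa}: login would be denied")
    for key, path in ann.items():
        if key.startswith(INJECT) and path.startswith("secret/") and not path.startswith("secret/data/"):
            problems.append(f"{path}: KV v2 at secret/ is read via secret/data/<name>")
        elif key.startswith(INJECT) and not policy_allows(policy, path, "read"):
            problems.append(f"{path}: no policy rule grants read")
    return problems

# Constructed sample mirroring the post's Step 6/7: policy, Kubernetes auth role and pod.
POLICY = parse_policy('path "secret/data/myapp" { capabilities = ["read"] }')
ROLE = {"name": "myapp", "bound_service_account_names": ["vault-auth"], "bound_service_account_namespaces": ["default"]}
POD = {"namespace": "default", "serviceAccountName": "vault-auth", "annotations": {
    "vault.hashicorp.com/agent-inject": "true", "vault.hashicorp.com/role": "myapp",
    INJECT + "myapp": "secret/data/myapp"}}
```

`check_pod(POD, ROLE, POLICY)` returns an empty list for the sample; change the pod's service account to one the role does not bind, or point the inject annotation at `secret/myapp`, and it names the failure before the pod is ever scheduled.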
Conclusion
Automating secret management in Kubernetes enhances security, compliance, and operational efficiency. This guide helps set up a basic Vault deployment in Amazon EKS. Still, organizations should further explore Vault features like auto-unseal with AWS KMS, dynamic secrets, and advanced access controls for production use.
Drop a query if you have any questions regarding HashiCorp Vault and we will get back to you quickly.
About CloudThat
CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.
FAQs
1. Why should I use HashiCorp Vault in Amazon EKS instead of Kubernetes Secrets?
ANS: – Kubernetes Secrets are stored in etcd, which requires manual encryption setup and lacks strong access control, audit logging, and rotation capabilities. Vault provides:
- Automatic encryption at rest.
- Granular access control with Vault Policies.
- Audit logs for every access.
- Dynamic secrets and automated rotation.
2. What are the recommended deployment best practices for Vault in Amazon EKS?
ANS: –
- Deploy Vault using Helm.
- Use Auto Unseal with AWS KMS.
- Enable Audit Logs and forward them to Amazon CloudWatch or a log aggregator.
- Use IRSA for pods accessing Vault.
- Run Vault in HA mode across multiple availability zones.
- Apply Vault Policies to control who can access which secrets.
WRITTEN BY Gopinatha N