Access Vault Cluster created in Vault Cloud from pod in GKE

I have created a vault cluster using vault cloud and need to inject the secret from the pod deployed in a GKE cluster. Please suggest how to proceed.
I am using environment variables in the deployment manifest file:

  • name: VAULT_ADDR
  • name: VAULT_TOKEN

But this does not seem to connect.
I get the error:
2021-06-15T16:17:49.778Z [ERROR] auth.handler: error authenticating: error="context deadline exceeded" backoff=32.36s

Please suggest.

Hi @ayush.kumar1, deadline exceeded sounds like it’s likely a network connectivity issue to me. Is the VAULT_ADDR URL available over the public internet?

I think we only support AWS regions for HVNs at the moment, so to access your HCP Vault cluster (which is in an AWS region) from GKE, it would need to be over a public internet URL. Although note that exposing your Vault cluster to the public internet is “Not recommended for production clusters or services”, as per the option in the HCP portal. Sorry it’s probably not the answer you were looking for!

Hi @tomhjp: If I enable VAULT_ADDR over the public internet, do I need to hardcode the VAULT_TOKEN as an environment variable in the manifest file to access the VAULT_ADDR?

You’ll still have all of the normal auth methods available to you, including token if that’s what you choose. Kubernetes auth is generally going to be a better fit within a GKE cluster though.

You have a few options for implementing that:

  • Use the k8s auth login API directly from your pod’s application. You can use this to trade your Kubernetes service account token for a Vault token which in turn you can use to fetch Vault secrets. There are some open source Vault client libraries in a few different languages to help interact with the API.
  • Use the Vault Agent sidecar injector. Learn tutorial here.
  • Use Vault CSI Provider. Learn tutorial here.

The latter two don’t require your application to interact directly with Vault. There are some points of comparison for those two in this issue.
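The first option above (calling the Kubernetes auth login API from the pod's own code), as an added example that is not from this thread or from any HashiCorp client library. It assumes a Kubernetes auth method mounted at auth/kubernetes with a role named app, a KV v2 engine at secret/ holding app/db, and the HCP Vault "admin" namespace; the HTTP transport is a swappable argument so the whole flow runs offline against constructed responses.

```python
import json
import pathlib
import urllib.request

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # projected into every pod by the kubelet

def default_http(url, data=None, headers=None):
    # Minimal transport: POST when a body is given, GET otherwise; returns the raw response bytes.
    req = urllib.request.Request(url, data=data, headers=headers or {}, method="POST" if data else "GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

def k8s_login(vault_addr, role, jwt, http=default_http, mount="kubernetes", namespace=None):
    # Trade the pod's service account JWT for a short-lived Vault token (Kubernetes auth method).
    headers = {"Content-Type": "application/json"}
    if namespace:  # assumption: HCP Vault mounts live under the "admin" namespace
        headers["X-Vault-Namespace"] = namespace
    body = json.dumps({"role": role, "jwt": jwt}).encode()
    auth = json.loads(http(f"{vault_addr.rstrip('/')}/v1/auth/{mount}/login", body, headers))["auth"]
    return {"token": auth["client_token"], "ttl": auth["lease_duration"], "renewable": auth["renewable"]}

def read_kv2_secret(vault_addr, token, mount, path, http=default_http, namespace=None):
    # Read a KV v2 secret with the login token, so no static VAULT_TOKEN has to sit in the manifest.
    headers = {"X-Vault-Token": token, **({"X-Vault-Namespace": namespace} if namespace else {})}
    resp = json.loads(http(f"{vault_addr.rstrip('/')}/v1/{mount}/data/{path}", None, headers))
    return resp["data"]["data"]

def fetch_secret(vault_addr, role, mount, path, http=default_http, namespace=None, jwt=None):
    # End to end: use the projected SA token (unless a jwt is supplied), log in, fetch the secret.
    jwt = jwt or pathlib.Path(SA_TOKEN_PATH).read_text().strip()
    token = k8s_login(vault_addr, role, jwt, http, namespace=namespace)["token"]
    return read_kv2_secret(vault_addr, token, mount, path, http, namespace)

# Constructed sample responses (not captured from a real cluster) so the flow can run offline.
FAKE_RESPONSES = {
    "/v1/auth/kubernetes/login": {"auth": {"client_token": "hvs.EXAMPLE", "lease_duration": 3600, "renewable": True}},
    "/v1/secret/data/app/db": {"data": {"data": {"username": "app", "password": "example-pw"}}},
}

def fake_http(url, data=None, headers=None):
    # Offline transport answering from FAKE_RESPONSES; the secret read must present the token from login.
    key = "/v1" + url.split("/v1", 1)[1]
    assert key.endswith("/login") or headers.get("X-Vault-Token") == "hvs.EXAMPLE"
    return json.dumps(FAKE_RESPONSES[key]).encode()

def demo():
    # Run the whole exchange offline against the fake transport with a constructed JWT.
    return fetch_secret("https://vault-cluster.example.hashicorp.cloud:8200", "app", "secret", "app/db",
                        http=fake_http, namespace="admin", jwt="eyJ.constructed.jwt")
```

In a real pod, drop the `http=` and `jwt=` arguments so the projected service account token and the live HTTP transport are used; the Vault token returned by login expires after its TTL, so renew or re-login rather than caching it indefinitely.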