Injecting a token in k8s

I’ve got Vault running in Kubernetes, and I’d like to inject a token into a pod. I looked through the injector documentation but I couldn’t find anything that would work.

I have a secret store and a policy for it:

vault secrets enable -path=my-secrets kv
vault policy write my-policy - <<EOF
path "my-secrets/*" {
    capabilities = ["read"]

Now I would generate a token under this policy:

vault token create -policy=my-policy

This is the type of token I need to inject into my pod, as the service running in the pod needs access to Vault itself, not specific secrets.

Ideally renewals would be handled automatically (which is the main reason I’m asking, as tokens have a max TTL of 32 days so I can’t just write it manually as a Secret in k8s).

Can you provide a little more detail around your scenario particularly what your pod needs to do?

Barring that, my first thought is that you should have a look at the Kubernetes auth method as this would eliminate the need for a static token to be dropped in your pod for authentication purposes. Also consider leveraging the “period” parameter in the auth role creation which would enable you to setup a Vault role that can stay logged in as long as the pod is up and running and communicating with Vault.

For secret retrieval/interaction you could leverage the CSI provider.

Hopefully this helps!