Injecting a token in k8s

hashicorp6 · July 13, 2021, 4:31pm

I’ve got Vault running in Kubernetes, and I’d like to inject a token into a pod. I looked through the injector documentation but I couldn’t find anything that would work.

I have a secret store and a policy for it:

vault secrets enable -path=my-secrets kv
vault policy write my-policy - <<EOF
path "my-secrets/*" {
    capabilities = ["read"]
}
EOF

Now I would generate a token under this policy:

vault token create -policy=my-policy

This is the type of token I need to inject into my pod, as the service running in the pod needs access to Vault itself, not specific secrets.

Ideally renewals would be handled automatically (which is the main reason I’m asking, as tokens have a max TTL of 32 days so I can’t just write it manually as a Secret in k8s).

jeffsanicola · July 13, 2021, 6:11pm

Can you provide a little more detail around your scenario particularly what your pod needs to do?

Barring that, my first thought is that you should have a look at the Kubernetes auth method as this would eliminate the need for a static token to be dropped in your pod for authentication purposes. Also consider leveraging the “period” parameter in the auth role creation which would enable you to setup a Vault role that can stay logged in as long as the pod is up and running and communicating with Vault.

For secret retrieval/interaction you could leverage the CSI provider.

Hopefully this helps!

Topic		Replies	Views
Vault with csi-provider Vault	2	395	May 24, 2022
Vault Agent doesn't inject SideCar container to newly created K8S node Vault	3	1414	March 11, 2023
Can't get vault-agent-init container to get a secret from Vault Vault k8s , vault	1	3059	September 28, 2021
Vault Agent Injector Authentication (vault-k8s) Vault k8s , vault	0	321	January 4, 2023
Injecting secrets into a pod remotely Vault k8s	2	402	July 25, 2020

Injecting a token in k8s

Related topics