Is it possible to inject Vault token to AWS EMR Cluster nodes?


Is it possible to provide Vault token to EC2 instances initiated by EMR cluster?

The flow: each time EMR creates a new EC2 instance, we need to automatically set up Vault Agent on it… So, what will be the best way to provide the RoleID and SecretID for the agent configuration?


I had to interact with Vault using an EMR cluster recently. I didn’t really want to make a custom AMI to put Vault on the instances (plus I would have had DNS issues), so I followed this gist:

Using the Python 2 code (as boto3 wasn’t installed by default for Python 3), I used this to get a Vault token for my EMR instances (from an AWS-backed Vault role) via a bash script I wrote. I could then use the Vault token with curl to interact with Vault.
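Both posts above point at the same underlying choice: if the EMR nodes run under an instance profile, the AWS auth method lets Vault Agent log in with the node's own IAM identity, so no RoleID/SecretID ever has to be baked into an AMI or handed out by a bootstrap action. The configuration below is an added example, not code from either poster or from the gist; the Vault address, the `emr-node` role name, the mount path and the sink path are all assumed placeholders. The Vault side of it is a role on `auth/aws` of type `iam` bound to the EMR instance-profile role ARN; the agent then writes its token to a local file that jobs on the node can read.

```hcl
# /etc/vault-agent.d/agent.hcl (assumed path), installed by an EMR bootstrap action.
# Assumes the EMR instance profile role is bound to the Vault role "emr-node".

pid_file = "/var/run/vault-agent.pid"

vault {
  # assumed Vault address; use the internal endpoint reachable from the EMR subnet
  address = "https://vault.example.internal:8200"
}

auto_auth {
  # IAM auth: the agent signs an STS GetCallerIdentity request with the
  # instance-profile credentials, so no static secret is shipped to the node.
  method "aws" {
    mount_path = "auth/aws"
    config = {
      type = "iam"
      role = "emr-node"
    }
  }

  # The token is only ever written to a root-owned file with restrictive mode;
  # processes on the node that need Vault read it from here instead of
  # receiving it through bootstrap arguments or environment variables.
  sink "file" {
    config = {
      path = "/run/vault/token"
      mode = 0600
    }
  }
}
```

Restricting the Vault role with `bound_iam_principal_arn` to the EMR EC2 instance-profile role (and, if the cluster is pinned to one account, `bound_account_id`) keeps an unrelated instance with a different profile from obtaining the token, which is the main check to verify when reviewing this setup.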