Need to understand why vault stores secrets in plain text inside pods at client side

Hello Team,

I was going through the following doc Injecting Secrets into Kubernetes Pods via Vault Agent Containers | Vault | HashiCorp Developer to perform a quick POC on the vault agent to understand how the secrets are being retrieved and stored inside PODS.

During the POC, I noticed the secrets are stored as plain text inside a file:

cat /vault/secrets/database-config.txt
data: map[password:db-secret-password username:db-readonly-username]
metadata: map[created_time:2023-01-09T10:55:01.724393424Z custom_metadata: deletion_time: destroyed:false version:1]

Is there something I am missing here? The secrets should be encrypted at rest on the client side as well right?

Are there any configuration settings available to achieve this?

Thanks & Regards,

No. The design goal of that doc you linked is to expose secrets to the pod in a way that it can just read them from a simple file.

Hi maxb,

Thank you for the reply.
I understand from the comment that the doc is written to explain one of the use-case of the vault-agent.

We need to know, are there ways to encrypt secrets inside pods using vault agent?

Looking forward to get more details on this.


You might be interested in this part of the docs: Vault Agent Auto-Auth | Vault | HashiCorp Developer, but I imagine for most people this is just not worth the effort.

Do remember that if you’re already inside the pod, you can probably steal credit that will let you impersonate the pod to the Vault server anyway…