Using AWS instance profiles or IAM policies for awskms unseal and s3 storage

I’m looking to run Vault in an EKS cluster and would like to use the awskms unseal feature and S3 for storage. The documentation seems to require putting an AWS API key in the Vault configuration file. Is it possible to use an AWS instance profile for the node that Vault is running on, or an IAM Role associated with Vault’s ServiceAccount, instead?

Unless those worker nodes are dedicated to Vault it would be dangerous to give the whole instance access to the KMS.

Yes, it is doable, but I would advise against it … but then if you don’t have a choice and can’t generate IAM credentials you may have to do it and just taint the nodes. Without tainting, you would have to give “all” of the nodes the same profile and access (READ ONLY ACCESS) to the KMS key.

Yes, I see your point. I will have to do it through the ServiceAccount, API keys and environment variables, I guess.
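For reference, the following is an added example of the approach the thread ends up at (a Vault configuration that carries no static AWS keys and relies on an IAM role bound to the pod's ServiceAccount); it was not posted by any participant and is not from the Vault documentation. It assumes IRSA is already in place: an IAM role whose trust policy allows the cluster's OIDC provider to assume it, and a ServiceAccount annotated with `eks.amazonaws.com/role-arn` so the EKS pod identity webhook injects `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` into the Vault pod. The key ARN, bucket name, region and certificate paths are placeholders.

```hcl
# Added example, not from the original thread. Assumes IRSA is configured for
# the Vault ServiceAccount; the ARN, bucket, region and cert paths are placeholders.

# No access_key / secret_key in either stanza. When they are omitted, Vault uses
# the AWS SDK default credential chain, which resolves (in order) static
# environment variables, the web identity token injected by IRSA, and finally
# the node's instance profile. With IRSA present, the node role needs no KMS or
# S3 permissions at all, which avoids handing the unseal key to every pod on
# a shared node.
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
}

storage "s3" {
  bucket = "example-vault-storage"
  region = "us-east-1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"
  tls_key_file  = "/vault/tls/tls.key"
}
```

The IAM policy attached to that role can be kept narrow. The awskms seal needs `kms:Encrypt`, `kms:Decrypt` and `kms:DescribeKey` on the one key (Vault encrypts the master key with KMS at init and decrypts it at unseal, so read-only is not sufficient for the seal to function), and the S3 backend needs `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject` on `bucket/*` plus `s3:ListBucket` on the bucket itself. Two caveats worth knowing before committing to this layout: the S3 storage backend does not support Vault's HA mode, so a multi-replica Vault deployment will need a different backend, and if the fallback to the node instance profile is not wanted, the node role should simply not be granted KMS or S3 access rather than relying on taints to keep other workloads off the node.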