Vault injector and environment variable export

Hello,

We are trying to inject dynamic AWS credentials into our pod.

Here is the configuration:

   annotations:
     vault.hashicorp.com/agent-inject: "true"
     vault.hashicorp.com/agent-inject-command-awscreds: source /vault/secrets/awscreds
     vault.hashicorp.com/agent-inject-secret-awscreds: aws_ctops/creds/kafkaconnect
     vault.hashicorp.com/agent-inject-template-awscreds: |
       {{ with secret "aws_ctops/creds/kafkaconnect" -}}
       export AWS_ACCESS_KEY_ID={{ .Data.access_key }}
       export AWS_SECRET_ACCESS_KEY={{ .Data.secret_key }}
       {{- end }}
     vault.hashicorp.com/ca-cert: /vault/tls/pathofthecertfile
     vault.hashicorp.com/role: kafkaconnect
     vault.hashicorp.com/tls-secret: nameOfSecret

So the pod is up and running, the file is present, and its content is valid.
But the command doesn't seem to be executed, or maybe not in the right place.

kubectl -n appnamespace exec -it kafkaconnect-xxxxxx -c kafka-connect-connectors-creator -- env | grep -i aws

The output is empty… If I check an environment variable set in the env section of the deployment, I do get output.
The other thing that makes us think it doesn't work is that our S3 connector is not working.

I tried a few things like “. /vault/secrets/awscreds”, “/bin/sh -c . /vault/secrets/awscreds” and others, without any success so far.

Do you have any idea why, and how we can export the variables from the Vault injector command?

Thanks for your help!

Hello!

So we found the solution!

The problem with Kafka Connect is that it creates 2 containers.

The first one: kafka-connect-connector-creator.
This one has a command parameter in the deployment, so it was easy to apply the example from HashiCorp (1):

command:
- /bin/sh
- -c
- . /vault/secrets/awscreds; /etc/init-connectors-config/create-connectors-job.sh

But the second container was the problem: kafka-connect-server.
This one needs the AWS credentials too at execution time.

But this deployment doesn't have any command or args parameters that say which command is run at boot.

So the solution was to use “docker inspect” to find the command executed by kafka-connect, and it turned out to be:
/etc/confluent/docker/run

Then we just added the command parameter to override the startup command, adding the same source command as before.

And boom. Each kafka-connect container can now start with the exported AWS credentials. So the app is using dynamic AWS credentials!

Hope it can help.

(1) Vault Agent Sidecar Injector Examples | Vault | HashiCorp Developer
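Added example (not part of either post above, and not HashiCorp's own code): the reason the annotation approach could not work is that vault.hashicorp.com/agent-inject-command-* runs its command inside the Vault Agent sidecar container, and containers in a pod do not share process environments, so an export there never reaches the application container. The only process that can put the rendered credentials into the app's environment is the app container's own entrypoint, which is exactly what the command override in the thread does. The wrapper below shows that pattern for one container, using a constructed credential file with fake values in place of /vault/secrets/awscreds; the file path, function names and the echo are assumptions for illustration.

```shell
#!/bin/sh
# Example wrapper entrypoint for a container that needs the Vault-rendered
# AWS credentials. The same override has to be applied to every container
# that needs them (both kafka-connect containers in the thread), because a
# variable sourced in one container is invisible to the other.

# Sources CREDS_FILE into the current shell and verifies that both AWS
# variables ended up non-empty. Returns 0 on success, 1 on a missing file or
# a file that did not set both keys.
load_vault_creds() {
    creds_file="$1"
    if [ ! -r "$creds_file" ]; then
        echo "vault creds file not readable: $creds_file" >&2
        return 1
    fi
    # The rendered file is "export KEY=value" lines; sourcing it with the
    # POSIX "." builtin is what actually sets the variables in this shell
    # ("source" is a bash-ism and may not exist in /bin/sh).
    . "$creds_file"
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "vault creds file did not set both AWS variables" >&2
        return 1
    fi
    return 0
}

# Sources the file, then replaces this shell with the real command. exec keeps
# the application as PID 1 so signals from the kubelet reach it directly.
run_with_vault_creds() {
    creds_file="$1"
    shift
    load_vault_creds "$creds_file" || exit 1
    exec "$@"
}

# --- demo with a constructed credential file (fake values, not real keys) ---
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
demo_creds="$demo_dir/awscreds"
cat > "$demo_creds" <<'EOF'
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
export AWS_SECRET_ACCESS_KEY=examplesecretkeyexamplesecretkeyexample1
EOF
chmod 0600 "$demo_creds"

if load_vault_creds "$demo_creds"; then
    # Print only the key id; never echo the secret into pod logs.
    echo "loaded credentials for access key ${AWS_ACCESS_KEY_ID}"
fi
```

In a Deployment this corresponds to a command override such as `/bin/sh -c ". /vault/secrets/awscreds; exec /etc/confluent/docker/run"` on the kafka-connect-server container, mirroring what the second post describes. Two caveats: the rendered file is executed as shell code by the app user, so the template should only ever emit the two export lines from the Vault response; and `env | grep -i aws` as used for debugging prints the secret key to the terminal, so avoid it in shared or logged sessions.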