Vault K8s Injector multiple roles

pavan189907.kumar · May 31, 2022, 2:29pm

Hi,

Is it possible to have multiple roles as annotations? I would want to use one vault role to get secrets and another to get a vault token. Is it something possible or Is there any workaround for that?

maxb · May 31, 2022, 2:39pm

The injector/agent setup only supports one authenticated session with a Vault, so no.

You might consider using the injector only for the injected secrets, and logging in to Vault to get a token directly within your app code.

Logging in to Vault using Kubernetes auth is as simple as reading your Kubernetes service account token from /var/run/secrets/kubernetes.io/serviceaccount/token and sending it to the login API - Kubernetes - Auth Methods - HTTP API | Vault by HashiCorp

pavan189907.kumar · May 31, 2022, 4:30pm

Umm, I was maybe thinking we can use this annotation
( Agent Sidecar Injector Annotations | Vault by HashiCorp ) and then do the vault login command?

maxb · May 31, 2022, 4:37pm

If you did, you’d be using the injector simply to run a command - at which point, why even use the injector for that?

Look carefully at the documentation for that option - it doesn’t cause the output of the command to be written to the secret.

Also, do you need expiry handling for this token? Running a command as a side effect of populating a different secret is not going to give you that.

pavan189907.kumar · May 31, 2022, 4:42pm

Umm, Yes !! Couldnt agree more. Thank you !!

borysmarceloherrera · June 16, 2023, 5:45pm

What one can do is:

create a ROLE that points to multiple POLICIES
point that role in the deploymentConfig yml vault.hashicorp.com/role: MY_ROLE

inject multiple secrets in the deploymentConfig yml

  vault.hashicorp.com/agent-inject: 'true'
  vault.hashicorp.com/agent-inject-secret-MYSECRET1.properties: secretorgroot/data/MYSECRET1
   vault.hashicorp.com/agent-inject-secret-MYSECRET2.properties: secretorgroot/data/MYSECRET2
  vault.hashicorp.com/agent-inject-template-MYSECRET1: |
    {{- with secret "secretorgroot/data/MYSECRET1" -}} 
       {{ base64Decode .Data.data.MY_KEY }} 
    {{- end -}}
  vault.hashicorp.com/agent-inject-template-MYSECRET2.properties: >
    {{- with secret "secretorgroot/data/MYSECRET2" -}} 
    {{ range $k, $v := .Data.data }}
      {{ $k }}={{ $v }}
    {{ end }}  
    {{- end -}}
  vault.hashicorp.com/role: MY_ROLE