Write secrets from pod using agent-sidecar?


We use vault-agent sidecars to access secrets from pods (kubernetes).

More specifically I have a node.js application that needs to be able to read and write secrets. Auth is done using kubernetes auth and a service account for the pod. This works perfectly for reading/mounting secrets using annotations.

How would I go about writing secrets? Can I somehow use the sidecar for this? Or would I simply post/patch/update directly to the vault api? If so, do I just use the service account token for auth?

Thank you for reading my question!

  • Daniel

If you are already running a Vault agent, with listener and cache blocks in its configuration, then yes, the listener can proxy writes for you in the same way it does reads.