AWS EKS : External Secrets With Vault

Hardik Patel
4 min read · Apr 1, 2023


Managing secrets securely is a crucial part of any organization's security infrastructure. Secrets such as passwords, API keys, and certificates need to be protected from unauthorized access and use. To provide this protection, organizations use various tools and techniques, one of which is Hashicorp Vault.

Hashicorp Vault is a popular open-source tool used for managing secrets and protecting sensitive data. It provides a secure, centralized vault for storing and accessing secrets, with fine-grained access control and auditing capabilities.

AWS EKS (Elastic Kubernetes Service) is a managed Kubernetes service that makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS. It provides a highly available, scalable, and secure infrastructure for running containerized applications, making it a popular choice for many organizations.

Prerequisites:

  • AWS Account
  • EKS
  • aws cli , kubectl, Helm
  • vault

Follow the link below to configure Hashicorp Vault.

There are three approaches for using an external Vault from Kubernetes:

  • the Vault address hard-coded in the pods
  • a Kubernetes Service and Endpoints object pointing at the external Vault
  • the Vault Agent Injector installed with Helm

In this article we use the Vault Agent Injector to integrate an external Vault with AWS EKS.

Check the EKS nodes:

kubectl get nodes

We use Helm to install the vault-agent-injector:

helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
helm install vault hashicorp/vault --set "injector.externalVaultAddr=https://$EXTERNAL_VAULT_ADDR:8200" --set "tlsDisable=true"

Now we are going to integrate our EKS cluster with Vault.

Follow the commands below; first we collect the information that Vault needs to authenticate the cluster.

VAULT_HELM_SECRET_NAME=$(kubectl get secrets --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')
TOKEN_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME --output='go-template={{ .data.token }}' | base64 --decode)
KUBE_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
KUBEHOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')

Now we can enable Kubernetes authentication for EKS:

vault auth enable -path=mydemo kubernetes
vault write auth/mydemo/config \
    token_reviewer_jwt="$TOKEN_JWT" \
    kubernetes_host="$KUBEHOST" \
    kubernetes_ca_cert="$KUBE_CERT" \
    issuer="https://kubernetes.default.svc.cluster.local"

The same can be verified in the Vault UI.

Now we create the secret that our k8s pods will use.

vault secrets enable kv
vault kv put kv/mydemo/config username='admin' password='secret'

vault kv get kv/mydemo/config

Now we create a policy that allows the k8s pods to read the secret:

vault policy write mydemo - <<EOF
path "kv/mydemo/config" {
capabilities = ["read"]
}
EOF

Create a service account in the EKS cluster:

kubectl create sa mydemo

Create the authentication role for the EKS cluster, bound to that service account:

vault write auth/mydemo/role/mydemo-role \
    bound_service_account_names=mydemo \
    bound_service_account_namespaces=default \
    policies=mydemo \
    ttl=24h

It's time to launch a pod and verify our configuration.

mydemo.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: mydemo
  labels:
    app: mydemo
  annotations:
    vault.hashicorp.com/agent-inject: 'true'
    vault.hashicorp.com/agent-inject-status: 'update'
    vault.hashicorp.com/auth-path: 'auth/mydemo'
    vault.hashicorp.com/namespace: 'default'
    vault.hashicorp.com/role: 'mydemo-role'
    vault.hashicorp.com/agent-inject-secret-credentials.txt: 'kv/mydemo/config'
spec:
  serviceAccountName: mydemo
  containers:
    - name: myapp
      image: nginx:latest
      ports:
        - containerPort: 80

Now, verify that the secret was injected:

kubectl exec -it mydemo -c myapp -- cat /vault/secrets/credentials.txt
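What the injected agent does behind that file, as an added example that is not from the original post: log in to Vault's Kubernetes auth mount with the pod's service account JWT, check that the role actually attached the mydemo policy, and read the KV v1 secret with the resulting short-lived token. The mount path, role and secret path are the ones configured above; VAULT_ADDR is a placeholder, and the urllib transport functions and the pluggable post/get callables are this example's own construction.

```python
import json
import urllib.request

VAULT_ADDR = "https://VAULT_ADDR:8200"  # placeholder for the external Vault address
AUTH_PATH = "mydemo"              # vault auth enable -path=mydemo kubernetes
ROLE = "mydemo-role"              # auth/mydemo/role/mydemo-role
SECRET_PATH = "kv/mydemo/config"  # KV v1 path the mydemo policy grants read on
SA_TOKEN_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def login_request(jwt, vault_addr=VAULT_ADDR, auth_path=AUTH_PATH, role=ROLE):
    """POST /v1/auth/<path>/login with the pod's SA JWT and the role name. Vault checks the
    JWT via the TokenReview API (token_reviewer_jwt) and the role's bound_service_account_*."""
    return f"{vault_addr}/v1/auth/{auth_path}/login", json.dumps({"role": role, "jwt": jwt}).encode()

def parse_login(resp):
    """(client_token, ttl_seconds, policies): ttl is the role's ttl=24h, so a leaked token
    expires on its own; policies must include the one attached to the role."""
    auth = resp["auth"]
    return auth["client_token"], auth["lease_duration"], list(auth["policies"])

def read_request(token, path=SECRET_PATH, vault_addr=VAULT_ADDR):
    """KV v1 read: GET /v1/<path> with the short-lived token in X-Vault-Token."""
    return f"{vault_addr}/v1/{path}", {"X-Vault-Token": token}

def parse_kv_v1(resp):
    """KV v1 returns the pairs directly under 'data' (KV v2 nests them under data.data)."""
    return dict(resp["data"])

def fetch_secret(jwt, post, get, required_policy="mydemo"):
    """Whole exchange; post(url, body) and get(url, headers) return parsed JSON, so the
    urllib transport below or a constructed fake can be plugged in."""
    url, body = login_request(jwt)
    token, ttl, policies = parse_login(post(url, body))
    if required_policy not in policies:  # role matched, but the policy was not attached
        raise PermissionError(f"login did not grant policy {required_policy!r}: {policies}")
    url, headers = read_request(token)
    return parse_kv_v1(get(url, headers)), ttl

def http_post(url, body):
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)

def http_get(url, headers):
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        return json.load(r)

if __name__ == "__main__":  # inside the pod, with the same inputs the injected agent uses
    with open(SA_TOKEN_FILE) as f:
        print(fetch_secret(f.read().strip(), http_post, http_get))
```

Running it with a service account other than mydemo fails at the login step, which is the least-privilege check the role's bound_service_account_names provides.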

Summary

In this blog post, we explored the integration of the external secrets management tool Hashicorp Vault with AWS EKS, a popular managed Kubernetes service.

We provided a step-by-step guide on how to set up Vault and EKS, integrate them together, and use Vault to manage secrets in EKS.

If you found this guide helpful, click the 👏 button and feel free to drop a comment.

Follow for more stories like this.
