Goal: A Kubernetes Pod can automatically fetch secrets from Vault using Kubernetes ServiceAccount authentication (no static tokens).
🌟 High-Level Flow
- Install Vault on Kubernetes
- Initialize & unseal Vault (skipped here: dev mode starts already initialized and unsealed, which is why it is lab-only)
- Enable Kubernetes Auth
- Configure Vault to trust Kubernetes
- Create a Vault policy
- Create a Kubernetes ServiceAccount
- Map Kubernetes SA → Vault role
- Deploy a Pod that auto-fetches secrets from Vault
- Verify secrets are injected inside the pod
📌 Prerequisites
✔ GKE cluster running
✔ kubectl configured
✔ helm installed (Cloud Shell already has it)
🧰 STEP 1 — Install Vault on Kubernetes
Add HashiCorp Helm repo
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
Create namespace
kubectl create namespace vault
Install Vault in dev mode (auto-unseal)
helm install vault hashicorp/vault \
    --namespace vault \
    --set "server.dev.enabled=true"
Dev mode runs a single in-memory server that is already unsealed and uses root as its root token (the chart's server.dev.devRootToken default); everything stored in it is lost when the pod restarts. That is fine for this walkthrough and never for real secrets. The chart also deploys the Vault Agent Injector (injector.enabled defaults to true), which Step 9 relies on.
Check pods:
kubectl get pods -n vault
You should see both running:
vault-0                                 1/1     Running
vault-agent-injector-xxxxxxxxxx-xxxxx   1/1     Running
🧰 STEP 2 — Exec into Vault Pod
kubectl exec -it vault-0 -n vault -- /bin/sh
Set the Vault address inside the pod (the chart already exports it, but this makes the session explicit):
export VAULT_ADDR="http://127.0.0.1:8200"
Check status (expect Initialized true and Sealed false):
vault status
If a later command returns "permission denied", authenticate with the dev root token first:
vault login root
🧰 STEP 3 — Enable Kubernetes Authentication
Inside the Vault pod:
vault auth enable kubernetes
🧰 STEP 4 — Configure Kubernetes Auth Method
Vault needs:
- the Kubernetes API server URL
- a credential for calling the TokenReview API (a JWT for a ServiceAccount bound to the system:auth-delegator ClusterRole; the Helm chart creates that binding for Vault's own ServiceAccount)
- the cluster CA cert, to verify the API server's TLS certificate
Because Vault runs inside the cluster, its own ServiceAccount token and the CA are mounted under /var/run/secrets/kubernetes.io/serviceaccount/ and the auth method reads them from there when they are not set explicitly, so the only required setting is the API server address. Inside the pod:
vault write auth/kubernetes/config \
    kubernetes_host="https://${KUBERNETES_PORT_443_TCP_ADDR}:443"
Avoid the older pattern of copying the mounted token into the config with token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)": on current Kubernetes versions that file is a short-lived projected token that the kubelet rotates, and a copy frozen in Vault's config stops working once it expires, at which point every Kubernetes login fails. Leaving token_reviewer_jwt unset makes Vault read the current file on each review. Confirm the configuration:
vault read auth/kubernetes/config
🧰 STEP 5 — Create a Secret in Vault
Inside the Vault pod (the secret/ mount that dev mode enables is a KV version 2 engine):
vault kv put secret/myapp username="admin" password="P@ssw0rd123"
Verify:
vault kv get secret/myapp
🧰 STEP 6 — Create Vault Policy
The KV v2 API prefixes the secret name with data/ for reads and writes (the vault kv commands hide this). Policies are written against the API path, so the policy must grant secret/data/myapp, not secret/myapp. Create a file inside the Vault pod:
cd /tmp
cat <<EOF > myapp-policy.hcl
path "secret/data/myapp" {
  capabilities = ["read"]
}
EOF
Load the policy:
vault policy write myapp-policy /tmp/myapp-policy.hcl
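As an added example (not part of the original post, and not Vault's own code), here is a small POSIX shell model of the path rule above: kv2_api_path, kv2_read_policy and policy_allows are this example's own helper names, and policy_allows implements only the exact-match and trailing-* cases of Vault's policy path matching (Vault's single-segment + wildcard is left out). It shows why the Step 6 policy grants exactly one API path and nothing nearby.

```shell
#!/bin/sh
# Added example, not from the original post. Models how a KV v2 secret name
# maps to the API paths that Vault policies are evaluated against.
# Helper names and the simplified matcher are this example's own.

# kv2_api_path MOUNT NAME [KIND] -> API path a KV v2 request actually hits
# KIND is data (read/write), metadata (versions, delete), etc.
kv2_api_path() {
  mnt=${1%/}; name=$2; kind=${3:-data}
  printf '%s/%s/%s\n' "$mnt" "$kind" "$name"
}

# kv2_read_policy MOUNT NAME -> minimal HCL granting read of one KV v2 secret
kv2_read_policy() {
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' \
    "$(kv2_api_path "$1" "$2" data)"
}

# policy_allows POLICY_PATH REQUEST_PATH
# Simplified model of Vault matching: a policy path matches exactly, or,
# when it ends in "*", matches any request path with that prefix.
policy_allows() {
  pol=$1; req=$2
  case $pol in
    *'*') prefix=${pol%\*}
          case $req in "$prefix"*) return 0 ;; *) return 1 ;; esac ;;
    *)    [ "$pol" = "$req" ] ;;
  esac
}

# Demo run: print the Step 6 policy, then test a few request paths against it.
kv2_read_policy secret myapp
for req in secret/data/myapp secret/metadata/myapp secret/data/myapp2 secret/data/myapp/db; do
  if policy_allows secret/data/myapp "$req"; then
    echo "allow $req"
  else
    echo "deny  $req"
  fi
done
```

The run shows that secret/data/myapp grants the read the injector needs and nothing else: vault kv metadata get secret/myapp (secret/metadata/myapp), a neighbouring secret (secret/data/myapp2) and a nested one (secret/data/myapp/db) are all denied unless the policy is widened with a trailing *, which is the deliberate choice you should have to make.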
🧰 STEP 7 — Create Kubernetes ServiceAccount
Exit the Vault pod:
exit
Create SA in default namespace:
kubectl create sa myapp-sa
🧰 STEP 8 — Create Vault Role that maps SA → Policy
Go back into the Vault pod:
kubectl exec -it vault-0 -n vault -- /bin/sh
export VAULT_ADDR="http://127.0.0.1:8200"
Now create the role. The two bound_* settings are the access control: a login is accepted only if the token's ServiceAccount name and namespace both match, so a ServiceAccount also named myapp-sa in another namespace cannot use this role. Do not use "*" for the namespaces of a role that grants real secrets.
vault write auth/kubernetes/role/myapp-role \
    bound_service_account_names="myapp-sa" \
    bound_service_account_namespaces="default" \
    token_policies="myapp-policy" \
    token_ttl="24h"
(policies= and ttl= still work but are the deprecated spellings of token_policies and token_ttl.) The Vault Agent sidecar renews its token automatically, so a much shorter token_ttl than 24h costs nothing and limits how long a leaked token stays usable.
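As an added example (not part of the original post, and a simplified model rather than Vault's implementation), the script below shows what the role binding in Step 8 actually compares. During login the kubernetes auth method hands the pod's JWT to the Kubernetes TokenReview API; the reviewed identity is the JWT's sub claim, system:serviceaccount:<namespace>:<name>, and Vault checks that namespace and name against bound_service_account_namespaces and bound_service_account_names (newer Vault versions can additionally pin the aud claim with the role's audience setting). The helper names (b64url_dec, jwt_sub, role_allows, make_sample_token) are this example's own, and the token is a constructed, unsigned sample so the script runs without a cluster.

```shell
#!/bin/sh
# Added example, not from the original post. Decodes a ServiceAccount JWT
# payload and applies the name/namespace binding of a Vault kubernetes
# auth role. Real validation of the signature and expiry is done by the
# API server in TokenReview; this only models the binding step that
# follows a successful review.

b64url_enc() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }

# b64url_dec STRING -> decoded bytes (restores standard alphabet and padding)
b64url_dec() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# jwt_claims TOKEN -> decoded payload JSON (second dot-separated segment)
jwt_claims() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_dec "$payload"
  printf '\n'
}

# jwt_sub TOKEN -> value of the "sub" claim
jwt_sub() { jwt_claims "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'; }

# in_list VALUE CSV -> success if VALUE is in the comma-separated list or list is "*"
in_list() {
  [ "$2" = "*" ] && return 0
  case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# role_allows TOKEN BOUND_NAMES BOUND_NAMESPACES
# Mirrors Step 8: the login succeeds only if the SA name AND namespace are bound.
role_allows() {
  sub=$(jwt_sub "$1")
  case $sub in system:serviceaccount:*:*) ;; *) return 1 ;; esac
  rest=${sub#system:serviceaccount:}
  ns=${rest%%:*}; name=${rest#*:}
  in_list "$name" "$2" && in_list "$ns" "$3"
}

# make_sample_token NAMESPACE NAME -> constructed header.payload.signature
# with a dummy signature, for illustrating the claim layout only.
make_sample_token() {
  hdr=$(b64url_enc '{"alg":"RS256","kid":"demo"}')
  pl=$(b64url_enc "{\"iss\":\"https://kubernetes.default.svc.cluster.local\",\"sub\":\"system:serviceaccount:$1:$2\",\"aud\":[\"https://kubernetes.default.svc.cluster.local\"]}")
  printf '%s.%s.%s\n' "$hdr" "$pl" "not-a-real-signature"
}

MYAPP_TOKEN=$(make_sample_token default myapp-sa)

# Demo run: the myapp-sa pod in default is accepted; a same-named SA in
# another namespace, or a different SA in default, is not.
echo "sub: $(jwt_sub "$MYAPP_TOKEN")"
for t in "$MYAPP_TOKEN" "$(make_sample_token prod myapp-sa)" "$(make_sample_token default other-sa)"; do
  if role_allows "$t" myapp-sa default; then
    echo "allow $(jwt_sub "$t")"
  else
    echo "deny  $(jwt_sub "$t")"
  fi
done
```

On a real cluster you can inspect the token a pod actually presents with kubectl exec <pod> -c myapp -- cat /var/run/secrets/kubernetes.io/serviceaccount/token and decode its payload the same way; the sub claim is what must line up with the role, and the exp claim shows why these tokens must never be copied into static configuration.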
🧰 STEP 9 — Deploy Application That Fetches Secrets Automatically
Back in Cloud Shell (outside the Vault pod), create a Deployment that uses the Vault Agent Injector. The annotations tell the injector to add an init container and a sidecar that log in to Vault with the pod's ServiceAccount token as myapp-role and render secret/myapp to /vault/secrets/mysecret; the application container never sees a Vault token.
Create a file:
cat <<EOF > myapp.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  labels:
    app: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "myapp-role"
        vault.hashicorp.com/agent-inject-secret-mysecret: "secret/myapp"
    spec:
      serviceAccountName: myapp-sa
      containers:
        - name: myapp
          image: nginx
EOF
Apply:
kubectl apply -f myapp.yaml
🧪 STEP 10 — Verify Vault Injected Secrets
Wait for the pod to become ready. With the injector active it has two containers (your app plus the vault-agent sidecar), so READY should reach 2/2:
kubectl get pods
NAME                     READY   STATUS    RESTARTS   AGE
myapp-xxxxxxxxxx-xxxxx   2/2     Running   0          1m
If it stays at 0/2 with the init container running, check its log for the login error (usually a policy or role binding mismatch):
kubectl logs myapp-xxxxxxxxxx-xxxxx -c vault-agent-init
Exec into the application container (the pod now has more than one, so name it with -c):
kubectl exec -it myapp-xxxxxxxxxx-xxxxx -c myapp -- /bin/sh
List injected secrets:
ls /vault/secrets
You should see:
mysecret
View content:
cat /vault/secrets/mysecret
The injector's default template writes each top-level key of the Vault response as key: value. Because secret/ is a KV v2 mount, the response contains data and metadata, so the file looks like:
data: map[password:P@ssw0rd123 username:admin]
metadata: map[...]
If the application needs a specific format (JSON, an env file, a config snippet), add a vault.hashicorp.com/agent-inject-template-mysecret annotation with a Consul Template body such as {{ with secret "secret/data/myapp" }}{{ .Data.data | toJSON }}{{ end }}, and the file will then contain only {"password":"P@ssw0rd123","username":"admin"}.
🎉 SUCCESS — Kubernetes Pod securely pulled secrets from Vault!
🌟 Thanks for reading! If this post added value, a like ❤️, follow, or share would encourage me to keep creating more content.
— Latchu | Senior DevOps & Cloud Engineer
☁️ AWS | GCP | ☸️ Kubernetes | 🔐 Security | ⚡ Automation
📌 Sharing hands-on guides, best practices & real-world cloud solutions