An authentication provider for Kubernetes that reads access tokens from Vault for Google Kubernetes Engine (GKE) or Elastic Kubernetes Service (EKS).
Get prebuilt binary from release page
# Make it executable
chmod +x vault-k8s-helperRead access tokens from Vault to authenticate with Kubernetes
USAGE:
vault-k8s-helper [OPTIONS] <type> <path>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
OPTIONS:
--eks-cluster <eks_cluster>
Name of the EKS cluster. Required if type is `eks`
--eks-expiry <eks_expiry>
Specifies the Expiry duration in number of seconds for the Kubernetes Token.
--eks-region <eks_region>
Region of AWS to use. Defaults to the Global Endpoint
--eks-role-arn <eks_role_arn>
The ARN of the role to assume if the AWS Secrets Engine role is configured with multiple roles
--eks-ttl <eks_ttl>
Specifies the TTL for the use of the STS token.
--output <output>
Change to path to output the credentials to. Defaults to `-` which is stdout [default: -]
--vault-address <vault_address>
Specifies the Vault Address to connect to. Include the scheme and port. Can be provided by the `VAULT_ADDR`
environment variable as well
--vault-ca-cert <vault_ca_cert>
Specifies a path to the PEM encoded CA Certificate for Vault. Can be provided by the `VAULT_CACERT`
environment variable as well
--vault-token <vault_token>
Specifies the Vault token to use with Vault. Can be provided by the `VAULT_TOKEN` environment variable as
well
--vault-token-file <vault_token_file>
Specifies a path to Vault token to read from and use with Vault.
ARGS:
<type>
Type of credentials to read [possible values: gke, eks]
<path>
Path to read from Vault
You have to configure Vault's Google Cloud Secrets Engine first with an appropriate access token roleset.
VAULT_TOKEN="s.xxx" \
VAULT_ADDR="https://vault.service.consul:8200" \
VAULT_CACERT=/path/to/ca \
vault-k8s-helper gke gcp/token/rolesetYou have to configure Vault's AWS Secrets Engine with an appropriate role. Any role type should work.
VAULT_TOKEN="s.xxx" \
VAULT_ADDR="https://vault.service.consul:8200" \
VAULT_CACERT=/path/to/ca \
vault-k8s-helper eks --eks-cluster my_cluster aws/creds/role{ "token_expiry": "2019-03-01T08:09:32Z", "token": "ya29.c.<REDACTED>" }{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"spec": {},
"status": {
"token": "k8s-aws-v1.<redacted>"
}You have to use a real Vault server with a configured Google Cloud Secrets Engine access token roleset and AWS Secrets Engine Role.
Provide the usual environment variables plus:
GCP_PATHfor the path to a GCP Secrets Engine credential endpoint for a token RolesetAWS_PATHfor the path to a AWS Secrets Engine credential endpoint for a role
The following template for Kube Config would work well.
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <K8S-CA>
server: <K8S-URL>
name: deploy
contexts:
- context:
cluster: deploy
user: deploy
name: deploy
current-context: deploy
kind: Config
preferences: {}
users:
- name: deploy
user:
auth-provider:
config:
cmd-args: >-
--vault-token-file=/path/to/vault/token
--vault-address=https://vault.service.consul:8200
--vault-ca-cert=/path/to/cert
gke gcp/token/roleset
cmd-path: /bin/path/to/vault-k8s-helper
expiry-key: '{.token_expiry}'
token-key: '{.token}'
name: gcpapiVersion: v1
clusters:
- cluster:
certificate-authority-data: <K8S-CA>
server: <K8S-URL>
name: deploy
contexts:
- context:
cluster: deploy
user: deploy
name: deploy
current-context: deploy
kind: Config
preferences: {}
users:
- name: deploy
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- eks
- --eks-cluster=my-cluster
- --vault-token-file=/path/to/vault/token
- --vault-address=https://vault.service.consul:8200
- --vault-ca-cert=/path/to/cert
- aws/creds/role
command: /bin/path/to/vault-k8s-helper