

Vault by HashiCorp is a tool for managing secrets. To use Vault as a secret backend you need to:

  1. Give your application access to Vault.
  2. Give yourself or your team access to Vault.
  3. Provide the secrets for your application to consume.
  4. Enable Vault integration in your NAIS manifest config.

The first three requirements are handled through a pull request to the vault-iac repo. Enabling Vault integration in a NAIS application is covered below.

NAIS manifest config

Enable the integration in nais.yaml:

  vault:
    enabled: true

This is best illustrated with an example.

Given the following secrets in Vault:


The application nais-testapp, deployed to the preprod-fss cluster in the default namespace, gets the secrets injected as files under /var/run/secrets/, with the key as the filename and the value as the file content:

~ # ls -lt /var/run/secrets/
total 8
-rw-r--r--    1 root     root            27 Sep 19 12:19
-rw-r--r--    1 root     root            43 Sep 19 12:19 secret.yaml

~ # cat /var/run/secrets/ 
value: value1
value: value2

~ # cat /var/run/secrets/ 
  user: user
  password: password

Multiple KV stores

If you need to inject secrets from an additional KV store, you can do so by specifying the paths field.

Note that as soon as you set this field, the default behaviour of mounting /kv/<environment>/<zone>/<application>/<namespace> to /var/run/secrets/ is no longer applied. If you still need those secrets, list that path explicitly alongside your custom ones:

  vault:
    enabled: true
    paths:
      - kvPath: /secret/with/custom/path
        mountPath: /path/on/filesystem
      - kvPath: /kv/preprod/fss/nais-testapp/default  # the default mount, now stated explicitly
        mountPath: /var/run/secrets/
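As an added example (not part of the NAIS documentation and not the platform's own code), the following Python reads the injected files from the mount directories declared under paths and fails fast when a mount is missing or empty, which is exactly what an application sees after paths has been customised without restating the default entry. The mount directories, file names and contents are constructed sample data written to a temporary directory; the /var/run/secrets/ default and the /kv/<environment>/<zone>/<application>/<namespace> layout are taken from the page.

```python
"""Added example, not NAIS's own code: consume Vault secrets that the platform
injects as files, and fail fast when a mount configured in vault.paths is
missing or empty."""
import tempfile
from pathlib import Path

# Mount used by NAIS when vault.paths is not set (from the page).
DEFAULT_MOUNT = "/var/run/secrets/"


def mount_is_usable(mount):
    """True when the directory exists and holds at least one regular file."""
    root = Path(mount)
    return root.is_dir() and any(p.is_file() for p in root.iterdir())


def load_secrets(mount_paths=(DEFAULT_MOUNT,), required=()):
    """Read every regular file below each mount into {key: value}.

    Injected files are named after the Vault key and contain the raw value,
    so the file name is the key. A missing or empty mount raises at startup
    rather than surfacing later as an empty password: that is the failure
    mode when vault.paths is customised and the default
    /kv/<environment>/<zone>/<application>/<namespace> entry is left out.
    Error messages carry key names only, never values.
    """
    secrets = {}
    for mount in mount_paths:
        if not mount_is_usable(mount):
            raise RuntimeError(
                f"secret mount {mount} is missing or empty; check vault.paths in nais.yaml")
        for path in sorted(p for p in Path(mount).iterdir() if p.is_file()):
            text = path.read_text(encoding="utf-8")
            # Drop a single trailing newline so a value saved from an editor compares equal.
            secrets[path.name] = text[:-1] if text.endswith("\n") else text
    missing = sorted(set(required) - secrets.keys())
    if missing:
        raise KeyError(f"required secret keys missing: {missing}")
    return secrets


def make_sample_mounts():
    """Constructed sample data: the two mounts from the manifest example, plus
    an empty directory standing in for a mount the platform did not populate.
    Returns (default_mount, custom_mount, empty_mount) under a temp directory.
    """
    base = Path(tempfile.mkdtemp(prefix="vault-example-"))
    default = base / "var" / "run" / "secrets"
    custom = base / "path" / "on" / "filesystem"
    empty = base / "empty"
    for d in (default, custom, empty):
        d.mkdir(parents=True)
    (default / "secret.yaml").write_text("user: user\npassword: password\n")
    (custom / "api-token").write_text("constructed-sample-token\n")
    return str(default), str(custom), str(empty)


if __name__ == "__main__":
    default, custom, empty = make_sample_mounts()
    loaded = load_secrets([default, custom], required=("secret.yaml", "api-token"))
    print(sorted(loaded))          # ['api-token', 'secret.yaml']
    print(mount_is_usable(empty))  # False
```

Call load_secrets once at startup with the same mountPath values you put in nais.yaml; an exception there is far cheaper than a pod that starts and then fails its first database connection with an empty credential.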

Java apps

Base your Docker image on navikt/java and the secrets from Vault will by default be made available to you as environment variables.

When migrating from naisd, you can name the Vault keys as they were named in Fasit so that your application does not need to be rewritten in order to use the Vault secrets.

Native Kubernetes Secrets (only available in GCP)

When running in GCP, you also have the option of using Kubernetes Secrets directly, instead of (or in combination with) Vault.

To get started, create your secret(s). A secret can hold key-value pairs or files, and can be exposed to the application as environment variables or as files.


Create your secret

$ kubectl create secret generic my-secret --from-literal=key1=supersecret
secret/my-secret created

Refer to my-secret in nais.yaml

  secrets:
    - name: my-secret

And you're done. When your application is running, the environment variable key1 will have the value supersecret.

See the official Kubernetes documentation, or run kubectl create secret generic --help, for more details on creating and managing your secrets.
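As an added example (not NAIS's or Kubernetes' own code), the following Python builds the Secret object that the kubectl create secret generic command above produces, so you can see what the cluster actually stores: values go into .data base64-encoded, which is an encoding and not encryption, and anyone with permission to read the secret in the namespace gets the plaintext back. The key validation rule (alphanumerics, '-', '_' and '.') is Kubernetes' rule for Secret data keys; the manifest name my-secret and the key1=supersecret literal are the page's own.

```python
"""Added example, not NAIS's or Kubernetes' own code: build the Secret object
that `kubectl create secret generic` would create, to show what is stored."""
import base64
import re
from pathlib import Path

# Kubernetes rule for keys in Secret.data: alphanumerics, '-', '_' and '.'.
_KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")


def parse_literal(arg):
    """Split a --from-literal argument on the FIRST '=' only, so a value that
    itself contains '=' (a base64 string, a URL query) survives intact."""
    key, sep, value = arg.partition("=")
    if not sep or not key:
        raise ValueError(f"expected KEY=VALUE, got {arg!r}")
    return key, value


def build_secret(name, literals=(), files=()):
    """Return the Secret manifest as a dict. Values are base64-encoded into
    .data, which is reversible by anyone who can `kubectl get secret` in the
    namespace (see decode_secret)."""
    data = {}

    def put(key, raw):
        if not _KEY_RE.match(key):
            raise ValueError(f"invalid secret key {key!r}")
        if key in data:
            raise ValueError(f"duplicate secret key {key!r}")
        data[key] = base64.b64encode(raw).decode("ascii")

    for literal in literals:
        key, value = parse_literal(literal)
        put(key, value.encode("utf-8"))
    for path in files:  # --from-file: the key is the file name, the value its bytes
        put(Path(path).name, Path(path).read_bytes())
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": data}


def decode_secret(manifest):
    """Recover the plaintext values from a Secret manifest."""
    return {k: base64.b64decode(v).decode("utf-8")
            for k, v in manifest["data"].items()}


if __name__ == "__main__":
    m = build_secret("my-secret", literals=["key1=supersecret"])
    print(m["data"])         # {'key1': 'c3VwZXJzZWNyZXQ='}
    print(decode_secret(m))  # {'key1': 'supersecret'}
```

The practical consequence: treat get and list on secrets as privileged RBAC verbs in the namespace, and keep the namespace's Secret objects out of anything (backups, GitOps repos, log dumps) that is not protected at least as well as the values themselves.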
