Skip to content
A #basic demo for utilizing Vault as a secrets storage mechanism for Kubernetes
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


A basic setup of a single vault server and a single node kubernetes server to learn how vault secret storage and retrieval works.

Initial setup of Vault and Kubernetes (minikube)

vault server -dev -dev-listen-address= --dev-root-token-id=root
export VAULT_ADDR=''
vault login token=root
vault auth enable kubernetes
vault secrets enable -version=2 kv
minikube start

kubectl create serviceaccount vault-tokenreview
kubectl create serviceaccount phil
kubectl create serviceaccount phil-secret-writer
kubectl apply -f vault-binding.yml

Gather a token from the kubernetes token reviewer API and extract the JWT which will be used to authenticate with Vault

KUBE_TOKEN="$(kubectl get secrets | grep vault-tokenreview | awk '{print $1}')"
JWT="$(kubectl get secret ${KUBE_TOKEN} -o jsonpath='{.data.token}' | base64 -d | tr -d '\n')"
K8S_HOST="$(echo -n 'https://'; minikube ip | tr -d '\n'; echo ':8443')"

vault write auth/kubernetes/config \
    token_reviewer_jwt="${JWT}" \
    kubernetes_host="${K8S_HOST}" \

Create policies for a "reader" container and a "writer" container

vault write sys/policy/demo-policy policy=@policies/demo-policy.hcl
vault write sys/policy/secret-writer-policy policy=@policies/secret-writer-policy.hcl

Bind a kubernetes role to a vault role and policy

vault write auth/kubernetes/role/demo-role \
    bound_service_account_names=phil \
    bound_service_account_namespaces=default \
    policies=demo-policy \

vault write auth/kubernetes/role/secret-writer-role \
    bound_service_account_names=phil-secret-writer \
    bound_service_account_namespaces=default \
    policies=secret-writer-policy \

Show vault role output to verify that the specified policies have been applied

vault read auth/kubernetes/role/demo-role
vault read auth/kubernetes/role/secret-writer-role

Write a new secret from a different client container

kubectl apply -f secret-writer.yml

Read the secrets from a client container

kubectl apply -f secret-reader.yml


The Dualers - Treasure

You can’t perform that action at this time.