hashicorp / vault-helm

Helm chart to install Vault and other associated components.
Mozilla Public License 2.0

add podAnnotations: #262

Open jmturwy opened 4 years ago

jmturwy commented 4 years ago

I'd love to use my kiam and AWS roles to auto-unseal with the chart. This would allow my pod to use my AWS role instead of using an IAM user client ID and secret.

Example:

  podAnnotations:
    iam.amazonaws.com/role: k8s_vault

silverbp commented 4 years ago

You can add the annotation to the service account via this:

  serviceAccount:
    annotations: |
      "eks.amazonaws.com/role-arn": "${aws_role_arn}"

But it doesn't work. I don't think it has to do with the Helm chart; I don't think the Vault Docker image is reading the environment variables and the token that are getting injected, because when I do the above, I get the proper environment variables set, but Vault errors out (no access) because it's using the node ARN role when it should be using the ARN that's assigned above.

silverbp commented 4 years ago

If you do something like this in the pod ahead of time: https://github.com/aws/aws-cli/issues/4477

I assume this will work.
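A small diagnostic for the failure mode silverbp describes, added here as an example and not part of the vault-helm chart or of either comment: run inside the Vault pod, it checks whether the IRSA variables and the projected token are actually present and prints the identity the token carries, so you can tell "annotation never applied" apart from "the process ignores the injected credentials". It assumes the standard IRSA variable names AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic, not part of the vault-helm chart: run inside the Vault pod
# to see whether the IRSA credentials the service-account annotation should
# produce are actually there, and which identity the projected token carries.
# Assumes the standard IRSA variables AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE.

# Decode the payload (second dot-separated field) of a JWT: base64url -> base64,
# restore padding to a multiple of four characters, then decode.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#p} % 4 )) in
    2) p="${p}==" ;;
    3) p="${p}=" ;;
  esac
  printf '%s' "$p" | base64 -d 2>/dev/null
}

# Extract a string claim from the decoded payload; tolerates a single-element
# array, which is how projected tokens carry "aud". Flat, compact JSON only.
jwt_claim() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\[\{0,1\}\"\([^\"]*\)\".*/\1/p"
}

# Return 0 when the pod has what the AWS SDK needs to assume the annotated role,
# 1 otherwise; findings go to stdout.
irsa_check() {
  ok=0
  if [ -n "$AWS_ROLE_ARN" ]; then
    echo "role: $AWS_ROLE_ARN"
  else
    echo "AWS_ROLE_ARN not set: annotation missing, or pod created before the webhook saw it"
    ok=1
  fi
  if [ -z "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
    echo "AWS_WEB_IDENTITY_TOKEN_FILE not set"
    return 1
  fi
  if [ ! -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
    echo "token file $AWS_WEB_IDENTITY_TOKEN_FILE not readable by uid $(id -u)"
    return 1
  fi
  payload=$(jwt_payload "$(cat "$AWS_WEB_IDENTITY_TOKEN_FILE")")
  echo "token subject:  $(jwt_claim "$payload" sub)"
  echo "token audience: $(jwt_claim "$payload" aud)"
  return $ok
}
# Everything above present, yet STS still reports the node role? Then the
# process is not reading these variables (old SDK/CLI, as in aws/aws-cli#4477).
```

If the subject is not the service account the chart created, or the audience is not what the role's trust policy expects, the role assumption fails before Vault ever gets a credential.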