kube_sa_auth_vault
Stable
Submodule

Vault Authentication via Kubernetes Service Account

Gives a Kubernetes service account in an EKS cluster access to a Vault role through its ServiceAccount token.

This allows our Kubernetes pods to use the Vault API without static credentials.

Providers

The following providers are needed by this module:

Required Inputs

The following input variables are required:

service_account

Description: The name of the service account that should be able to assume the AWS permissions.

Type: string

service_account_namespace

Description: The namespace of the service account.

Type: string

vault_policy_hcl

Description: The HCL of the policy document to assign to this Vault role.

Type: string

Optional Inputs

The following input variables are optional (have default values):

audience

Description: The audience claim in the ServiceAccount JWT

Type: string

Default: null

token_ttl_seconds

Description: The maximum token lifetime in seconds

Type: number

Default: 28800

Outputs

The following outputs are exported:

role_name

Description: The name of the Vault auth role

Usage

IP Whitelisting

By default, this module's IRSA authentication will only work when the service account token is presented from an IP address inside the cluster (this also includes the cluster's public NAT IPs).

This limits the usefulness of tokens that are extracted from the cluster by an attacker.

The underlying discovery mechanism for the whitelist defaults works by searching for resource tags assigned in the aws_vpc and aws_eks modules. If you need additional IPs or don't use those modules, you must manually specify those IPs via the ip_allow_list variable.
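An added example of invoking this submodule (not code from the Panfactum docs or repository): it binds one ServiceAccount to a read-only Vault policy scoped to a single KV path and overrides the defaults for audience and token_ttl_seconds. The module source path, the KV v2 mount "secret/", the namespace and service-account names, and the audience value "vault" are assumptions.

```hcl
# Added example, not the module's own code. Grants the "billing-api" ServiceAccount
# in namespace "billing" a Vault role that can read exactly one KV secret.
# Assumed: module source path, KV v2 mount "secret/", names and audience value.

module "billing_api_vault_auth" {
  source = "<path-to-kube_sa_auth_vault>" # placeholder: point at your copy of the submodule

  service_account           = "billing-api"
  service_account_namespace = "billing"

  # Least privilege: only the one secret path this workload needs, read-only.
  vault_policy_hcl = <<-EOT
    path "secret/data/billing/db" {
      capabilities = ["read"]
    }
  EOT

  # Require a projected token minted for the "vault" audience, so the pod's
  # default API-server token (different aud claim) cannot be replayed against Vault.
  audience = "vault"

  # Default is 28800 (8h); a shorter TTL narrows the window in which a leaked
  # Vault token remains usable.
  token_ttl_seconds = 3600
}

# The pod (or Vault Agent / CSI provider) needs the role name at login time.
output "billing_api_vault_role" {
  value = module.billing_api_vault_auth.role_name
}
```

At runtime the pod mounts a serviceAccountToken projected volume with audience "vault" and logs in with POST /v1/auth/kubernetes/login (assuming the Kubernetes auth method is mounted at its default path), sending that token as jwt and this role name as role.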