Dynamic Service Account Tokens for Kubernetes with Vault

Question

Pulumi · Accepted Answer

Dynamic Service Account Tokens are a feature of Kubernetes that allow for the creation of service account tokens with a limited lifetime, which can be useful for tasks such as temporary access for debugging or automated operations pipelines. HashiCorp Vault has the ability to integrate with Kubernetes to manage these tokens securely, providing a centralized system for token generation, rotation, and revocation.

To facilitate dynamic service account tokens in a Kubernetes cluster using Vault, we'll need to perform the following steps:

Configure Vault's Kubernetes Auth Method: This involves setting up Vault to authenticate with Kubernetes. This allows Vault to verify the identity of clients based on their Kubernetes service accounts.
Create a Vault Role for Kubernetes Auth: A Vault role is created to define the access policies and token TTLs for Kubernetes service account tokens.
Configure Service Accounts in Kubernetes: Kubernetes service accounts associated with the Vault role must be created or updated, specifying the Vault role as an annotation.
Deploy and Use Tokens: Applications running in the Kubernetes cluster can now authenticate with Vault using their associated service account tokens to retrieve secrets or other credentials that Vault manages.

Below is a Pulumi program written in Python that sets up dynamic service account tokens for Kubernetes using Vault:

import pulumi
import pulumi_vault as vault
import pulumi_kubernetes as kubernetes

# Configure the Vault provider
vault_provider = vault.Provider("vault-provider")

# Configure Vault's Kubernetes auth method
auth_backend_config = vault.KubernetesAuthBackendConfig("k8s-auth-config",
    kubernetes_ca_cert="<KUBERNETES_CA_CERT>",               # Replace with your Kubernetes cluster CA cert
    kubernetes_host="<KUBERNETES_HOST>",                     # Replace with your Kubernetes API server URL
    token_reviewer_jwt="<TOKEN_REVIEWER_JWT>",               # Replace with your token reviewer JWT
    pem_keys=["<PEM_KEY>"],                                  # Replace with your list of PEM keys if needed
    opt_provider=vault_provider
)

# Define a Vault role that binds to Kubernetes service accounts and namespaces
auth_backend_role = vault.KubernetesAuthBackendRole("k8s-auth-role",
    bound_service_account_names=["example-app-sa"],         # The name of the K8s Service Account to bind
    bound_service_account_namespaces=["default"],           # The namespace of the Service Account
    backend="<KUBERNETES_AUTH_BACKEND_PATH>",               # The mount path of the Kubernetes auth backend in Vault
    token_policies=["example-app-policy"],                  # List of policies assigned to tokens
    token_ttl=3600,                                         # Token Time-To-Live (TTL) in seconds
    opt_provider=vault_provider
)

# Ensure a Kubernetes Service Account exists for an application
service_account = kubernetes.core.v1.ServiceAccount("example-app-sa",
    metadata=kubernetes.meta.v1.ObjectMetaArgs(
        name="example-app-sa",
        namespace="default",
        annotations={
            "vault.hashicorp.com/role": "k8s-auth-role"      # Annotation to associate with the Vault role
        }
    )
)

# Export the Kubernetes Service Account name
pulumi.export("service_account_name", service_account.metadata["name"])

# Export the Vault Role name
pulumi.export("vault_role_name", auth_backend_role.role_name)

In the program above, replace <KUBERNETES_CA_CERT>, <KUBERNETES_HOST>, <TOKEN_REVIEWER_JWT>, <PEM_KEY>, and <KUBERNETES_AUTH_BACKEND_PATH> with the appropriate values from your Kubernetes and Vault setup.

The pulumi_vault.KubernetesAuthBackendConfig resource configures the Kubernetes auth method in Vault by specifying the necessary parameters to communicate with the Kubernetes API, like the CA certificate, Host URI and reviewer JWT.

Next, pulumi_vault.KubernetesAuthBackendRole defines a role in Vault that binds to Kubernetes service accounts in the default namespace. This role determines what level of access the created service account tokens will have within Vault.

The pulumi_kubernetes.core.v1.ServiceAccount resource ensures that there is a Kubernetes service account that can issue tokens for the applications to authenticate with Vault.

Finally, we export the service account name and Vault role name, which can be used for reference or automation in a CI/CD pipeline.

By executing this Pulumi program, you will have securely set up dynamic service account tokens that can be used by applications within your Kubernetes environment to interact with Vault.