Murakami

Reputation: 3760

Cannot connect HCP Vault with AWS EKS

I'm trying to connect HCP Vault with AWS EKS, without success though.

Steps I'm doing:

  1. I've configured HVN and peered it with VPC where my k8s cluster is located.

  2. Created HCP Vault cluster in that HVN.

  3. Created injector pod via Helm

  4. Because Vault Cluster is private only I'm using bastion host to connect to it using this instruction: https://support.hashicorp.com/hc/en-us/articles/4404774536083-Accessing-private-URLs-of-HCP-Clusters

  5. From a bastion host: vault auth enable kubernetes

  6. I've created service account admin-panel in the namespace admin panel

  7. I'm exporting some values from my namespace...

  8. export TOKEN_REVIEW_JWT=$(kubectl get secret $(kubectl get serviceaccount admin-panel -o jsonpath='{.secrets[0].name}') -o jsonpath='{ .data.token }' | base64 --decode)

  9. export KUBE_CA_CERT=$(kubectl get secret $(kubectl get serviceaccount admin-panel -o jsonpath='{.secrets[0].name}') -o jsonpath='{ .data.ca\.crt }' | base64 --decode)

  10. export KUBE_HOST=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.server}')

  11. ...in order to configure auth method: vault write auth/kubernetes/config token_reviewer_jwt="$TOKEN_REVIEW_JWT" kubernetes_host="$KUBE_HOST" kubernetes_ca_cert="$KUBE_CA_CERT"

  12. I finally enabled auth engine and created a secret: vault secrets enable -path=secret kv-v2 and vault kv put secret/admin-panel/config username='user' password='password'

  13. We need some policy:

    vault policy write admin-panel - <<EOF
    path "secret/data/admin-panel/config" {
      capabilities = ["read"]
    }
    EOF

  14. And authentication role: vault write auth/kubernetes/role/admin-panel bound_service_account_names=admin-panel bound_service_account_namespaces=admin-panel policies=admin-panel ttl=24h

  15. Finally I want to use it in the pod:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test
      labels:
        app: test
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "admin-panel"
        vault.hashicorp.com/agent-inject-secret-credentials.txt: "secret/data/admin-panel/config"
    spec:
      serviceAccountName: admin-panel
      containers:
        - name: test
          image: nginx

I'm typically getting this error:

    2022-08-30T21:57:18.366Z [ERROR] auth.handler: error authenticating:
      error=
      | Error making API request.
      | 
      | URL: PUT https://vault-cluster-private-vault-dflosi.hfols.z1.hashicorp.cloud:8200/v1/auth/kubernetes/login
      | Code: 403. Errors:
      | 
      | * permission denied
       backoff=3m48.31s
    2022-08-30T22:01:06.685Z [INFO]  auth.handler: authenticating
    2022-08-30T22:01:06.703Z [ERROR] auth.handler: error authenticating:
      error=
      | Error making API request.

I'm following the official tutorial, what am I missing?

Upvotes: 0

Views: 254

Answers (1)

rock'n rolla

Reputation: 2254

Something I notice here that might be the issue is that you bound the service account only in the namespace admin-panel during vault role creation, but you're creating the pod in the default namespace, where the service account is not configured to authenticate with EKS.

Either try creating the pod in the admin-panel namespace or change bound_service_account_namespaces to * while configuring vault role.

Upvotes: 0
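As an added example that belongs to neither the question nor the answer, the script below reproduces offline the binding check Vault performs on auth/kubernetes/login before it returns "permission denied": the pod's service account name and namespace must both appear in the role's bound_service_account_names and bound_service_account_namespaces (or match the "*" wildcard). It ties the procedure in the question (role created with both lists set to admin-panel, pod manifest without metadata.namespace) to the mismatch the answer points at. The function names are mine, the role values are constructed to mirror the question rather than read from Vault, and the manifest parsing assumes metadata.namespace is indented by two spaces, as metadata.name is in the question's manifest.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: an offline check
# that a pod's identity (service account + namespace) is accepted by a Vault
# Kubernetes auth role, which is what Vault evaluates before it returns
# "permission denied" on auth/kubernetes/login.
#
# In a real cluster the two role values would come from
#   vault read -field=bound_service_account_names auth/kubernetes/role/admin-panel
#   vault read -field=bound_service_account_namespaces auth/kubernetes/role/admin-panel
# Here they are CONSTRUCTED to mirror the role created in the question.

# _in_list VALUE COMMA_LIST -> exit 0 when VALUE, or the wildcard "*",
# is an element of COMMA_LIST (no spaces around the commas).
_in_list() {
  case ",$2," in
    *",*,"*|*",$1,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# role_allows BOUND_NAMES BOUND_NAMESPACES POD_SA POD_NAMESPACE
# exit 0 when both bound lists accept the pod's service account identity.
role_allows() {
  _in_list "$3" "$1" && _in_list "$4" "$2"
}

# manifest_namespace MANIFEST -> the namespace the pod lands in when the
# manifest is applied without -n: metadata.namespace if present, else "default".
# Assumption: metadata.namespace is indented by two spaces, like the
# metadata.name line in the question's manifest.
manifest_namespace() {
  ns=$(printf '%s\n' "$1" | sed -n 's/^  namespace:[[:space:]]*//p' | head -n 1 | tr -d '"')
  if [ -n "$ns" ]; then printf '%s' "$ns"; else printf 'default'; fi
}

# diagnose BOUND_NAMES BOUND_NAMESPACES POD_SA MANIFEST -> prints a verdict;
# exit 0 when the login would pass the role's binding check, 1 otherwise.
diagnose() {
  ns=$(manifest_namespace "$4")
  if role_allows "$1" "$2" "$3" "$ns"; then
    echo "ok: $3 in namespace $ns is bound by the role"
    return 0
  fi
  echo "mismatch: role binds names=[$1] namespaces=[$2], pod uses $3 in namespace $ns"
  return 1
}

# Constructed values mirroring the question: the role binds admin-panel/admin-panel
# and the manifest carries no metadata.namespace, so kubectl apply puts it in "default".
BOUND_NAMES="admin-panel"
BOUND_NAMESPACES="admin-panel"
QUESTION_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  serviceAccountName: admin-panel'

# The same manifest with the namespace set explicitly (the answer's first fix).
FIXED_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: test
  namespace: admin-panel
spec:
  serviceAccountName: admin-panel'

diagnose "$BOUND_NAMES" "$BOUND_NAMESPACES" admin-panel "$QUESTION_MANIFEST" || true
diagnose "$BOUND_NAMES" "$BOUND_NAMESPACES" admin-panel "$FIXED_MANIFEST"
# The answer's second fix, bound_service_account_namespaces="*", also passes:
diagnose "$BOUND_NAMES" "*" admin-panel "$QUESTION_MANIFEST"
```

Of the two fixes the answer offers, setting the namespace in the manifest keeps the role's trust boundary as narrow as the question intended; a "*" namespace binding lets a service account named admin-panel in any namespace of the cluster obtain this role's policy, so it is worth treating as a diagnostic step rather than the final configuration.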
