Configuring Vault for EKS


When booting an EKS cluster with Vault enabled, the fields under vault.aws in the jx-requirements-eks.yml file must be set to enable Vault support.

Vault does not currently support Identity Access Management (IAM) Roles for Service Accounts, so you will be prompted to provide a preconfigured IAM User.

The jx-requirements-eks.yml file contains the following settings for EKS Vault configuration:

vault:
  aws:
    autoCreate: true
    iamUserName: <username>

For Vault support on EKS clusters, you must provide an existing IAM username in the iamUserName setting; the Vault pod uses that user's Access Keys to authenticate against AWS.

The IAM user does not need any permissions attached to it. During the installation process, CloudBees Jenkins X Distribution creates a new IAM Policy and attaches it to this user. This policy defines the permissions that the Vault pod uses.

A new set of Access Keys is created during Vault creation. There is a limit of 2 key pairs per IAM user, so ensure that there is at least one key slot free on the IAM user that you are providing; otherwise, Vault configuration will fail. If you do not want CloudBees Jenkins X Distribution to create these keys, you can provide a key pair that you already created through the environment variables VAULT_AWS_ACCESS_KEY_ID and VAULT_AWS_SECRET_ACCESS_KEY.

In the install-vault step, the jx boot process runs a CloudFormation stack that creates every resource Vault needs in order to work.

You can find the CloudFormation stack template here.

Providing existing resources

If you want to provide existing resources and settings instead of letting CloudBees Jenkins X Distribution create them, set vault.aws.autoCreate to false.

You must provide the names of the existing resources in the jx-requirements-eks.yml file:

vault:
  aws:
    autoCreate: false
    iamUserName: acmeuser
    dynamoDBTable: ""
    dynamoDBRegion: ""
    kmsKeyId: ""
    kmsRegion: ""
    s3Bucket: ""
    s3Region: ""
    s3Prefix: ""

Note: A pair of Access Keys will be created even if you set autoCreate to false. To prevent this, set an existing pair through the environment variables VAULT_AWS_ACCESS_KEY_ID and VAULT_AWS_SECRET_ACCESS_KEY.
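The two failure modes above (the IAM user already holding its 2 Access Keys, and an autoCreate: false configuration that leaves resource names blank) are easy to catch before running jx boot. The following pre-flight check is an added example, not part of the CloudBees Jenkins X Distribution or jx code base. It assumes the requirements file has already been loaded into a dict (for instance with PyYAML) and that the IAM key listing is the parsed JSON printed by the aws iam list-access-keys command; the sample config and key listing are constructed here, with placeholder key ids. The 2-key limit, the field names and the VAULT_AWS_* variable names come from the page.

```python
"""Pre-flight checks for the vault.aws section of jx-requirements-eks.yml.

Added example, not part of the CloudBees Jenkins X Distribution code base.
Assumptions: `requirements` is the parsed YAML as a dict, and
`list_access_keys_output` is the parsed JSON document that
`aws iam list-access-keys --user-name <user>` prints.
"""
import os

IAM_ACCESS_KEY_LIMIT = 2  # AWS allows at most two access keys per IAM user

# Fields that must name an existing resource when autoCreate is false.
# s3Prefix is omitted on purpose: an empty prefix is a valid setting.
REQUIRED_EXISTING_FIELDS = (
    "dynamoDBTable", "dynamoDBRegion",
    "kmsKeyId", "kmsRegion",
    "s3Bucket", "s3Region",
)

# Constructed sample inputs (not real AWS output); key ids are placeholders.
SAMPLE_KEYS_ONE_USED = {"AccessKeyMetadata": [
    {"UserName": "acmeuser", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active"},
]}
SAMPLE_KEYS_FULL = {"AccessKeyMetadata": [
    {"UserName": "acmeuser", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active"},
    {"UserName": "acmeuser", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Inactive"},
]}
SAMPLE_REQUIREMENTS_AUTOCREATE = {
    "vault": {"aws": {"autoCreate": True, "iamUserName": "acmeuser"}}}
SAMPLE_REQUIREMENTS_EXISTING_BLANK = {
    "vault": {"aws": {"autoCreate": False, "iamUserName": "acmeuser",
                      "dynamoDBTable": "", "dynamoDBRegion": "", "kmsKeyId": "",
                      "kmsRegion": "", "s3Bucket": "", "s3Region": "", "s3Prefix": ""}}}


def free_key_slots(list_access_keys_output):
    """Return how many access-key slots are still free on the IAM user.

    Inactive keys still occupy a slot, so every entry is counted.
    """
    used = len(list_access_keys_output.get("AccessKeyMetadata", []))
    return max(IAM_ACCESS_KEY_LIMIT - used, 0)


def check_vault_aws(requirements, list_access_keys_output, env=None):
    """Return a list of problems; an empty list means the config is ready for jx boot."""
    env = os.environ if env is None else env
    problems = []
    aws = requirements.get("vault", {}).get("aws", {})

    if not aws.get("iamUserName"):
        problems.append("vault.aws.iamUserName is required for Vault on EKS")

    have_id = bool(env.get("VAULT_AWS_ACCESS_KEY_ID"))
    have_secret = bool(env.get("VAULT_AWS_SECRET_ACCESS_KEY"))
    if have_id != have_secret:
        problems.append("set both VAULT_AWS_ACCESS_KEY_ID and VAULT_AWS_SECRET_ACCESS_KEY, or neither")

    # A key pair is created whenever none is supplied via the environment,
    # even with autoCreate: false, so a free slot is needed in that case.
    if not (have_id and have_secret) and free_key_slots(list_access_keys_output) == 0:
        problems.append(
            f"IAM user {aws.get('iamUserName')!r} already has {IAM_ACCESS_KEY_LIMIT} access keys; "
            "free one or supply VAULT_AWS_ACCESS_KEY_ID and VAULT_AWS_SECRET_ACCESS_KEY")

    # With autoCreate: false every resource must be named explicitly.
    if aws.get("autoCreate") is False:
        for field in REQUIRED_EXISTING_FIELDS:
            if not aws.get(field):
                problems.append(f"vault.aws.{field} must name an existing resource when autoCreate is false")
    return problems


if __name__ == "__main__":
    for label, reqs, keys in (
        ("autoCreate, one key slot free", SAMPLE_REQUIREMENTS_AUTOCREATE, SAMPLE_KEYS_ONE_USED),
        ("existing resources left blank, no slot free", SAMPLE_REQUIREMENTS_EXISTING_BLANK, SAMPLE_KEYS_FULL),
    ):
        print(f"{label}:")
        for problem in check_vault_aws(reqs, keys, env={}) or ["ok"]:
            print(f"  - {problem}")
```

In practice you would replace the constructed dicts with yaml.safe_load of the requirements file and json.loads of the aws iam list-access-keys output; the check is deliberately read-only so it can be run by an operator whose own credentials carry no IAM write permissions.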