Hashicorp vault: Multiple Applications and Multiple service accounts - prevent another app from using different svc account

Question

I have a Vault deployment in my cluster that I use to store secrets. Additionally, I have created roles, policies, and a ServiceAccount. My applications will retrieve secrets from Vault using this service account. However, I am concerned that another application could use the service account meant for a different application. What measures can I take to prevent this from happening?

Say, I have assigned different policies to application A and application B, so I need a way to ensure that application B cannot use the ServiceAccount meant for application A.

Answer 1

Using the kubernetes auth method, this is how it works. You don't need to do anything else. Assuming you are using the default behavior of kubernetes where it creates a service account per app, you're good.

When an app logins to Vault using a ServiceAccount, it provides its token and authenticates for a specific role, e.g

curl \
    --request POST \
    --data '{"jwt": "<your service account jwt>", "role": "demo"}' \
    http://127.0.0.1:8200/v1/auth/kubernetes/login

The SA token is available only to your service. Kubernetes creates a SA for each app. It means AppA doesn't have the access for AppB ServiceAccount token (unless you explicitly specify that).

The way to integrate that with Vault is to config a named role with a bounded service account and namespace

vault write auth/kubernetes/role/demo \
    bound_service_account_names=myapp \
    bound_service_account_namespaces=default \
    policies=default \
    ttl=1h

The above role can be used to authenticate only for myapp from the default namespace. No other app can login using this role.

To address your question, you would need a different Vault role for each app, with different bounded service account and namespace.

Check out Vault documentation on kubernetes auth method for full example