This gist is the Terraform configuration for the previous tutorial on HashiCorp Vault AWS Auth with Amazon EKS and IAM Roles for Service Accounts.
This Terraform configuration replaces all the AWS and Vault CLI commands in the previous tutorial.
Before running the next steps, make sure you have started Vault and ngrok locally. Take a look at the previous tutorial for more details.
When you copy this gist, make sure the *_eks_*.tf files are in a folder called /eks, like so:
├── eks
│ ├── main.tf
│ ├── outputs.tf
│ ├── variables.tf
├── main.tf
├── outputs.tf
└── variables.tf
Apply the Terraform configuration
terraform init
terraform apply
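The gist's own .tf files are not reproduced here, so as an added example (not the gist's code) the fragment below shows the two bindings that make this setup least-privilege: the IRSA trust policy only lets the vault-auth service account assume the IAM role, and the Vault AWS auth role dev-role-iam2 only accepts logins from that IAM role. The variables eks_oidc_provider_arn and eks_oidc_provider_url, the default namespace, the IAM role name vault-auth-irsa and the Vault policy name dev are assumptions for the example.

```hcl
# Added example, not the gist's files. Assumes the EKS cluster's OIDC provider
# already exists and is passed in as these two variables.
variable "eks_oidc_provider_arn" {
  description = "ARN of the EKS cluster's IAM OIDC provider (assumed input)"
  type        = string
}

variable "eks_oidc_provider_url" {
  description = "Issuer URL of the EKS OIDC provider without the https:// prefix, e.g. oidc.eks.<region>.amazonaws.com/id/<ID> (assumed input)"
  type        = string
}

# Trust policy: only the vault-auth service account in the default namespace
# may exchange its projected token for this role (binding 1).
data "aws_iam_policy_document" "vault_auth_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [var.eks_oidc_provider_arn]
    }

    # Pin the token subject to one namespace/service-account pair; a wildcard
    # here would let every pod in the cluster assume the role.
    condition {
      test     = "StringEquals"
      variable = "${var.eks_oidc_provider_url}:sub"
      values   = ["system:serviceaccount:default:vault-auth"]
    }

    # Pin the audience so tokens minted for other services are rejected.
    condition {
      test     = "StringEquals"
      variable = "${var.eks_oidc_provider_url}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "vault_auth" {
  name               = "vault-auth-irsa" # assumed name
  assume_role_policy = data.aws_iam_policy_document.vault_auth_assume.json
}

# Vault side: enable the AWS auth method and bind the role to that IAM role
# only (binding 2). auth_type = "iam" means the pod signs an
# sts:GetCallerIdentity request and Vault verifies who the caller is.
resource "vault_auth_backend" "aws" {
  type = "aws"
}

resource "vault_aws_auth_backend_role" "dev" {
  backend                  = vault_auth_backend.aws.path
  role                     = "dev-role-iam2"
  auth_type                = "iam"
  bound_iam_principal_arns = [aws_iam_role.vault_auth.arn]
  token_policies           = ["dev"] # assumed policy name
  token_ttl                = 3600
}

# Matches the output name the test step below reads with terraform output -raw.
output "iam_assumable_role_with_web_identity" {
  value = aws_iam_role.vault_auth.arn
}
```

Two things to check after apply: the sub condition must name exactly the namespace and service account you create in the test step, otherwise the pod's token exchange fails with an AccessDenied from STS before Vault is ever contacted; and because the pod authenticates as an assumed-role session, Vault resolves the bound role ARN to its unique ID, so the credentials Vault itself uses for the AWS auth method need iam:GetRole on that role.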
Test the Pod identity
VAULT_AUTH_ROLE_ARN=$(terraform output -raw iam_assumable_role_with_web_identity)
VAULT_AUTH_K8S_SERVICE_ACCOUNT=vault-auth
kubectl create sa $VAULT_AUTH_K8S_SERVICE_ACCOUNT
kubectl annotate sa $VAULT_AUTH_K8S_SERVICE_ACCOUNT eks.amazonaws.com/role-arn=$VAULT_AUTH_ROLE_ARN
kubectl run vault -it --rm --restart=Never \
--serviceaccount $VAULT_AUTH_K8S_SERVICE_ACCOUNT \
--image vault -- \
vault login -address=http://2a7f0319443a.ngrok.io \
-method=aws \
role="dev-role-iam2"
Clean up
terraform destroy