
HashiCorp Vault with Yandex KMS support

Updated December 5, 2024

HashiCorp Vault is an open source tool for securely storing and accessing secrets (for example, passwords, certificates, and tokens). The image contains a pre-installed build of HashiCorp Vault with added support for Auto Unseal via Yandex Key Management Service. The build is based on HashiCorp Vault 1.18.1.

Deployment instructions
  1. Create a service account, which is required for HashiCorp Vault:

    yc iam service-account create --name vault-kms
    
  2. Create an authorized key for the service account and save it to the file authorized-key.json:

    yc iam key create \
       --service-account-name vault-kms \
       --output authorized-key.json
    
  3. Create a Yandex Key Management Service key:

    yc kms symmetric-key create \
       --name example-key \
       --default-algorithm aes-256 \
       --rotation-period 24h
    

    Save the key ID (id). You will need it when installing the application.

  4. Assign the service account the kms.keys.encrypterDecrypter role for the Yandex Key Management Service key:

    yc kms symmetric-key add-access-binding \
       --name example-key \
       --service-account-name vault-kms \
       --role kms.keys.encrypterDecrypter
    
  5. Configure the application:

    • Namespace: Select a namespace or create a new one.
    • Application name: Enter an application name.
    • Service account key: Copy the contents of the authorized-key.json file to this field.
    • KMS key ID: Specify the ID of the Yandex Key Management Service key that you got earlier.
  6. Click Install.

  7. Make sure that the application pod is in the Running state with 0/1 containers ready. The pod is reported as not ready until the vault has been initialized:

    kubectl get pods --selector='app.kubernetes.io/name=vault'
    

    Expected output:

    NAME                READY   STATUS    RESTARTS   AGE
    <vault pod name>    0/1     Running   0          58s
    
  8. Initialize the vault:

    kubectl exec --stdin=true --tty=true <vault pod name> -- vault operator init
    

    Expected output:

    Recovery Key 1: ulbugw4IKttmCCPprF6JwmUCyx1YfieCQPQiI2S0VV9o
    Recovery Key 2: S0kcValC6qSfEI4WJBovSbJWZntBUwtTrtisSIcS3n0e
    Recovery Key 3: t44ZRqbzLZNzfChinZNzLCNnwvFN/R52vbDq/UueHPPg
    Recovery Key 4: af4PRlm3VdXRzEHoDpYEnSgbwj4oc4zLCwkJG36cOUER
    Recovery Key 5: rw9LXcyGEhoO4y4O5IA32IwiDS2t76zd52eiVqfpu+b6
    
    Initial Root Token: s.4ddyD9kkIKVrslVBQBX1I5Pq
    
    Success! Vault is initialized
    
    Recovery key initialized with 5 key shares and a key threshold of 3. Please
    securely distribute the key shares printed above.
    

    Don’t run the unseal operation when initializing the vault: with Auto Unseal, the Yandex Key Management Service key unseals the vault automatically, and the keys printed above are recovery keys, not unseal keys. For more information, see Auto Unseal and the HashiCorp Vault documentation.

  9. Query the list of application pods again and make sure that one pod is ready:

    kubectl get pods --selector='app.kubernetes.io/name=vault'
    

    Expected output:

    NAME                READY   STATUS    RESTARTS   AGE
    vault-yckms-k8s-0   1/1     Running   0          1h
    
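The checks below are an added example and are not part of this Marketplace page or of the yandex-cloud/vault build. They verify the artefacts the deployment steps produce: that the saved authorized-key.json is not readable by other users, which readiness state the vault pod is in (0/1 Running before init, 1/1 Running after auto-unseal, anything else is a misconfiguration to investigate), and that the output of vault operator init reports recovery keys rather than unseal keys. All inputs are constructed samples modelled on the expected outputs above, so the script runs without yc, kubectl or a cluster; the function names and the fake key values are the example's own.

```shell
#!/bin/sh
# Added example: checks for the artefacts of the deployment steps above.
# Not part of the Yandex Cloud Marketplace page or the yandex-cloud/vault build.

# --- 1. The authorized key file (step 2) -------------------------------------
# key_file_private <path>
# Returns 0 only when the file exists and is readable neither by group nor by
# others. The authorized key is what gives the Vault pod its KMS permissions;
# a world-readable copy left on a workstation is the usual way it leaks.
key_file_private() {
    [ -f "$1" ] || return 1
    # POSIX find: -perm -040 = group-read bit set, -perm -004 = other-read bit set.
    leak=$(find "$1" -perm -040 -o -perm -004 2>/dev/null)
    [ -z "$leak" ]
}

# --- 2. Pod readiness (steps 7 and 9) ----------------------------------------
# Constructed samples in the shape of
#   kubectl get pods --selector='app.kubernetes.io/name=vault'
PODS_BEFORE_INIT='NAME                READY   STATUS    RESTARTS   AGE
vault-yckms-k8s-0   0/1     Running   0          58s'
PODS_AFTER_INIT='NAME                READY   STATUS    RESTARTS   AGE
vault-yckms-k8s-0   1/1     Running   0          1h'
PODS_BROKEN='NAME                READY   STATUS             RESTARTS   AGE
vault-yckms-k8s-0   0/1     CrashLoopBackOff   4          3m'

# vault_pod_state <kubectl-output>
# Prints one of:
#   uninitialized  Running with 0/1 ready: `vault operator init` not yet run
#   ready          Running with 1/1 ready: initialized and auto-unsealed
#   unexpected     no pod, or not Running. With auto-unseal a crash-looping pod
#                  usually means the KMS key ID or service-account key entered
#                  in step 5 is wrong, or the kms.keys.encrypterDecrypter
#                  binding from step 4 is missing.
vault_pod_state() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                                    # header row
        $3 == "Running" && $2 == "0/1" { print "uninitialized"; seen = 1; exit }
        $3 == "Running" && $2 == "1/1" { print "ready";         seen = 1; exit }
        { print "unexpected"; seen = 1; exit }
        END { if (!seen) print "unexpected" }'
}

# --- 3. Output of `vault operator init` (step 8) -----------------------------
# Constructed sample; the key shares and the token are fake placeholders.
INIT_OUTPUT='Recovery Key 1: FAKE-RECOVERY-KEY-1
Recovery Key 2: FAKE-RECOVERY-KEY-2
Recovery Key 3: FAKE-RECOVERY-KEY-3
Recovery Key 4: FAKE-RECOVERY-KEY-4
Recovery Key 5: FAKE-RECOVERY-KEY-5

Initial Root Token: FAKE-ROOT-TOKEN

Success! Vault is initialized

Recovery key initialized with 5 key shares and a key threshold of 3. Please
securely distribute the key shares printed above.'

# Constructed sample of the shape init prints when no KMS seal is active:
# Vault emits unseal keys instead of recovery keys, and the pod stays sealed
# until someone unseals it by hand, which this deployment must never need.
INIT_OUTPUT_NO_AUTOUNSEAL='Unseal Key 1: FAKE-UNSEAL-KEY-1
Unseal Key 2: FAKE-UNSEAL-KEY-2
Unseal Key 3: FAKE-UNSEAL-KEY-3
Unseal Key 4: FAKE-UNSEAL-KEY-4
Unseal Key 5: FAKE-UNSEAL-KEY-5

Initial Root Token: FAKE-ROOT-TOKEN

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.'

# init_output_ok <init-output>
# Returns 0 when the output contains recovery keys (the auto-unseal case) and
# the number of "Recovery Key N:" lines equals the share count announced in
# the summary line. Returns 1 if any "Unseal Key" line is present: the vault
# was started without the Yandex KMS seal and the deployment has to be fixed
# rather than unsealed manually.
init_output_ok() {
    out=$1
    printf '%s\n' "$out" | grep -q '^Unseal Key [0-9][0-9]*:' && return 1
    shares=$(printf '%s\n' "$out" | sed -n 's/.*initialized with \([0-9][0-9]*\) key shares.*/\1/p')
    [ -n "$shares" ] || return 1
    n=$(printf '%s\n' "$out" | grep -c '^Recovery Key [0-9][0-9]*:') || true
    [ "$n" -gt 0 ] && [ "$n" -eq "$shares" ]
}

# Stand-alone demonstration on the constructed samples.
echo "before init: $(vault_pod_state "$PODS_BEFORE_INIT")"
echo "after init:  $(vault_pod_state "$PODS_AFTER_INIT")"
echo "broken pod:  $(vault_pod_state "$PODS_BROKEN")"
if init_output_ok "$INIT_OUTPUT"; then echo "init output: ok"; else echo "init output: NOT ok"; fi
```

To use it against a live deployment, pass the real outputs instead of the samples, for example `vault_pod_state "$(kubectl get pods --selector='app.kubernetes.io/name=vault')"` and `key_file_private authorized-key.json` before pasting the key into the application form in step 5.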
Billing type
Free
Type
Kubernetes® Application
Category
Developer tools
Security
Publisher
Yandex Cloud
Vendor
HashiCorp
Use cases
  • Secure secrets storage.
  • Managing access to secrets.
Technical support

Yandex Cloud technical support is available 24/7 to respond to requests. The types of requests available and their response time depend on your pricing plan. You can activate paid support in the management console. Learn more about requesting technical support. You can also get help from the community.

Product composition
Helm chart: yandex-cloud/vault/chart/vault, version 0.29.0_yckms
Docker images:
  • yandex-cloud/vault/vault-k8s, version 1.5.0
  • yandex-cloud/vault/vault, version 1.18.1_yckms
  • yandex-cloud/vault/vault-csi-provider, version 1.5.0
Terms
By using this product you agree to the Yandex Cloud Marketplace Terms of Service and the terms and conditions of the following software: HashiCorp Vault with Yandex Key Management Service, HashiCorp Vault.