# Authentication Methods
The Vault Access Operator supports multiple authentication methods to connect to HashiCorp Vault. Choose the method that best fits your environment and security requirements.
## Quick Reference
| Method | Best For | Cloud Provider | Complexity |
|---|---|---|---|
| Kubernetes | Standard K8s clusters | Any | Low |
| AWS IAM | EKS with IRSA | AWS | Medium |
| GCP IAM | GKE with Workload Identity | GCP | Medium |
| OIDC | EKS/GKE/Azure workload identity | Any | Medium |
| JWT | External identity providers | Any | Medium |
| AppRole | CI/CD pipelines | Any | Low |
| Token | Development/testing only | Any | Very Low |
| Bootstrap | Initial Vault setup | Any | Medium |
## Decision Guide

```mermaid
flowchart TD
    Q["What environment<br/>are you running in?"]
    Q --> EKS["EKS"]
    Q --> GKE["GKE"]
    Q --> Other["Other"]
    EKS --> IRSA{"IRSA enabled?"}
    GKE --> WI{"Workload Identity?"}
    Other --> K8s3["Kubernetes Auth"]
    IRSA -- Yes --> AWS["AWS IAM"]
    IRSA -- No --> K8s1["Kubernetes Auth"]
    WI -- Yes --> GCP["GCP IAM"]
    WI -- No --> K8s2["Kubernetes Auth"]
```
## Method Comparison

### Security Level
| Method | Token Lifetime | Credential Type | Auto-Rotation |
|---|---|---|---|
| Kubernetes | Short (1h default) | Service Account Token | Yes |
| AWS IAM | Short | IAM Credentials | Yes (IRSA) |
| GCP IAM | Short | Workload Identity Token | Yes |
| OIDC | Short | JWT from IdP | Yes |
| JWT | Configurable | External JWT | Depends |
| AppRole | Configurable | SecretID | Manual |
| Token | Long-lived | Static Token | No |
| Bootstrap | One-time | Bootstrap Token | N/A |
### Prerequisites
| Method | Vault Config Required | K8s Config Required | Cloud Config Required |
|---|---|---|---|
| Kubernetes | Kubernetes auth enabled | ServiceAccount | None |
| AWS IAM | AWS auth enabled | IRSA annotation | IAM Role + Trust Policy |
| GCP IAM | GCP auth enabled | Workload Identity annotation | GCP SA + IAM Binding |
| OIDC | OIDC auth enabled | ServiceAccount | OIDC Provider |
| JWT | JWT auth enabled | ServiceAccount or Secret | IdP configuration |
| AppRole | AppRole auth enabled | Secret with credentials | None |
| Token | None | Secret with token | None |
| Bootstrap | Permissive token | Secret with token | None |
## Which Method Should I Use?

### Production Workloads
- EKS clusters: Use AWS IAM with IRSA for the strongest security
- GKE clusters: Use GCP IAM with Workload Identity
- Standard Kubernetes: Use Kubernetes auth - it's secure and well-tested
- Multi-cloud or hybrid: Use OIDC for consistent identity federation
### CI/CD Pipelines
Use AppRole auth for:
- GitHub Actions
- GitLab CI
- Jenkins
- ArgoCD
### Development and Testing
Use Token auth only for:
- Local development
- Quick testing
- Demos
**Never use Token auth in production.**
Token auth uses long-lived static credentials and should never be used in production environments.
### Initial Setup
Use Bootstrap auth to:
- Configure Vault's Kubernetes auth method
- Set up initial policies
- Transition to Kubernetes auth afterward
## Common Configuration

All authentication methods share these common fields:

```yaml
apiVersion: vault.platform.io/v1alpha1
kind: VaultConnection
metadata:
  name: my-vault
spec:
  address: https://vault.example.com:8200
  tls:
    caSecretRef:
      name: vault-ca-cert
      key: ca.crt
  auth:
    # Choose ONE of the following auth methods
    kubernetes: { ... }
    aws: { ... }
    gcp: { ... }
    oidc: { ... }
    jwt: { ... }
    appRole: { ... }
    token: { ... }
    bootstrap: { ... }
```
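As an added example that is not part of the operator or its documentation, the following Python lint checks a parsed `VaultConnection` manifest against the rules this page states: exactly one method under `spec.auth`, an `https` address, a CA reference under `spec.tls`, and no Token or Bootstrap auth in a production manifest. The auth method keys are the ones listed above; the `environment` argument and the `NON_PRODUCTION_METHODS` set are assumptions made for this example, and the sample manifests are constructed (they are what `yaml.safe_load` would return for the YAML shown).

```python
"""Lint a VaultConnection manifest (as a parsed dict) against the rules
stated on this page. Added example; not part of the operator."""

from __future__ import annotations

from typing import Any

# Auth method keys accepted under spec.auth, as listed on this page.
AUTH_METHODS = ("kubernetes", "aws", "gcp", "oidc", "jwt", "appRole", "token", "bootstrap")

# Assumption for this example: methods the page reserves for development,
# testing or one-time initial setup rather than steady-state production.
NON_PRODUCTION_METHODS = {"token", "bootstrap"}


def lint_vault_connection(manifest: dict[str, Any], environment: str = "production") -> list[str]:
    """Return a list of findings; an empty list means the manifest passes."""
    findings: list[str] = []

    if (manifest.get("apiVersion") != "vault.platform.io/v1alpha1"
            or manifest.get("kind") != "VaultConnection"):
        findings.append("not a vault.platform.io/v1alpha1 VaultConnection")

    spec = manifest.get("spec") or {}

    # Vault traffic carries secrets, so the address must be TLS.
    address = str(spec.get("address", ""))
    if not address.startswith("https://"):
        findings.append(f"spec.address must use https, got {address!r}")

    # Without a CA reference the operator cannot verify the Vault certificate.
    ca = (spec.get("tls") or {}).get("caSecretRef") or {}
    if not ca.get("name") or not ca.get("key"):
        findings.append("spec.tls.caSecretRef.name and .key must be set so the Vault certificate is verified")

    # Exactly one auth method may be configured.
    auth = spec.get("auth") or {}
    configured = [m for m in AUTH_METHODS if m in auth]
    unknown = sorted(set(auth) - set(AUTH_METHODS))
    if unknown:
        findings.append(f"unknown auth method(s): {unknown}")
    if len(configured) != 1:
        findings.append(f"exactly one auth method must be set, found {configured or 'none'}")
    elif environment == "production" and configured[0] in NON_PRODUCTION_METHODS:
        findings.append(
            f"auth.{configured[0]} is for development/testing or initial setup only, not production"
        )
    return findings


# Constructed sample manifests.
GOOD_MANIFEST = {
    "apiVersion": "vault.platform.io/v1alpha1",
    "kind": "VaultConnection",
    "metadata": {"name": "my-vault"},
    "spec": {
        "address": "https://vault.example.com:8200",
        "tls": {"caSecretRef": {"name": "vault-ca-cert", "key": "ca.crt"}},
        # Method-specific fields omitted; see the Kubernetes setup guide.
        "auth": {"kubernetes": {}},
    },
}

BAD_MANIFEST = {
    "apiVersion": "vault.platform.io/v1alpha1",
    "kind": "VaultConnection",
    "metadata": {"name": "dev-vault"},
    "spec": {
        "address": "http://vault.example.com:8200",  # plaintext, no tls block
        "auth": {"token": {}, "appRole": {}},          # two methods at once
    },
}

TOKEN_MANIFEST = {
    **GOOD_MANIFEST,
    "spec": {**GOOD_MANIFEST["spec"], "auth": {"token": {}}},
}


if __name__ == "__main__":
    for name, manifest in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST), ("token", TOKEN_MANIFEST)):
        print(name, lint_vault_connection(manifest) or "OK")
```

Running the lint as an admission check or in CI catches the two mistakes this page warns about most: a manifest that configures more than one auth method, and a Token-auth manifest that has drifted from a development cluster into production. Passing `environment="development"` accepts the Token manifest, matching the page's guidance for local development and demos.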
## Next Steps
Choose your authentication method and follow the detailed setup guide:
- Kubernetes Authentication - Standard K8s clusters
- AWS IAM Authentication - EKS with IRSA
- GCP IAM Authentication - GKE with Workload Identity
- OIDC Authentication - Workload identity federation
- JWT Authentication - External identity providers
- AppRole Authentication - CI/CD pipelines
- Token Authentication - Development only
- Bootstrap Authentication - Initial setup