external-secrets/docs/snippets/vault-iam-store.yaml

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend-aws-iam
spec:
  provider:
    vault:
      server: "http://my.vault.server:8200"
      path: secret
      version: v2
      namespace: <vault_namespace>
      auth:
        iam:
          # Path where the AWS auth method is enabled in Vault, e.g: "aws/". Defaults to aws
          path: aws
          # AWS Region. Defaults to us-east-1
          region: us-east-1
          # Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
          vaultRole: vault-role-for-aws-iam-auth
          # Optional. Placeholder to supply header X-Vault-AWS-IAM-Server-ID. It is an additional (optional) header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
          vaultAwsIamServerID: example-vaultAwsIamServerID
          jwt:
            serviceAccountRef:
              name: my-serviceaccount #Provide service account with IRSA enabled
:sparkles: Enabling Vault IAM auth (#2208) * Enabling Vault IAM auth Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com> * Adding spec Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com> * Adding test cases and decoupling vault provider from aws for iam auth Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com> * Fixing comments Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com> * Fixing linter issues Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com> * Fixing the check-diff errors Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com> * Adding support for assumeRole operations when using static creds Signed-off-by: Gaurav Dasson <gdasson@Gauravs-Mac-mini.local> * Bumping the dependencies to fix the go.mod/go.sum conflicts Signed-off-by: Gaurav Dasson <gdasson@Gauravs-Mac-mini.local> * Bumping up e2e go mod files Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com> --------- Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com> 2023-05-11 09:10:07 +00:00			`apiVersion: external-secrets.io/v1beta1`
			`kind: SecretStore`
			`metadata:`
			`name: vault-backend-aws-iam`
			`spec:`
			`provider:`
			`vault:`
			`server: "http://my.vault.server:8200"`
			`path: secret`
			`version: v2`
			`namespace: <vault_namespace>`
			`auth:`
			`iam:`
			`# Path where the AWS auth method is enabled in Vault, e.g: "aws/". Defaults to aws`
			`path: aws`
			`# AWS Region. Defaults to us-east-1`
			`region: us-east-1`
			`# Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine`
			`vaultRole: vault-role-for-aws-iam-auth`
			`# Optional. Placeholder to supply header X-Vault-AWS-IAM-Server-ID. It is an additional (optional) header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws`
			`vaultAwsIamServerID: example-vaultAwsIamServerID`
			`jwt:`
			`serviceAccountRef:`
			`name: my-serviceaccount #Provide service account with IRSA enabled`