A SecretAccessRequest is a Kubernetes CustomResourceDefinition (CRD) which allows a user to request credentials from a Vault server in a Kubernetes-native way. If the SecretAccessRequest is approved, the KubeVault operator will issue credentials and create a Kubernetes secret containing them. The secret name will be specified in the status.secret.name field.
KubeVault operator performs the following operations when a DatabaseAccessRequest CRD is created:
- status.conditions[].type is Approved or not
- status.secret.name
Like any official Kubernetes resource, a SecretAccessRequest object has TypeMeta, ObjectMeta, Spec and Status sections.
A sample SecretAccessRequest object is shown below:
```yaml
apiVersion: engine.kubevault.com/v1alpha1
kind: SecretAccessRequest
metadata:
  name: aws-cred-req
  namespace: dev
spec:
  roleRef:
    kind: AWSRole
    name: aws-role
  subjects:
    - kind: ServiceAccount
      name: test-user-account
      namespace: test
```
Here, we are going to describe the various sections of the SecretAccessRequest CRD.
SecretAccessRequest spec contains information about the database role and subject.
```yaml
spec:
  roleRef:
    apiGroup: <role-apiGroup>
    kind: <role-kind>
    name: <role-name>
    namespace: <role-namespace>
  subjects:
    - kind: <subject-kind>
      apiGroup: <subject-apiGroup>
      name: <subject-name>
      namespace: <subject-namespace>
  ttl: <ttl-for-leases>
```
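A pre-approval check over the spec and status fields described above, as an added example that is not part of the KubeVault documentation or code. It reads the JSON form of a request; the sample object (including its status block and secret name), the Group subject, and the choice of what to flag are assumptions made for illustration.

```python
import json

# Kubernetes built-in groups that match very large sets of identities.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}

# Constructed sample: the manifest from this page in JSON form, plus an assumed
# Group subject and an assumed status block (the secret name is a placeholder).
SAMPLE = json.loads("""
{
  "apiVersion": "engine.kubevault.com/v1alpha1",
  "kind": "SecretAccessRequest",
  "metadata": {"name": "aws-cred-req", "namespace": "dev"},
  "spec": {
    "roleRef": {"kind": "AWSRole", "name": "aws-role"},
    "subjects": [
      {"kind": "ServiceAccount", "name": "test-user-account", "namespace": "test"},
      {"kind": "Group", "name": "system:authenticated"}
    ]
  },
  "status": {"conditions": [{"type": "Approved"}], "secret": {"name": "aws-cred-req-constructed"}}
}
""")

def is_approved(req):
    """True if any status.conditions[].type equals Approved."""
    conds = req.get("status", {}).get("conditions") or []
    return any(c.get("type") == "Approved" for c in conds)

def issued_secret(req):
    """Name from status.secret.name, reported only when the request is approved."""
    name = req.get("status", {}).get("secret", {}).get("name")
    return name if is_approved(req) else None

def review(req):
    """Return findings a reviewer may want to resolve before approving."""
    findings = []
    meta, spec = req.get("metadata", {}), req.get("spec", {})
    for s in spec.get("subjects") or []:
        label = f'{s.get("kind")}/{s.get("name")}'
        ns = s.get("namespace")
        if ns and ns != meta.get("namespace"):
            findings.append(f"{label}: subject namespace {ns!r} differs from request namespace {meta.get('namespace')!r}")
        if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS:
            findings.append(f"{label}: broad built-in group")
    if not spec.get("ttl"):
        findings.append("spec.ttl not set")
    return findings
```

Feed it objects from `kubectl get secretaccessrequest -o json` (one item at a time) to review pending requests before they are approved.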