You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.

New to KubeVault? Please start here.


What is SecretAccessRequest

A SecretAccessRequest is a Kubernetes CustomResourceDefinition (CRD) which allows a user to request a Vault server for credentials in a Kubernetes native way. If SecretAccessRequest is approved, then the KubeVault operator will issue credentials and create Kubernetes secret containing credentials. The secret name will be specified in field.

SecretAccessRequest CRD

KubeVault operator performs the following operations when a DatabaseAccessRequest CRD is created:

  • Checks whether status.conditions[].type is Approved or not
  • If Approved, requests the Vault server for credentials
  • Creates a Kubernetes Secret which contains the credentials
  • Sets the name of the k8s secret to SecretAccessRequest’s
  • Assigns read permissions on that Kubernetes secret to specified subjects or user identities

SecretAccessRequest CRD Specification

Like any official Kubernetes resource, a SecretAccessRequest object has TypeMeta, ObjectMeta, Spec and Status sections.

A sample SecretAccessRequest object is shown below:

kind: SecretAccessRequest
  name: aws-cred-req
  namespace: dev
    kind: AWSRole
    name: aws-role
    - kind: ServiceAccount
      name: test-user-account
      namespace: test

Here, we are going to describe the various sections of the SecretAccessRequest crd.

SecretAccessRequest Spec

SecretAccessRequest spec contains information about database role and subject.

    apiGroup: <role-apiGroup>
    kind: <role-kind>
    name: <role-name>
    namespace: <role-namespace>
    - kind: <subject-kind>
      apiGroup: <subject-apiGroup>
      name: <subject-name>
      namespace: <subject-namespace>
  ttl: <ttl-for-leases>