Part 2: Initializing Vault, Enabling IAM Authentication, and Securing Access

This is part 2 of the Vault configuration series, and it covers how to enable AWS IAM authentication. IAM auth keeps things simple when your workloads already run on AWS: there are no Vault tokens to hand out or rotate, because clients authenticate with the IAM identity they already hold. I will cover:
- How to create and configure AWS IAM roles across the organization for Vault
- Creating an example Vault role and a test policy for it
- Configuring external-secrets to fetch a secret from Vault

In part 1 we successfully deployed our EKS cluster and initialized our Vault cluster; now it is time to configure access to the Vault server. Let's imagine AWS is your main cloud provider. Rather than reinventing the wheel by managing Vault tokens ourselves, we stick with IAM: AWS roles handle authentication, and the Vault policies bound to those roles handle authorization. This is entirely achievable, but before we start we need to create the AWS roles.
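To make the three steps concrete, here is an added example (not code from the original post) in the same Tofu/Terraform HCL the series uses: an IAM role that only the external-secrets service account can assume through IRSA, the Vault AWS auth method with a role bound to that IAM role's ARN, a read-only test policy, and a SecretStore that logs in with that identity. Every name in it is an assumption for illustration: the variables `oidc_provider_arn` and `oidc_provider_url`, the `external-secrets` namespace and service account, the Vault address `vault.example.internal`, the region, and the KV path `secret/data/app/config`. It assumes the `aws`, `vault` and `kubernetes` providers are configured, and that the Vault pods already hold `iam:GetRole`, which Vault uses to resolve the bound role ARN to its unique ID.

```hcl
# Added example, not from the original post. All names below are assumptions.
variable "oidc_provider_arn" { type = string } # EKS cluster OIDC provider ARN
variable "oidc_provider_url" { type = string } # OIDC issuer host/path, without https://

# 1. IAM role that only the external-secrets service account may assume (IRSA).
#    The sub condition pins the namespace/service-account pair; the aud condition
#    rejects tokens projected for other audiences.
data "aws_iam_policy_document" "eso_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_provider_url}:sub"
      values   = ["system:serviceaccount:external-secrets:external-secrets"]
    }
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_provider_url}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "eso" {
  name               = "vault-external-secrets"
  assume_role_policy = data.aws_iam_policy_document.eso_trust.json
}

# 2. Enable the AWS auth method. No static keys are set on the client block, so
#    Vault uses the credentials of the role its own pods run under.
resource "vault_auth_backend" "aws" {
  type = "aws"
  path = "aws"
}

resource "vault_aws_auth_backend_client" "aws" {
  backend = vault_auth_backend.aws.path
  # Clients must send X-Vault-AWS-IAM-Server-ID with this value, which ties the
  # signed STS request to this Vault cluster and blocks replaying it elsewhere.
  iam_server_id_header_value = "vault.example.internal"
}

# 3. Least-privilege test policy: read-only on a single KV v2 path.
resource "vault_policy" "app_read" {
  name   = "app-read"
  policy = <<-EOT
    path "secret/data/app/config" {
      capabilities = ["read"]
    }
  EOT
}

# 4. Vault role bound to the IAM role ARN. Assumed-role sessions of that role
#    match; Vault stores the role's unique ID, so a recreated role with the same
#    name does not inherit the binding.
resource "vault_aws_auth_backend_role" "eso" {
  backend                  = vault_auth_backend.aws.path
  role                     = "external-secrets"
  auth_type                = "iam"
  bound_iam_principal_arns = [aws_iam_role.eso.arn]
  token_policies           = [vault_policy.app_read.name]
  token_ttl                = 3600
  token_max_ttl            = 14400
}

# 5. external-secrets SecretStore: the projected SA token is exchanged for STS
#    credentials, which sign the Vault IAM login. The service account needs the
#    eks.amazonaws.com/role-arn annotation set to aws_iam_role.eso.arn.
resource "kubernetes_manifest" "vault_store" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
    kind       = "SecretStore"
    metadata   = { name = "vault", namespace = "external-secrets" }
    spec = {
      provider = {
        vault = {
          server  = "https://vault.example.internal:8200"
          path    = "secret"
          version = "v2"
          auth = {
            iam = {
              path                = "aws"
              region              = "eu-west-1"
              vaultRole           = vault_aws_auth_backend_role.eso.role
              vaultAwsIamServerID = "vault.example.internal"
              jwt = { serviceAccountRef = { name = "external-secrets" } }
            }
          }
        }
      }
    }
  }
}
```

Two details carry the security of this setup. Binding a specific role ARN (not a wildcard) means no other AWS principal in the account can log in as `external-secrets`, and `iam_server_id_header_value` means a captured, still-valid signed login request cannot be replayed against a different Vault cluster. If the login fails, check STS first: a missing `eks.amazonaws.com/role-arn` annotation on the service account fails before Vault is ever contacted.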
How to Deploy HashiCorp Vault on AWS EKS with IAM Authentication and KMS Auto-Unseal – Part 1: Infrastructure Setup

In this guide, we'll deploy a production-grade Vault setup on AWS EKS. The Vault server will:
- Use Raft (Integrated Storage) as the storage backend, for high availability without an external database
- Automatically unseal via AWS KMS
- Use IAM-based authentication for secure and flexible access control

We will provision the infrastructure using Terragrunt and OpenTofu (an open-source fork of Terraform), but you can adapt this to your preferred tooling. A Terragrunt configuration that pulls in the VPC and KMS modules as dependencies looks like this:
```hcl
# Inherit the root and AWS-level Terragrunt configuration
include "root" {
  path = find_in_parent_folders()
}

include "aws" {
  path = find_in_parent_folders("aws.hcl")
}

# VPC module: supplies the subnets the cluster runs in
dependency "vpc" {
  config_path = "${dirname(find_in_parent_folders("aws.tfvars"))}/vpc"
}

# KMS module: supplies the key Vault uses for auto-unseal
dependency "kms" {
  config_path = "${dirname(find_in_parent_folders("aws.tfvars"))}/kms/infra"
}

locals {
  # Pinned versions shared across the repository
  version = read_terragrunt_config(find_in_parent_folders("versions.hcl"))
}
```
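The Terragrunt stack above provisions the cluster and the KMS key; the other half of the picture is what the Vault server itself is told about them. The following is an added example (not the original post's configuration) of a Vault server config file for the three properties listed at the top of this part: Raft storage, KMS auto-unseal, and TLS on the listener. It assumes the Helm chart's default naming (a `vault-internal` headless service with pods `vault-0`, `vault-1`, `vault-2` in namespace `vault`), TLS material mounted under `/vault/userconfig/vault-tls`, region `eu-west-1`, and a placeholder KMS key ARN; all of these are assumptions.

```hcl
# Added example, not from the original post. Paths, names, region and the KMS
# key ARN are placeholders to replace with the values from your own stack.
ui = true

listener "tcp" {
  address         = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_cert_file   = "/vault/userconfig/vault-tls/tls.crt"
  tls_key_file    = "/vault/userconfig/vault-tls/tls.key"
  tls_min_version = "tls12"
}

# Raft (Integrated Storage): each pod keeps its own copy on its persistent
# volume, so no external database is needed. The node id is taken from the
# VAULT_RAFT_NODE_ID environment variable when node_id is not set here.
storage "raft" {
  path = "/vault/data"

  # Each pod retries joining through the others until a leader answers.
  # The CA file and server name pin the join to our own cluster's TLS identity.
  retry_join {
    leader_api_addr       = "https://vault-0.vault-internal:8200"
    leader_ca_cert_file   = "/vault/userconfig/vault-tls/ca.crt"
    leader_tls_servername = "vault-0.vault-internal"
  }
  retry_join {
    leader_api_addr       = "https://vault-1.vault-internal:8200"
    leader_ca_cert_file   = "/vault/userconfig/vault-tls/ca.crt"
    leader_tls_servername = "vault-1.vault-internal"
  }
  retry_join {
    leader_api_addr       = "https://vault-2.vault-internal:8200"
    leader_ca_cert_file   = "/vault/userconfig/vault-tls/ca.crt"
    leader_tls_servername = "vault-2.vault-internal"
  }
}

# Auto-unseal: the root key is wrapped by this KMS key, so a restarted pod
# unseals itself without anyone entering unseal key shares. The IAM identity the
# pods run under needs kms:Encrypt, kms:Decrypt and kms:DescribeKey on the key.
seal "awskms" {
  region     = "eu-west-1"
  kms_key_id = "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000" # placeholder
}

# Lets Vault label its own pods with their active/standby status
service_registration "kubernetes" {}
```

The per-pod `api_addr` and `cluster_addr` are normally supplied through environment variables rather than in this file, since they differ per replica. The caveat that matters operationally: auto-unseal moves the trust to the KMS key policy and the IAM permissions above, so anyone who can call `kms:Decrypt` with that key can unseal a copy of the Raft data. Keep the key policy as tight as the Vault policies you write later, and make sure the initial recovery keys produced at `vault operator init` are stored out of band, because they are what you will need if the KMS key is ever unavailable.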
Tue May 27 09:25:05 2025