I have a Vault deployment in my cluster that I use to store secrets. Additionally, I have created roles, policies, and a ServiceAccount. My applications will retrieve secrets from Vault using this service account. However, I am concerned that another application could use the service account meant for a different application. What measures can I take to prevent this from happening?
Say I have assigned different policies to application A and application B, so I need a way to ensure that application B cannot use the ServiceAccount meant for application A.
Using the kubernetes auth method, this is how it works. You don't need to do anything else. Assuming you are using the default behavior of kubernetes where it creates a service account per app, you're good.
When an app logs in to Vault using a ServiceAccount, it provides its token and authenticates for a specific role, e.g.
curl \
--request POST \
--data '{"jwt": "<your service account jwt>", "role": "demo"}' \
http://127.0.0.1:8200/v1/auth/kubernetes/login
The SA token is available only to your service. Kubernetes creates an SA for each app. It means AppA doesn't have access to AppB's ServiceAccount token (unless you explicitly specify that).
The way to integrate that with Vault is to configure a named role with a bound service account and namespace:
vault write auth/kubernetes/role/demo \
bound_service_account_names=myapp \
bound_service_account_namespaces=default \
policies=default \
ttl=1h
The above role can be used to authenticate only for myapp from the default namespace. No other app can log in using this role.
To address your question, you would need a different Vault role for each app, each with a different bound service account and namespace.
Check out the Vault documentation on the kubernetes auth method for a full example.
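To make the answer's point concrete, here is an added example (not code from the original post, and not Vault's own implementation) that models, in Python, the comparison Vault's kubernetes auth method makes between the service account identity inside a token and a role's bound_service_account_names / bound_service_account_namespaces. It builds unsigned stand-in tokens with constructed claims in both the legacy flat claim layout and the newer nested "kubernetes.io" layout used by projected tokens. Real Vault first validates the token (by default through the Kubernetes TokenReview API) and only then applies this binding check; the verification step is deliberately skipped here, and the role names, policy names and error strings are illustrative, not Vault's. The "*" handling mirrors Vault's documented wildcard for either bound_ field.

```python
import base64
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sa_jwt(namespace: str, name: str, projected: bool = True) -> str:
    """Build an UNSIGNED stand-in for a Kubernetes ServiceAccount token.

    Constructed test data only: the signature segment is a placeholder and is
    never verified here. Real Vault has the API server verify the token.
    """
    header = {"alg": "RS256", "kid": "example-kid"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    if projected:
        # Layout used by projected (bound) service account tokens.
        claims["kubernetes.io"] = {"namespace": namespace, "serviceaccount": {"name": name}}
    else:
        # Legacy layout used by the older secret-based tokens.
        claims["kubernetes.io/serviceaccount/namespace"] = namespace
        claims["kubernetes.io/serviceaccount/service-account.name"] = name
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        _b64url(b"signature-placeholder-not-checked"),
    ])


def sa_identity(jwt: str) -> Tuple[str, str]:
    """Return (namespace, service_account_name) from either claim layout."""
    claims = json.loads(_b64url_decode(jwt.split(".")[1]))
    if "kubernetes.io" in claims:
        k8s = claims["kubernetes.io"]
        return k8s["namespace"], k8s["serviceaccount"]["name"]
    return (
        claims["kubernetes.io/serviceaccount/namespace"],
        claims["kubernetes.io/serviceaccount/service-account.name"],
    )


@dataclass
class Role:
    """Subset of a Vault kubernetes auth role relevant to the binding check."""
    name: str
    bound_service_account_names: List[str]
    bound_service_account_namespaces: List[str]
    policies: List[str]


def login(roles: Dict[str, Role], role_name: str, jwt: str) -> Tuple[Optional[List[str]], Optional[str]]:
    """Model of the post-verification binding check. Returns (policies, error)."""
    role = roles.get(role_name)
    if role is None:
        return None, f"invalid role name {role_name!r}"
    namespace, sa_name = sa_identity(jwt)
    # "*" in either list means "any", as in Vault's documented wildcard.
    if "*" not in role.bound_service_account_names and sa_name not in role.bound_service_account_names:
        return None, "service account name not authorized"
    if "*" not in role.bound_service_account_namespaces and namespace not in role.bound_service_account_namespaces:
        return None, "namespace not authorized"
    return list(role.policies), None


def example_roles() -> Dict[str, Role]:
    """One role per app, as the answer recommends (illustrative names)."""
    return {
        "app-a": Role("app-a", ["app-a"], ["default"], ["app-a-policy"]),
        "app-b": Role("app-b", ["app-b"], ["default"], ["app-b-policy"]),
        # Any service account, but only from the team-x namespace.
        "any-in-team-x": Role("any-in-team-x", ["*"], ["team-x"], ["team-x-policy"]),
    }


if __name__ == "__main__":
    roles = example_roles()
    jwt_a = make_sa_jwt("default", "app-a")
    jwt_b = make_sa_jwt("default", "app-b")
    for role_name, jwt in [("app-a", jwt_a), ("app-a", jwt_b), ("app-b", jwt_b)]:
        print(role_name, sa_identity(jwt), login(roles, role_name, jwt))
```

The attempt that matters for the question is app-b's token presented against the app-a role: the service account name in the token does not match bound_service_account_names, so no policies are issued, regardless of which role the caller asks for in the login request.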