Important Announcement!

This deprecated version of TLS Protect for Kubernetes, originally known as Jetstack Secure, will be PERMANENTLY SHUT DOWN on May 19, 2025. If you're still using this version, please work with your CyberArk/Venafi account team to transition to the current version of TLS Protect for Kubernetes.

isolated-issuer Vault Permissions

Vault is supported for both bootstrapping a signing CA, and for signing leaf certificates. To do this, isolated-issuer requires access to a few Vault endpoints, which can be granted through the use of a policy.

An example policy, vault_policy.hcl, is provided below. It uses isolated_root as the bootstrap path and isolated_signer as the signing path; if your Vault mounts use different names, change those path names in the policy to match the path(s) you're using.

Creating a Policy and Issuing a Token

Working with the principle of least privilege, we first want to create a minimal Vault policy to allow access to the endpoints required by isolated-issuer.

$ cat <<EOF > vault_policy.hcl
path "isolated_root/root/sign-intermediate" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
path "isolated_signer/config/ca" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
path "isolated_signer/cert/ca" {
  capabilities = [ "read", "list" ]
}
path "isolated_signer/sign-verbatim" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
EOF
$ vault policy write isolated_policy vault_policy.hcl
Success! Uploaded policy: isolated_policy

With the policy in place, we need to issue a token attached to that policy; the token is then added to the isolated-issuer configuration file:

$ vault token create -format=json -policy="isolated_policy" | jq -r ".auth.client_token"
s.PYFjD2tI0mE7gAlFKH6UAVPC # this is an example key, your output will differ
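Because the policy is the only thing standing between the issued token and the rest of Vault, it is worth checking it before uploading it, both when copying the example above and when renaming the mount paths. The following Python script is an added example, not part of isolated-issuer or Vault: it parses the simple path/capabilities stanzas used in vault_policy.hcl (it does not implement full HCL), compares them against the four endpoints listed on this page for a given pair of bootstrap and signing mount names, and reports globs, extra capabilities, and missing endpoints. The broad policy it audits as a negative case is constructed for the example.

```python
"""Audit a Vault policy for isolated-issuer against the minimal endpoint set.

Hypothetical helper added to this page; it is not isolated-issuer or Vault code.
Only the simple `path "..." { capabilities = [ ... ] }` stanza form is parsed.
"""
import re

# The four endpoints this page grants. {root} and {signer} stand for the
# bootstrap and signing mount paths, which a deployment may have renamed.
REQUIRED_TEMPLATE = {
    "{root}/root/sign-intermediate": {"create", "read", "update", "delete", "list"},
    "{signer}/config/ca": {"create", "read", "update", "delete", "list"},
    "{signer}/cert/ca": {"read", "list"},
    "{signer}/sign-verbatim": {"create", "read", "update", "delete", "list"},
}

# Constructed copy of the page's vault_policy.hcl, using the page's mount names.
POLICY_HCL = """
path "isolated_root/root/sign-intermediate" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
path "isolated_signer/config/ca" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
path "isolated_signer/cert/ca" {
  capabilities = [ "read", "list" ]
}
path "isolated_signer/sign-verbatim" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
"""

# Constructed over-broad policy: a glob over the whole signing mount plus sudo.
BROAD_HCL = """
path "isolated_signer/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}
path "isolated_root/root/sign-intermediate" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
"""

_STANZA_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def required_paths(root_mount="isolated_root", signer_mount="isolated_signer"):
    """Expand the endpoint templates for the mount names actually in use."""
    return {
        tmpl.format(root=root_mount, signer=signer_mount): set(caps)
        for tmpl, caps in REQUIRED_TEMPLATE.items()
    }


def parse_policy(hcl_text):
    """Return {path: set(capabilities)} for each stanza in the policy text."""
    policy = {}
    for path, caps_text in _STANZA_RE.findall(hcl_text):
        policy[path] = set(re.findall(r'"([^"]+)"', caps_text))
    return policy


def audit_policy(policy, required):
    """List least-privilege findings; an empty list means the policy is minimal."""
    findings = []
    for path, caps in policy.items():
        if any(ch in path for ch in "*+"):
            findings.append(f"{path}: glob covers more than one endpoint")
        if "sudo" in caps:
            findings.append(f"{path}: sudo capability is not needed by isolated-issuer")
        if path not in required:
            findings.append(f"{path}: not an isolated-issuer endpoint")
            continue
        extra = caps - required[path]
        if extra:
            findings.append(f"{path}: unnecessary capabilities {sorted(extra)}")
    for path, caps in required.items():
        if path not in policy:
            findings.append(f"{path}: missing, required by isolated-issuer")
        elif caps - policy[path]:
            findings.append(f"{path}: lacks {sorted(caps - policy[path])}")
    return findings


if __name__ == "__main__":
    for name, text in (("page policy", POLICY_HCL), ("broad policy", BROAD_HCL)):
        result = audit_policy(parse_policy(text), required_paths())
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run it before `vault policy write`; when the mounts are renamed, pass the new names to `required_paths()` so the audit tracks the paths the policy should contain rather than the page's examples.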
