Apono Vault

Deploy an Apono native vault in your Kubernetes environment to store privileged accounts and manage access through Apono

Many organizations enforce strict policies that prohibit storing highly privileged credentials in third-party SaaS platforms. Security teams still need a way to securely store credentials such as cloud root accounts, database sysadmins, and emergency breakglass credentials while ensuring access is tightly controlled.

Apono Vault solves this problem by allowing you to deploy a lightweight vault inside your own Kubernetes environment. This vault stores secrets locally while Apono manages just-in-time (JIT) access, approvals, and auditing.

Through this integration, your organization can:

  • Store sensitive credentials entirely inside your own infrastructure

  • Eliminate hard-coded secrets and credentials sprawl

  • Grant engineers temporary, policy-controlled access to secrets

  • Maintain Zero Standing Privileges (ZSP) through time-bound access

  • Audit who accessed privileged credentials and when

Apono Vault is built on OpenBao and deployed directly in your Kubernetes cluster.


Prerequisites

| Item | Description |
|---|---|
| Apono Connector | On-prem connection serving as a bridge between Kubernetes and Apono. Learn how to install or update a connector for Kubernetes. NOTE: The connector must have permissions to access the Kubernetes namespace where the vault is deployed and read the vault credentials secret. |
| Apono CLI | Command-line tool enabling you to view, request, and receive permission to resources that are centrally managed by Apono. Version 1.3.5 or later is required for vault operations. Learn how to install and manage the Apono CLI. |
| Kubernetes Cluster | Kubernetes 1.30 or later with a configured PersistentVolume provisioner. Learn how to create a cluster. |
| Helm | Helm 3.12 or later installed in your environment. Learn how to install Helm. |
| kubectl | kubectl configured to access your Kubernetes cluster. Learn how to organize cluster access with the kubectl command-line tool. |


Deploy Apono Vault

Deploy Apono Vault in your Kubernetes cluster using one of the following methods.

We recommend the installation script deployment option.

Follow this step to deploy Apono Vault in your cluster:

  1. Run the installation script to automatically add the Helm repository, deploy the vault, and output the configuration details required for the Apono integration.

Configurable parameters

You can customize your deployment by passing the following Helm values with the --set flag.

| Parameter | Description | Default |
|---|---|---|
| vault.server.image.tag | Vault image version | 2.5.1 |
| vault.server.resources.requests.memory | Memory request | 128Mi |
| vault.server.resources.requests.cpu | CPU request | 100m |
| vault.server.resources.limits.memory | Memory limit | 256Mi |
| vault.server.resources.limits.cpu | CPU limit | 250m |
| vault.server.dataStorage.size | PVC size for Raft data | 1Gi |
| vault.server.dataStorage.storageClass | Storage class (uses cluster default if unset) | null |
| vault.server.service.type | Kubernetes service type | ClusterIP |
| vault.server.service.port | Service port | 8200 |

Example:

Record installation output

After installation is complete, the output displays the connector configuration values you need to integrate Apono Vault. Record the values below.

| Setting | Description | Example |
|---|---|---|
| Internal URL | Cluster-internal URL for the vault | http://apono-vault.apono-vault.svc.cluster.local:8200 |
| External URL | Optional externally accessible vault endpoint | |
| Namespace | Kubernetes namespace where the vault was deployed | apono-vault |
| Secret Name | Kubernetes secret containing the AppRole credentials | apono-vault-role |


Integrate Apono Vault

Follow these steps to complete the integration:

  1. On the Catalog tab, click Apono Vault. The Connect Integration page appears.

  2. Under Discovery, select one or both of the Apono Vault resource types (Secret and Management).

  3. Click Next. The Apono connector section expands.

  4. From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.

  5. Click Next. The Integration Config section expands.

  6. Define the Integration Config settings.

    • Integration Name: Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow.

    • Vault Internal URL: Cluster-internal vault endpoint. Copy this value from the installation output.

    • Vault External URL: Optional external endpoint if the vault service is exposed outside the cluster. Copy this value from the installation output.

  7. Click Next. The Secret Store section expands.

  8. Enter your Kubernetes secret in the Secret Store.

    • Namespace: Kubernetes namespace where the vault is deployed. Copy this value from the installation output.

    • Name: Kubernetes secret containing the AppRole credentials. Copy this value from the installation output.

  9. Click Next. The Get more with Apono section expands.

  10. Define the Get more with Apono settings.

    • Custom Access Details: (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.

    • Integration Owner: (Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:

      1. From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.

      2. From the Value dropdown menu, select one or multiple users or groups.

      NOTE: When Resource Owner is defined, an Integration Owner must be defined.

    • Resource Owner: (Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:

      1. Enter a Key name. This value is the name of the tag created in your cloud environment.

      2. From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.

      NOTE: When this setting is defined, an Integration Owner must also be defined.

  11. Click Confirm.

💡 Are you integrating with Apono using Terraform?

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

  1. At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.

  2. Click to copy the code.

  3. Make any additional edits.

  4. Deploy the code in your Terraform.

Refer to Integration Config Metadata for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your Apono Vault secrets. Users who are granted access can manage secrets using the Apono CLI.


Manage secrets in Apono Vault

Users can perform different actions in Apono Vault depending on the resource types and permissions they have been granted through an access flow.

Users granted access to the Management resource type can manage secrets within the vault. However, their available actions depend on their granted permissions.

| Permission | List | Create | Fetch | Update | Delete |
|---|---|---|---|---|---|
| Admin | | | | | |
| ReadWrite | | | | | |
| ReadOnly | | | | | |

List secrets:

Create a secret:

Fetch a secret:

Update a secret:

Delete a secret:


Troubleshooting Apono Vault

Expand the sections below to troubleshoot common issues. Contact Apono Support if you require additional help.

Initialization job failed

Run the following command to check the initialization job logs.

Vault does not auto-unseal after restart

Run the following command to verify the unseal secret contains real values.

If the value is placeholder, the initialization job has failed. Re-run the initialization.
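As an added check (not part of the original page or Apono's tooling), this script decodes the JSON that `kubectl get secret -n <namespace> <secret-name> -o json` returns for the unseal secret and reports every key that still holds the placeholder value left behind by a failed initialization job. The secret name and key names used in the constructed samples are assumptions; the only literal the page gives is the value "placeholder".

```python
import base64
import json

# Values that mean the initialization job never replaced the secret contents.
# "placeholder" is the value the troubleshooting text names; treating an empty
# string the same way is an assumption added here.
PLACEHOLDER_VALUES = {"placeholder", ""}


def decode_secret_data(secret_json: str) -> dict:
    """Base64-decode every key under .data of a `kubectl get secret -o json` document."""
    secret = json.loads(secret_json)
    data = secret.get("data") or {}
    return {k: base64.b64decode(v).decode("utf-8", errors="replace") for k, v in data.items()}


def find_placeholder_keys(secret_json: str) -> list:
    """Return (sorted) the keys whose decoded value is still a placeholder; empty means none."""
    decoded = decode_secret_data(secret_json)
    return sorted(k for k, v in decoded.items() if v.strip().lower() in PLACEHOLDER_VALUES)


def unseal_secret_is_initialized(secret_json: str) -> bool:
    """True only when the secret has at least one key and none of them hold a placeholder."""
    decoded = decode_secret_data(secret_json)
    return bool(decoded) and not find_placeholder_keys(secret_json)


def _sample_secret(values: dict) -> str:
    """Build a constructed Secret document shaped like kubectl's JSON output (fake data only)."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in values.items()}
    return json.dumps({"apiVersion": "v1", "kind": "Secret",
                       "metadata": {"name": "unseal-secret-EXAMPLE", "namespace": "apono-vault"},
                       "data": data})


# Constructed samples: the key names are hypothetical and the values are fake.
FAILED_INIT = _sample_secret({"unseal-key": "placeholder", "root-token": "placeholder"})
HEALTHY = _sample_secret({"unseal-key": "fake-unseal-key-share-1", "root-token": "fake-root-token"})

if __name__ == "__main__":
    for label, doc in (("failed-init", FAILED_INIT), ("healthy", HEALTHY)):
        if unseal_secret_is_initialized(doc):
            print(f"{label}: secret holds real values")
        else:
            print(f"{label}: re-run initialization, placeholders in {find_placeholder_keys(doc)}")
```

Pipe real `kubectl ... -o json` output into `unseal_secret_is_initialized` to get the same verdict the troubleshooting step asks you to make by eye.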

Pod stuck in CrashLoopBackOff

Run the following command to check the vault pod logs.

Raft lock file error

If a vault pod is force-deleted, a stale Raft lock file may remain.

Run the following command to reinstall the vault.

Then, reinstall the vault using one of the deployment methods above.


Uninstall Apono Vault


Follow these steps to uninstall Apono Vault:

  1. Run the following command to uninstall the vault deployment.

  2. (Optional) Run the following command to fully clean the environment.
