# Apono Vault Many organizations enforce strict policies that prohibit storing highly privileged credentials in third-party SaaS platforms. Security teams still need a way to securely store credentials such as cloud root accounts, database sysadmins, and emergency breakglass credentials while ensuring access is tightly controlled. Apono Vault solves this problem by allowing you to deploy a lightweight vault inside your own Kubernetes environment. This vault stores secrets locally while Apono manages just-in-time (JIT) access, approvals, and auditing. Through this integration, your organization can: * Store sensitive credentials entirely inside your own infrastructure * Eliminate hard-coded secrets and credentials sprawl * Grant engineers temporary, policy-controlled access to secrets * Maintain Zero Standing Privileges (ZSP) through time-bound access * Audit who accessed privileged credentials and when {% hint style="info" %} Apono Vault is built on [OpenBao](https://openbao.org/) and deployed directly in your Kubernetes cluster. {% endhint %} *** ### Prerequisites
ItemDescription
Apono ConnectorOn-prem connection serving as a bridge between Kubernetes and Apono

Learn how to install or update a connector for Kubernetes.

NOTE: The connector must have permissions to access the Kubernetes namespace where the vault is deployed and read the vault credentials secret.
Apono CLICommand-line tool enabling you to view, request, and receive permission to resources that are centrally managed by Apono

Version 1.3.5 or later is required for vault operations.

Learn how to install and manage the Apono CLI.
Kubernetes ClusterKubernetes 1.30 or later with a configured PersistentVolume provisioner

Learn how to create a cluster.
HelmHelm 3.12 or later installed in your environment

Learn how to install Helm.
kubectl

kubectl configured to access your Kubernetes cluster


Learn how to organize cluster access with the kubectl command-line tool.

*** ### Deploy Apono Vault Deploy Apono Vault in your Kubernetes cluster using one of the following methods. {% tabs %} {% tab title="Install script" %} {% hint style="info" %} **We recommend this deployment option**. {% endhint %} Follow this step to deploy Apono Vault in your cluster: 1. Run the installation script to automatically add the Helm repository, deploy the vault, and output the configuration details required for the Apono integration. ``` curl -s https://apono-public.s3.amazonaws.com/local-apono-vault/install.sh | bash ``` {% hint style="success" %} **Optional parameters** You can append parameters to the install script to add specific conditions to the vault deployment. **Deploy to a custom namespace**: ``` curl -s https://apono-public.s3.amazonaws.com/local-apono-vault/install.sh | bash -s -- -n my-namespace ``` \ **Deploy to a specific Kubernetes context**: ``` curl -s https://apono-public.s3.amazonaws.com/local-apono-vault/install.sh | bash -s -- --kube-context my-cluster ``` \ **Deploy with custom Helm parameters**: ``` curl -s https://apono-public.s3.amazonaws.com/local-apono-vault/install.sh | bash -s -- \ --kube-context my-cluster -n my-namespace \ --set vault.server.dataStorage.size=5Gi ``` \ **Use a custom values file**: ``` curl -s https://apono-public.s3.amazonaws.com/local-apono-vault/install.sh | bash -s -- -f custom-values.yaml ``` {% endhint %} {% endtab %} {% tab title="Manual Helm deployment" %} Follow this step to deploy Apono Vault in your cluster: 1. Deploy the vault using Helm. ``` helm repo add apono https://apono-io.github.io/apono-helm-charts helm repo update kubectl create namespace apono-vault helm install apono-vault apono/apono-vault -n apono-vault --wait ``` {% hint style="info" %} The `--wait` flag blocks the vault until all resources, including the initialization job, are ready. To monitor initialization in real time, omit `--wait` and tail the logs: ``` kubectl logs -f job/apono-vault-init -n apono-vault ``` {% endhint %} {% hint style="success" %} **Optional parameters** You can add parameters in Helm to add specific conditions to the vault deployment. **Deploy to a custom namespace**: ``` kubectl create namespace my-namespace helm install apono-vault apono/apono-vault -n my-namespace --wait ``` {% endhint %} {% endtab %} {% endtabs %}
Configurable parameters You can customize your deployment by passing the following Helm values with the `--set` flag.
ParameterDescriptionDefault
vault.server.image.tagVault image version2.5.1
vault.server.resources.requests.memoryMemory request128Mi
vault.server.resources.requests.cpuCPU request100m
vault.server.resources.limits.memoryMemory limit256Mi
vault.server.resources.limits.cpuCPU limit250m
vault.server.dataStorage.sizePVC size for Raft data1Gi
vault.server.dataStorage.storageClassStorage class (uses cluster default if unset)null
vault.server.service.typeKubernetes service typeClusterIP
vault.server.service.portService port8200
**Example**: ``` curl -s https://apono-public.s3.amazonaws.com/local-apono-vault/install.sh | bash -s -- \ --kube-context my-cluster \ -n apono-vault \ --set vault.server.image.tag=2.5.1 \ --set vault.server.resources.requests.memory=128Mi \ --set vault.server.resources.requests.cpu=100m \ --set vault.server.resources.limits.memory=256Mi \ --set vault.server.resources.limits.cpu=250m \ --set vault.server.dataStorage.size=5Gi \ --set vault.server.service.type=ClusterIP \ --set vault.server.service.port=8200 ```
#### Record installation output After installation is complete, the output displays the connector configuration values you need to integrate Apono Vault. Record the values below. | Setting | Description | Example | | ---------------- | ------------------------------------------------------ | ------------------------------------------------------- | | **Internal URL** | Cluster-internal URL for the vault | `http://apono-vault.apono-vault.svc.cluster.local:8200` | | **External URL** | Optional externally accessible vault endpoint | β€” | | **Namespace** | Kubernetes namespace where the vault was deployed | `apono-vault` | | **Secret Name** | Kubernetes secret containing the `AppRole` credentials | `apono-vault-role` | *** ### Integrate Apono Vault {% hint style="success" %} You can also use the steps below to integrate with Apono using Terraform. In step **11**, instead of clicking **Confirm**, follow the **Are you integrating with Apono using Terraform?** guidance. {% endhint %} Follow these steps to complete the integration: 1. On the [**Catalog**](https://app.apono.io/catalog/connect-integration/apono-vault) tab, click **Apono Vault**. The **Connect Integration** page appears. 2. Under **Discovery**, select one or both of the Apono Vault resource types (**Secret** and **Management**). {% hint style="warning" %} Users granted access to a resource type will be able to perform [different actions](#management-access) depending on their permission level. Granted permissions apply **only** to the secrets requested by the user. {% endhint %} 3. Click **Next**. The **Apono connector section** expands. 4. From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located. {% hint style="success" %} If the desired connector is not listed, click **+ Add new connector** and follow the instructions to [install the connector](https://docs.apono.io/docs/kubernetes-environment/apono-connector-for-kubernetes). {% endhint %} 5. Click **Next**. The **Integration Config** section expands. 6. Define the **Integration Config** settings.
SettingDescription
Integration NameUnique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Vault Internal URLCluster-internal vault endpoint

Copy this value from the installation output.
Vault External URLOptional external endpoint if the vault service is exposed outside the cluster

Copy this value from the installation output.
7. Click **Next**. The **Secret Store** section expands. 8. Enter your Kubernetes secret in the **Secret Store**.
FieldDescription
Namespace

Kubernetes namespace where the vault is deployed


Copy this value from the installation output.

NameKubernetes secret containing the AppRole credentials

Copy this value from the installation output.
9. Click **Next**. The **Get more with Apono** section expands. 10. Define the **Get more with Apono** settings.
SettingDescription
Custom Access Details(Optional) Instructions explaining how to access this integration's resources

Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters.

To view the message as it appears to end users, click Preview.
Integration Owner

(Optional) Fallback approver if no resource owner is found

Follow these steps to define one or several integration owners:

  1. From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
  2. From the Value dropdown menu, select one or multiple users or groups.


NOTE: When Resource Owner is defined, an Integration Owner must be defined.

Resource Owner

(Optional) Group or role responsible for managing access approvals or rejections for the resource

Follow these steps to define one or several resource owners:

  1. Enter a Key name. This value is the name of the tag created in your cloud environment.
  2. From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated.

    Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.


NOTE: When this setting is defined, an Integration Owner must also be defined.

11. Click **Confirm**.
πŸ’‘Are you integrating with Apono using Terraform? If you want to integrate with Apono using Terraform, follow these steps instead of clicking **Confirm**: 1. At the top of the screen, click **View as Code**. A modal appears with the completed Terraform configuration code. 2. Click to copy the code. 3. Make any additional edits. 4. Deploy the code in your Terraform. Refer to [Integration Config Metadata](https://app.gitbook.com/s/MwlUUTWervcv32GebSwo/integration-metadata/apono-vault) for more details about the schema definition.
Now that you have completed this integration, you can [create access flows](https://docs.apono.io/docs/access-flows/access-flows) that grant permission to your Apono Vault secrets. Users who are granted access can [manage secrets](#manage-secrets-in-apono-vault) using the Apono CLI. *** ### Manage secrets in Apono Vault Users can perform different actions in Apono Vault depending on the resource types and permissions they have been granted through an access flow. {% tabs %} {% tab title="Management access" %} Users granted access to the **Management** resource type can manage secrets within the vault. However, their available actions depend on their granted permissions. | Permission | List | Create | Fetch | Update | Delete | | ------------- | ---- | ------ | ----- | ------ | ------ | | **Admin** | βœ… | βœ… | βœ… | βœ… | βœ… | | **ReadWrite** | βœ… | βœ… | βœ… | βœ… | ❌ | | **ReadOnly** | βœ… | ❌ | βœ… | ❌ | ❌ | **List secrets**: ``` apono vault list --vault-id "" ``` **Create a secret**: ``` apono vault create / \ --vault-id "" \ --value '{"key": "value"}' ``` **Fetch a secret**: ``` apono vault fetch / \ --vault-id "" ``` **Update a secret**: ``` apono vault update / \ --vault-id "" \ --value '{"key": "new-value"}' ``` **Delete a secret**: ``` apono vault delete / \ --vault-id "" ``` {% endtab %} {% tab title="Secret access" %} Users granted the **Secret** resource type receive `ReadOnly` permissions and can fetch specific secrets. ``` apono vault fetch --vault-id "" ``` {% endtab %} {% endtabs %} *** ### Troubleshooting Apono Vault Expand the sections below to troubleshoot common issues. Contact Apono Support if you require additional help.
Initialization job failed Run the following command to check the initialization job logs. ``` kubectl logs job/apono-vault-init -n apono-vault ```
Vault does not auto-unseal after restart Run the following command to verify the unseal secret contains real values. ``` kubectl get secret apono-vault-unseal -n apono-vault \ -o jsonpath='{.data.unseal-key}' | base64 -d ``` If the value is `placeholder`, the initialization job has failed. Re-run the initialization. ``` kubectl delete job apono-vault-init -n apono-vault helm upgrade apono-vault apono/apono-vault -n apono-vault ```
Pod stuck in CrashLoopBackOff Run the following command to check the vault pod logs. ``` kubectl logs -n apono-vault apono-vault-0 ```
Raft lock file error If a vault pod is force-deleted, a stale Raft lock file may remain. Run the following command to reinstall the vault. ``` helm uninstall apono-vault -n apono-vault kubectl delete pvc -n apono-vault data-apono-vault-0 ``` Then, reinstall the vault using one of the deployment methods above. {% hint style="danger" %} Deleting the PVC **permanently removes** all vault data. {% endhint %}
*** ### Uninstall Apono Vault {% hint style="danger" %} Deleting the PVC **permanently removes** all vault data. {% endhint %} Follow these steps to uninstall Apono Vault: 1. Run the following command to uninstall the vault deployment. ``` helm uninstall apono-vault -n apono-vault ``` 2. (Optional) Run the following command to fully clean the environment. ``` kubectl delete pvc -n apono-vault data-apono-vault-0 kubectl delete secret -n apono-vault apono-vault-unseal apono-vault-role kubectl delete namespace apono-vault ```