HashiCorp Vault AppRole for External Secrets Operator
January 28, 2026•Salih Kayiplar
The Problem
External Secrets Operator needs a way to authenticate with Vault that doesn't expire and doesn't require human intervention. AppRole is the recommended auth method for machine-to-machine authentication.
Setup
Enable AppRole auth and create a role with a long-lived secret ID:
# Enable AppRole auth method
vault auth enable approle
# Set long default TTLs for the AppRole mount
vault auth tune -default-lease-ttl=999999999 -max-lease-ttl=999999999 approle
# Create the role with appropriate token settings
# Secret ID settings: effectively no expiry and no use limit on the secret ID itself
vault write auth/approle/role/external-secrets-operator \
    secret_id_ttl=999999999 \
    secret_id_num_uses=999999999
# Token settings: each token issued at login is short-lived and limited to 20 uses (see Gotcha below)
vault write auth/approle/role/external-secrets-operator \
    token_num_uses=20 \
    token_ttl=20m \
    token_max_ttl=30m \
    token_explicit_max_ttl=30m
# Generate the secret ID
vault write -f auth/approle/role/external-secrets-operator/secret-id
# Get the role ID
vault read auth/approle/role/external-secrets-operator/role-id
# Assign policies (admin is broad; a policy limited to reading the KV paths ESO syncs is the least-privilege choice)
vault write -f auth/approle/role/external-secrets-operator policies=admin
Test the Login
vault write auth/approle/login \
    role_id=<your-role-id> \
    secret_id=<your-secret-id>
Kubernetes Secret Store
Create the ClusterSecretStore pointing to Vault. It reads the role ID and secret ID from the role-id and secret-id keys of a Kubernetes Secret named vault-approle in the external-secrets namespace, so create that Secret first:
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-secret-store
spec:
  provider:
    vault:
      server: "https://vault.example.com"
      path: "secret"
      version: "v2"
      auth:
        appRole:
          path: "approle"
          roleRef:
            name: vault-approle
            key: role-id
            namespace: external-secrets
          secretRef:
            name: vault-approle
            key: secret-id
            namespace: external-secrets
Gotcha
The token_num_uses=20 means each token can only be used 20 times before ESO needs to re-authenticate. If you have many secrets syncing frequently, increase this value or set it to 0 (unlimited). Watch for 403 permission denied errors in ESO logs as a sign the token is exhausted.
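Checking whether the role's token budget covers ESO's sync load, as an added Python example (not code from the original post or from External Secrets Operator): the login uses Vault's HTTP AppRole endpoint with the server and mount from the ClusterSecretStore above, SAMPLE_LOGIN is a constructed login response with this page's role settings, and the one-KV-read-per-ExternalSecret-per-refresh model is an assumption.

```python
"""Check an AppRole login's token budget against ESO's sync load (added example)."""
import json
import math
import re
import urllib.request

VAULT_ADDR = "https://vault.example.com"   # server from the ClusterSecretStore above
APPROLE_MOUNT = "approle"                  # auth mount path from the ClusterSecretStore

def approle_login(role_id: str, secret_id: str, vault_addr: str = VAULT_ADDR) -> dict:
    """Same login as 'vault write auth/approle/login', done over the HTTP API."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    req = urllib.request.Request(f"{vault_addr}/v1/auth/{APPROLE_MOUNT}/login", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def token_budget(login_resp: dict) -> dict:
    """Pull the fields the Gotcha depends on out of a login response."""
    auth = login_resp["auth"]
    return {"num_uses": auth["num_uses"],          # 0 means unlimited
            "ttl": auth["lease_duration"],         # seconds until the token expires
            "policies": list(auth["token_policies"])}

def uses_needed(secret_count: int, refresh_interval_s: int, token_ttl_s: int) -> int:
    """Vault calls ESO makes within one token lifetime.
    Assumption: one KV read per ExternalSecret per refresh cycle."""
    return secret_count * math.ceil(token_ttl_s / refresh_interval_s)

def token_sufficient(budget: dict, secret_count: int, refresh_interval_s: int) -> bool:
    """True if the token's use budget outlasts its TTL for this sync load."""
    if budget["num_uses"] == 0:
        return True
    return uses_needed(secret_count, refresh_interval_s, budget["ttl"]) <= budget["num_uses"]

# Symptom from the Gotcha; a 403 also appears when the policy lacks access, so correlate with re-auth.
EXHAUSTED_RE = re.compile(r"\b403\b.*permission denied", re.IGNORECASE)

def exhausted_token_lines(log_lines: list) -> list:
    """Return ESO log lines that show the 403 the Gotcha describes."""
    return [line for line in log_lines if EXHAUSTED_RE.search(line)]

# Constructed sample of a Vault login response using the role settings from this page.
SAMPLE_LOGIN = {"auth": {"client_token": "hvs.CONSTRUCTED", "renewable": True,
                         "lease_duration": 1200, "num_uses": 20,
                         "token_policies": ["admin", "default"]}}

if __name__ == "__main__":
    budget = token_budget(SAMPLE_LOGIN)
    # 5 ExternalSecrets refreshing every 60s need 100 reads per 20-minute token, far over 20
    print(budget, token_sufficient(budget, secret_count=5, refresh_interval_s=60))
```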