
HashiCorp Vault on Amazon EKS

A unified interface to manage and encrypt secrets on Amazon EKS

This Partner Solution deploys a flexible, scalable Amazon Web Services (AWS) Cloud environment to Amazon Elastic Kubernetes Service (Amazon EKS) and launches HashiCorp Vault using HashiCorp Vault Helm chart.

HashiCorp Vault lessens the need for static, hardcoded credentials by using trusted identities to centralize passwords and control access. It encrypts sensitive data—both in transit and at rest—using centrally managed and secured encryption keys through a single workflow and API. You can access key-value stores and generate AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS) credentials.

This Partner Solution was developed by HashiCorp Inc. in partnership with AWS. HashiCorp is an AWS Partner.

What you'll build

This Partner Solution sets up the following HashiCorp Vault environment on AWS. Note that this module is based on the Modular and Scalable Amazon EKS Architecture Partner Solution.

    • A highly available architecture that spans three Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
    • In one public subnet:
      • A Linux bastion host in an Auto Scaling group to allow inbound Secure Shell (SSH) access to Amazon Elastic Compute Cloud (Amazon EC2) instances in private subnets. The bastion host is also configured with the Kubernetes kubectl command line interface for managing the Kubernetes cluster.
    • In the private subnets:
      • A group of Kubernetes nodes.
    • An Amazon EKS cluster, which provides the Kubernetes control plane.

    * The template that deploys the Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

How to deploy

To deploy this Partner Solution, follow the instructions in the deployment guide, which includes these steps.

    1. If you don't already have an AWS account, sign up at, and sign in to your account.
    2. Launch the Partner Solution. The stack takes about 1.5 hours to deploy. Before you create the stack, choose the AWS Region from the top toolbar. Choose one of the following options:
    3. Review audit logs.
    4. Test the deployment.
    5. Get started with HashiCorp EKS Vault.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

Costs and licenses

This Partner Solution uses the open-source version of HashiCorp Vault, which does not require a license.

    You are responsible for the cost of the AWS services and any third-party licenses used while running this solution. There is no additional cost for using the solution.

    This solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?