Deep Dive: Vault AppRole Auth for Kubernetes
This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview.

AppRole is a machine-oriented auth method. Unlike Kubernetes Auth (which requires Vault to call the K8s TokenReview API), AppRole uses a RoleID + SecretID pair — making it ideal when Vault cannot reach the Kubernetes API server.

When to Use AppRole Over Kubernetes Auth

| Scenario | Use AppRole? |
|---|---|
| Vault is external and cannot reach K8s API | ✅ Yes |
| CI/CD pipelines (Jenkins, GitLab CI, GitHub Actions) | ✅ Yes |
| Batch jobs or CronJobs needing Vault access | ✅ Consider |
| Cross-cloud authentication | ✅ Yes |
| Vault is in-cluster or can reach K8s API | ❌ Use K8s Auth |

How AppRole Works

┌────────────────────────────────────────────────────────────┐
│                                                            │
│  ┌────────────┐            ┌──────────────────┐            │
│  │  App Pod   │  1....
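
The RoleID + SecretID login described above, as an added example (not code from the guide or from Vault): the client makes a single POST to Vault's `auth/approle/login` endpoint, and Vault needs no callback to the Kubernetes API. `StubVault`, the credential values and `demo()` are constructed stand-ins so the exchange runs offline; the default `approle` mount path is assumed.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values for the stub; real ones are issued by Vault.
ROLE_ID, SECRET_ID, TOKEN = "example-role-id", "example-secret-id", "example-client-token"

class StubVault(BaseHTTPRequestHandler):
    """Local stand-in for Vault's AppRole login endpoint (not a real Vault)."""
    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        ok = (self.path == "/v1/auth/approle/login"
              and body.get("role_id") == ROLE_ID and body.get("secret_id") == SECRET_ID)
        reply = ({"auth": {"client_token": TOKEN, "lease_duration": 3600}}
                 if ok else {"errors": ["invalid role or secret ID"]})
        data = json.dumps(reply).encode()
        self.send_response(200 if ok else 400)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args): pass  # keep the demo quiet

def approle_login(vault_addr, role_id, secret_id):
    """Exchange RoleID + SecretID for a Vault token; return None if rejected."""
    payload = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    req = urllib.request.Request(f"{vault_addr}/v1/auth/approle/login", data=payload,
                                 headers={"Content-Type": "application/json"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxies
    try:
        with opener.open(req, timeout=5) as resp:
            return json.load(resp)["auth"]["client_token"]
    except urllib.error.HTTPError:
        return None  # never log the SecretID or the raw response

def demo():
    """Try a valid and an invalid SecretID against the local stub."""
    server = HTTPServer(("127.0.0.1", 0), StubVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    addr = f"http://127.0.0.1:{server.server_port}"
    try:
        return approle_login(addr, ROLE_ID, SECRET_ID), approle_login(addr, ROLE_ID, "wrong")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

Against a real Vault, `approle_login` would be called with an `https://` address, and the SecretID would be delivered to the workload separately from the RoleID.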