open-vault/website/content/docs/platform/k8s/csi/examples.mdx

---
layout: docs
page_title: Vault CSI Provider Examples
description: This section documents examples of using the Vault CSI Provider.
---

# Vault CSI Provider Examples

The following examples demonstrate how the Vault CSI Provider can be used.

~> A common mistake is to not install the CSI Secret Store Driver before using the Vault CSI Provider.

## File Based Dynamic Database Credentials

The following Secret Provider Class retrieves dynamic database credentials from Vault and
extracts the generated username and password. The secrets are then mounted as files in the
configured mount location.

```yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-db-creds
spec:
  provider: vault
  parameters:
    roleName: 'app'
    vaultAddress: 'https://vault.vault:8200'
    vaultCACertPath: '/vault/tls/ca.crt'
    objects: |
      - objectName: "dbUsername"
        secretPath: "database/creds/db-app"
        secretKey: "username"
      - objectName: "dbPassword"
        secretPath: "database/creds/db-app"
        secretKey: "password"
```

Next, a pod can be created to use this Secret Provider Class to populate the secrets in the pod:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  labels:
    app: demo
spec:
  selector:
    matchLabels:
      app: demo
  replicas: 1
  template:
    metadata:
      annotations:
      labels:
        app: demo
    spec:
      serviceAccountName: app
      containers:
        - name: app
          image: my-app:1.0.0
          volumeMounts:
            - name: 'vault-db-creds'
              mountPath: '/mnt/secrets-store'
              readOnly: true
      volumes:
        - name: vault-db-creds
          csi:
            driver: 'secrets-store.csi.k8s.io'
            readOnly: true
            volumeAttributes:
              secretProviderClass: 'vault-db-creds'
```

The pod mounts a CSI volume and specifies the Secret Provider Class (`vault-db-creds`) created above.
The secrets created from that provider class are mounted to `/mnt/secrets-store`. When this pod is
created the containers will find two files containing secrets:

- `/mnt/secrets-store/dbUsername`
- `/mnt/secrets-store/dbPassword`

## Environment Variable Dynamic Database Credentials

The following Secret Provider Class retrieves dynamic database credentials from Vault and
extracts the generated username and password. The secrets are then synced to Kubernetes secrets
so that they can be mounted as environment variables in the containers.

```yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-db-creds
spec:
  provider: vault
  secretObjects:
    - secretName: vault-db-creds-secret
      type: Opaque
      data:
        - objectName: dbUsername # References dbUsername below
          key: username # Key within k8s secret for this value
        - objectName: dbPassword
          key: password
  parameters:
    roleName: 'app'
    vaultAddress: 'https://vault.vault:8200'
    vaultCACertPath: '/vault/tls/ca.crt'
    objects: |
      - objectName: "dbUsername"
        secretPath: "database/creds/db-app"
        secretKey: "username"
      - objectName: "dbPassword"
        secretPath: "database/creds/db-app"
        secretKey: "password"
```

Next, a pod can be created which uses this Secret Provider Class to populate the secrets in the pod's environment:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  labels:
    app: demo
spec:
  selector:
    matchLabels:
      app: demo
  replicas: 1
  template:
    metadata:
      annotations:
      labels:
        app: demo
    spec:
      serviceAccountName: app
      containers:
        - name: app
          image: my-app:1.0.0
          env:
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: vault-db-creds-secret
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: vault-db-creds-secret
                  key: password
          volumeMounts:
            - name: 'vault-db-creds'
              mountPath: '/mnt/secrets-store'
              readOnly: true
      volumes:
        - name: vault-db-creds
          csi:
            driver: 'secrets-store.csi.k8s.io'
            readOnly: true
            volumeAttributes:
              secretProviderClass: 'vault-db-creds'
```

The pod mounts a CSI volume and specifies the Secret Provider Class (`vault-db-creds`) created above.
The secrets created from that provider class are mounted to `/mnt/secrets-store`, additionally a Kubernetes
secret called `vault-db-creds` is created and referenced in two environment variables.