Kam Kyrala

Wouldn't it be better to just store the unseal keys as a secret? Seems less cloud specific to do it that way.

I'd be new to doing that, but can learn if you can point me to the existing document (if one exists) for using kube2iam.

Assuming Vault is in an HA state, would it be possible to store as kubernetes secrets as long as you have secrets encrypted? Secrets can be encrypted with Vault now:...

Wouldn't the bootstrap process stay the same? It would just reinforce that an org using a KMS should be encrypting their kubernetes secrets.