403 permission denied when you configure Vault Injector to connect to external Vault

When I was trying to inject secrets from Vault into Kubernetes, following the guidelines here [Integrate a Kubernetes Cluster with an External Vault], I faced a 403 permission denied error when the Vault injector pod tried to authenticate to the Vault server using the Vault Kubernetes auth method, while it was running a PUT request against /v1/auth/kubernetes/login. I followed all the steps in the guidelines. What could be the solution for this problem?

In this guideline, both Kubernetes and Vault are installed on the same server. However, in my example, the Vault and Kubernetes environments are different.

I think the issuer attribute will change, but is that the problem here?
issuer="https://kubernetes.default.svc.cluster.local"

$ vault write auth/kubernetes/config \
    token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
    kubernetes_host="$KUBE_HOST" \
    kubernetes_ca_cert="$KUBE_CA_CERT" \
    issuer="https://kubernetes.default.svc.cluster.local"

You are right, the issuer is the problem here.
Since your use case is (and correct me if I am wrong) based on a secret-based service account token, you can disable local issuer validation.
I would also recommend reading the new documentation surrounding the changes.
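Before changing the Vault config, it helps to see what issuer the cluster actually puts in the token the injector presents. The script below is an added example, not part of this thread or of Vault's code: it decodes the payload of a service account JWT (without verifying the signature, so it is a diagnostic only, never an auth decision) and compares its "iss" claim with the issuer configured on the auth method. The two tokens in the block are constructed with dummy signatures; a secret-based (legacy) service account token carries the issuer "kubernetes/serviceaccount", while a projected token carries the cluster's issuer URL, which is why validating against "https://kubernetes.default.svc.cluster.local" fails for the legacy token.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.

    Diagnostic only: this shows what the cluster put into the token so the
    Vault auth config can be matched to it. It must not be used to decide
    whether a token is trustworthy; the Kubernetes TokenReview API does that.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def jwt_issuer(token: str):
    """The 'iss' claim, or None if the token has none."""
    return jwt_claims(token).get("iss")


def issuer_matches(token: str, configured_issuer: str) -> bool:
    """True if the token's issuer equals the issuer configured on Vault's
    auth/kubernetes/config; a mismatch explains a 403 on .../login when
    local issuer validation is enabled."""
    return jwt_issuer(token) == configured_issuer


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed sample
    data, not a real cluster token)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


# Issuer as configured in the command quoted in this thread.
CONFIGURED_ISSUER = "https://kubernetes.default.svc.cluster.local"

# Constructed: what a secret-based (legacy) service account token looks like.
LEGACY_TOKEN = make_sample_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "vault-auth",
    "sub": "system:serviceaccount:default:vault-auth",
})

# Constructed: what a projected (bound) service account token looks like.
PROJECTED_TOKEN = make_sample_token({
    "iss": CONFIGURED_ISSUER,
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "sub": "system:serviceaccount:default:vault-auth",
    "exp": 1700003600,
})


def diagnose(token: str, configured_issuer: str) -> str:
    """One-line explanation a practitioner can act on."""
    iss = jwt_issuer(token)
    if iss == configured_issuer:
        return f"issuer {iss!r} matches the configured issuer"
    return (f"token issuer {iss!r} != configured {configured_issuer!r}: "
            "either set issuer= to the token's value or disable local issuer validation")


if __name__ == "__main__":
    for name, tok in (("legacy", LEGACY_TOKEN), ("projected", PROJECTED_TOKEN)):
        print(f"{name}: {diagnose(tok, CONFIGURED_ISSUER)}")
```

On a real cluster, feed the script the token the injector uses (for a secret-based token, the decoded "token" field of the service account's secret) instead of the constructed samples.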

The local issuer validation solution worked. But the error I am facing now is "auth.kubernetes.auth_kubernetes_1dabe3b7: login unauthorized due to: Post "https://xxxxxxxx:6443/apis/authentication.k8s.io/v1/tokenreviews": x509: certificate signed by unknown authority".
What could be the reason for this error? How can I solve this certificate error?

Thank you for the help.

You need to add Kubernetes’s CA certificate to the server making the request.
