403 when using vault.hashicorp.com/agent-revoke-on-shutdown

Hi!
We are trying to revoke a token using the agent-revoke-on-shutdown annotation. When checking the events from the pod, we get a 403 error message when the revoke call is made:
/bin/vault token revoke -address=http://vault-service.vault-namespace:8200 -self.
If we use the token that is found at /home/vault/.vault-token and make a curl request, everything is working as expected. Also, if we set the VAULT_TOKEN env var with the same value, the snippet above also works (/bin/vault token revoke -address=http://vault-service.vault-namespace:8200 -self).
Any idea if there is an issue when using the agent-revoke-on-shutdown annotation?
Thank you!
Best regards!

You should show the exact content of the error message.

Thank you for your response. Here are the logs from the event section of the pod:

Everything else is working from the agent's point of view: retrieving secrets, token renewal and so on.

That is pretty weird, since when VAULT_TOKEN is not set, the Vault CLI should itself be loading the token from /home/vault/.vault-token and using it.

Since you are saying that:

VAULT_TOKEN=$(cat /home/vault/.vault-token) /bin/vault token revoke -address=http://vault-service.vault-namespace:8200 -self

works and

/bin/vault token revoke -address=http://vault-service.vault-namespace:8200 -self

does not, this would seem to suggest that:

  • the vault CLI believes the home directory of the current user is something other than /home/vault
  • or a token helper has been configured in ~/.vault

Hopefully this gives you some ideas to investigate in your environment.
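The two possibilities listed above both come down to where the Vault CLI looks for a token when VAULT_TOKEN is unset. The following script is an added diagnostic, not something posted in this thread or shipped by Vault: it reproduces the CLI's documented lookup order (VAULT_TOKEN, then a token_helper in $HOME/.vault, then $HOME/.vault-token) and compares the HOME the process sees with the passwd entry for the running uid, so a preStop hook can report why a revoke would go out without a token. It assumes POSIX sh and that "$HOME" is the home directory the CLI would use; the file paths and token value in the usage note are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): mirror the Vault CLI's token lookup
# order so an init/preStop hook can report where `vault token revoke -self`
# would take its token from.  Order, per the Vault CLI docs:
#   1. VAULT_TOKEN in the environment
#   2. a token_helper configured in $HOME/.vault
#   3. the file $HOME/.vault-token
# Assumption: "$HOME" is the home directory the CLI will resolve.

# Print the token source for the given home directory (default: $HOME).
# Exit status 1 means no token would be found, so the revoke request would be
# sent without the agent's token and be rejected.
vault_token_source() {
    home="${1:-$HOME}"
    if [ -n "${VAULT_TOKEN:-}" ]; then
        echo "env:VAULT_TOKEN"
        return 0
    fi
    if [ -r "$home/.vault" ] && grep -q '^token_helper' "$home/.vault"; then
        # $HOME/.vault is HCL; pull the helper path out of `token_helper = "..."`.
        helper=$(sed -n 's/^token_helper[[:space:]]*=[[:space:]]*//p' "$home/.vault" | tr -d '"')
        echo "helper:$helper"
        return 0
    fi
    if [ -s "$home/.vault-token" ]; then
        echo "file:$home/.vault-token"
        return 0
    fi
    echo "none"
    return 1
}

# Compare the HOME the hook process sees with the home directory recorded for
# the running uid in the passwd database.  A mismatch is the failure mode found
# in this thread: the token sits under /home/vault but the CLI looks elsewhere.
# Prints "match", "unknown" (no passwd entry) or "mismatch:<HOME>!=<passwd-home>".
vault_home_check() {
    passwd_home=$(getent passwd "$(id -u)" 2>/dev/null | cut -d: -f6)
    if [ -z "$passwd_home" ]; then
        echo "unknown"
        return 0
    fi
    if [ "$passwd_home" = "$HOME" ]; then
        echo "match"
        return 0
    fi
    echo "mismatch:$HOME!=$passwd_home"
    return 1
}

# Run both checks when executed directly with --run; sourcing the file only
# defines the functions.
if [ "${1:-}" = "--run" ]; then
    vault_home_check
    vault_token_source
fi
```

Dropping this into the agent container and running `sh vault-diag.sh --run` from the same hook context as the revoke command shows whether the CLI would find the token at all; a result of `none` together with a `mismatch:` line points straight at the home-directory problem this thread ended on, while `helper:` shows a token helper is being consulted instead of the file.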

Thank you for the hints. I will investigate and hopefully find the fix. :+1:

The issue was related to the home directory, thank you!