Hi!
We are trying to revoke a token using the agent-revoke-on-shutdown annotation. When checking the events from the pod, we get a 403 error message when the revoke call is made:
/bin/vault token revoke -address=http://vault-service.vault-namespace:8200 -self.
If we use the token that is found at /home/vault/.vault-token and make a curl request, everything is working as expected. Also, if we set the VAULT_TOKEN env var with the same value, the snippet above also works (/bin/vault token revoke -address=http://vault-service.vault-namespace:8200 -self).
Any idea if there is an issue when using the agent-revoke-on-shutdown annotation?
Thank you!
Best regards!
You should show the exact content of the error message.
Everything else is working from the agent point of view: retrieving secrets, token renew and so on.
That is pretty weird, since when VAULT_TOKEN is not set, the Vault CLI should itself be loading the token from /home/vault/.vault-token and using it.
Since you are saying that:
VAULT_TOKEN=$(cat /home/vault/.vault-token) /bin/vault token revoke -address=http://vault-service.vault-namespace:8200 -self
works and
/bin/vault token revoke -address=http://vault-service.vault-namespace:8200 -self
does not, this would seem to suggest that:
- the vault CLI believes the home directory of the current user is something other than /home/vault
- or a token helper has been configured in ~/.vault
Hopefully this gives you some ideas to investigate in your environment.
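An added example, not part of the thread above, that mirrors the Vault CLI's documented token lookup order (VAULT_TOKEN first, then a token_helper configured in $HOME/.vault, else $HOME/.vault-token) so the two hypotheses in the previous reply can be checked in a shell. The function takes the home directory as an argument, defaulting to $HOME, because that is the variable under suspicion; the token values and paths in the comments are constructed for illustration.

```shell
#!/bin/sh
# resolve_vault_token [home_dir]
# Prints the token the Vault CLI would send for the given home directory,
# following the CLI's documented precedence:
#   1. VAULT_TOKEN environment variable
#   2. a custom token_helper set in $HOME/.vault (external program; not run here)
#   3. the default helper's file $HOME/.vault-token
# Returns 0 with a token on stdout, 2 if a custom helper is configured,
# 1 (with the reason on stderr) when the CLI would send no token at all,
# which is exactly the situation that yields a 403 on `token revoke -self`.
resolve_vault_token() {
    home=${1:-$HOME}

    if [ -n "$VAULT_TOKEN" ]; then
        printf '%s\n' "$VAULT_TOKEN"
        return 0
    fi

    if [ -f "$home/.vault" ] && grep -q '^[[:space:]]*token_helper' "$home/.vault"; then
        echo "custom token_helper configured in $home/.vault; CLI would call it" >&2
        return 2
    fi

    if [ -f "$home/.vault-token" ]; then
        # the sink file may have no trailing newline, so use cat rather than read
        cat "$home/.vault-token"
        echo
        return 0
    fi

    echo "no token: VAULT_TOKEN unset and $home/.vault-token not found" >&2
    return 1
}

# Which source the CLI would use, as a single word, for quick diagnosis.
vault_token_source() {
    home=${1:-$HOME}
    if [ -n "$VAULT_TOKEN" ]; then
        echo env
    elif [ -f "$home/.vault" ] && grep -q '^[[:space:]]*token_helper' "$home/.vault"; then
        echo helper
    elif [ -f "$home/.vault-token" ]; then
        echo file
    else
        echo none
    fi
}
```

Inside the pod the same check is just `echo "$HOME"; ls -la "$HOME/.vault-token" "$HOME/.vault"` run in the agent sidecar (assumed here to be the container named vault-agent); if HOME is anything other than the directory the injector writes the sink file to, the source resolves to "none" and the revoke call goes out unauthenticated.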
Thank you for the hints. I will investigate and hopefully find the fix.
The issue was related to the home directory, thank you!