Could someone help with Kubernetes Auth / HCP Vault

Hi folks, I’m wondering if I can get some help with setting Kubernetes Auth from EKS to HCP Vault? I keep getting {"errors":["permission denied"]} and I feel like I’ve tried just about everything. Any help would be appreciated!

The sources I’m following are below. I’ve set up service accounts and run both commands below. At this point I’m really not sure what it could be. Do spaces/new lines affect the cert? Any help would be appreciated!

vault write auth/kubernetes/config token_reviewer_jwt=@token_reviewer_jwt.txt kubernetes_host=@host.txt kubernetes_ca_cert=@ca.crt disable_iss_validation="true" issuer=@issuer.txt

vault write auth/kubernetes/config token_reviewer_jwt=@token_reviewer_jwt.txt kubernetes_host=@host.txt kubernetes_ca_cert=@ca.crt

Main guide: Kubernetes auth method : Permission Denied error – HashiCorp Help Center

Other guides:

Are you aware that each of those commands is redundant with the other? Both of them overwrite the current configuration, so whichever is run last, sticks.

This looks wrong. It would be very easy to accidentally include a newline on the end of your hostname, and thereby break the communication between Vault and the Kubernetes API server, setting it that way.

Newlines are expected in a certificate, and I guess they might be tolerated at the end of a JWT (maybe), but there definitely shouldn’t be a newline at the end of a hostname.
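A small pre-flight script for the three @file inputs, added here as an example (it is not from the thread, HashiCorp or the original poster). It assumes the file names from the post (host.txt, ca.crt, token_reviewer_jwt.txt) and only checks shape: a hostname with no newline or whitespace, a PEM block with its markers, and a three-segment JWT.

```shell
# Pre-flight checks for the three files that `vault write auth/kubernetes/config`
# reads via @file. Added for this thread; not HashiCorp's or the poster's code.
# `@file` is read byte for byte: a trailing newline in host.txt becomes part of
# the kubernetes_host value, whereas a PEM certificate must contain newlines.
# Each check returns 0 when the file is acceptable, 1 (plus a message) otherwise.

# kubernetes_host must be one bare https:// URL: no newline, no spaces or tabs.
check_host_file() {
  f=$1
  if [ "$(wc -l < "$f" | tr -d ' ')" -ne 0 ]; then
    echo "$f: contains a newline that would end up inside kubernetes_host" >&2
    return 1
  fi
  if grep -q '[[:space:]]' "$f"; then
    echo "$f: contains whitespace" >&2
    return 1
  fi
  grep -q '^https://' "$f" || { echo "$f: not an https:// URL" >&2; return 1; }
}

# kubernetes_ca_cert is PEM, so newlines belong there; only the markers are
# checked (openssl x509 -in ca.crt -noout would go further, where available).
check_ca_file() {
  f=$1
  head -n1 "$f" | grep -q '^-----BEGIN CERTIFICATE-----$' \
    || { echo "$f: first line is not a BEGIN CERTIFICATE marker" >&2; return 1; }
  grep -v '^[[:space:]]*$' "$f" | tail -n1 | grep -q '^-----END CERTIFICATE-----$' \
    || { echo "$f: last line is not an END CERTIFICATE marker" >&2; return 1; }
}

# token_reviewer_jwt is header.payload.signature. $(cat) drops trailing
# newlines; any whitespace left inside the token is an error.
check_jwt_file() {
  f=$1
  tok=$(cat "$f")
  case "$tok" in
    *[[:space:]]*) echo "$f: whitespace inside the token" >&2; return 1 ;;
  esac
  dots=$(printf '%s' "$tok" | tr -cd '.' | wc -c | tr -d ' ')
  [ "$dots" -eq 2 ] || { echo "$f: expected three dot-separated segments" >&2; return 1; }
}

# Check the file names from the original post in one go; only run the
# `vault write auth/kubernetes/config ...` command when this returns 0.
preflight() {
  dir=${1:-.}
  check_host_file "$dir/host.txt" && check_ca_file "$dir/ca.crt" \
    && check_jwt_file "$dir/token_reviewer_jwt.txt"
}
```

Run `preflight .` from the directory holding the files; a non-zero exit names the file that would have been written with stray bytes.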

@maxb , thanks for the reply. Ya, what I meant was that I tried it with and without disable_iss_validation="true" issuer=@issuer.txt and it didn’t work.

For the hostname, I double checked and tried it as a normal string and also didn’t work.

I’m out of ideas, then, short of turning the Vault log level up to TRACE, and seeing if anything useful is logged during authentication attempts.

Silly question, how do you view server logs in HCP Vault?

I’m not sure… I’ve always worked with self-hosted Vault.

No problem, maybe someone else knows. Thanks for your help.