Creation of dynamic secrets in a different namespace than the vault secrets operator

I’m currently faced with an issue with vaultAuthRef. I created the Vault Secrets Operator in namespaceA and I want to create my VaultDynamicSecret resource in namespaceB. The installation of the Vault Secrets Operator is done fine and complete. However, when I try to install the VaultDynamicSecret in a different namespace other than that of the Vault Secrets Operator, the vaultAuthRef field doesn’t seem to find the vaultAuth resource. It seems to be looking for it in the same namespace as the VaultDynamicSecret. When I prefix it with the namespace, it now reads the namespace as a service account and now throws an error that it can’t find the service account.
This is how I install the VSO:
helm upgrade --install --namespace external-secret vault-secrets-operator --values values.yaml hashicorp/vault-secrets-operator --version 0.3.1

kind: VaultDynamicSecret
metadata:
  name: "vault-dynamic-secret-example"
  namespace: "my-test"
spec:
  namespace: "vault/namespace/"
  vaultAuthRef: external-secret/default
  mount: "aws"
  path: "creds/aws-role-here"
  destination:
    name: "my-test-secret"
    create: true

Kindly help me figure this out.

Hi @dvdmkbyl,

Sorry to hear that you are having an issue with the Operator, and thanks for bringing it to our attention.

VSO is looking for the serviceAccount in the same namespace as your VaultDynamicSecret. If it does not exist, it will fail to authenticate to Vault. If you create the serviceAccount in the same namespace as your VaultDynamicSecret, VSO will attempt to authenticate using it.

Please let us know if that helps.
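
The per-namespace setup described in the reply above, as an added example that is not part of the reply or of the VSO project: a POSIX shell script that renders a ServiceAccount and a VaultAuth for each namespace holding a VaultDynamicSecret. The role name `vso-role`, the ServiceAccount name `vso-auth`, the `kubernetes` auth mount and the `v1alpha1` apiVersion are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names (not from the thread): vso-role, vso-auth,
# auth mount "kubernetes", CRD apiVersion secrets.hashicorp.com/v1alpha1.

# Accept only RFC 1123 labels so a crafted name cannot alter the YAML.
is_dns_label() {
  [ "${#1}" -le 63 ] || return 1
  case "$1" in
    ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
}

# Print a ServiceAccount and a VaultAuth for one Kubernetes namespace.
# Usage: render_vso_auth <k8s-namespace> [vault-role] [service-account]
render_vso_auth() (
  ns="$1"; role="${2:-vso-role}"; sa="${3:-vso-auth}"
  is_dns_label "$ns" && is_dns_label "$sa" || { echo "bad name: $ns/$sa" >&2; exit 1; }
  case "$role" in
    ''|*[!A-Za-z0-9_-]*) echo "bad role: $role" >&2; exit 1 ;;
  esac
  cat <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: secrets.hashicorp.com/v1alpha1
kind: VaultAuth
metadata:
  name: default            # referenced as "vaultAuthRef: default"
  namespace: ${ns}
spec:
  namespace: "vault/namespace/"   # Vault namespace, as in the question
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ${role}
    serviceAccount: ${sa}
EOF
)

# Render for every namespace given; stop at the first invalid name.
render_all() (
  for ns in "$@"; do render_vso_auth "$ns" || exit 1; done
)

# Stand-alone: sh render.sh my-test team-b | kubectl apply -f -
[ "$#" -eq 0 ] || render_all "$@"
```

The Vault role named here still has to list each ServiceAccount name and namespace in its `bound_service_account_names` and `bound_service_account_namespaces`.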



That doesn’t sound ideal. So if I have 50 namespaces, I’ll have to have 50 service accounts that authenticate to Vault.
Is there another way?