I couldn’t find a public repo for the Vault tutorial docs, so I’m filing here.
In step 2.3 of the Recommended Pattern for Vault ACL Policy Path Templates, the instructions call for creating a policy named kubernetes-kv-read. This should be $CLUSTER_NAME-kv-read, as this is the policy name subsequent steps expect:
vault write auth/$CLUSTER_NAME/role/$APP_NAMESPACE-$APP_NAME \
bound_service_account_names=$APP_NAME \
bound_service_account_namespaces=$APP_NAMESPACE \
policies=$CLUSTER_NAME-kv-read \
period=120s
($CLUSTER_NAME is set to minikube in a prior step, so this role never attaches a policy and the demo results in permissions errors.)
Thanks!