I couldn’t find a public repo for the Vault tutorial docs, so I’m filing here.
In step 2.3 of the Recommended Pattern for Vault ACL Policy Path Templates, the instructions call for creating a policy named `kubernetes-kv-read`. This should be `$CLUSTER_NAME-kv-read`, as this is the policy name subsequent steps expect:
```shell
vault write auth/$CLUSTER_NAME/role/$APP_NAMESPACE-$APP_NAME \
    bound_service_account_names=$APP_NAME \
    bound_service_account_namespaces=$APP_NAMESPACE \
    policies=$CLUSTER_NAME-kv-read \
    period=120s
```
(`$CLUSTER_NAME` is set to `minikube` in a prior step, so this role never attaches a policy and the demo results in permissions errors.)