Dynamically Create ClusterRoleBindings for Short-lived Vault-Generated Service Accounts in Kubernetes

Hello everyone,

I’m currently working on integrating HashiCorp Vault with Kubernetes and have encountered a specific challenge regarding dynamically created service accounts. My Terraform setup configures Vault to generate short-lived service accounts and roles in Kubernetes. However, these service accounts are dynamically named (e.g., v-token-bo-my-role-1701471544-miqocgyiwd0omw7apwcsvjko) and change with each creation.
Current Setup:

  • Terraform scripts for Vault mounts, generic secrets, and a Kubernetes secret backend role.
  • Vault is configured to create an entire Kubernetes object chain, including roles, tokens, service accounts, and role bindings.

When creating the role in Vault’s Kubernetes engine, there are three options:

  1. Generate token only using existing service account
  2. Generate token, service account, and role binding objects
  3. Generate entire Kubernetes object chain

I’m using the “Generate entire Kubernetes object chain” option. Does this only create the ClusterRole and not the ClusterRoleBinding? I’ve specified the generated role rules as follows:

"rules": [
  {
    "apiGroups": [""],
    "resources": ["pods"],
    "verbs": ["list", "get", "create"]
  }
]

However, after creating the token I am only able to list resources in the default namespace. I checked the ClusterRole that Vault creates, but there is no ClusterRoleBinding to bind it to this dynamic service account.
It seems like the ClusterRoleBinding is not being created automatically.
When I try to list pods in the vault namespace, e.g.:

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:v-token-bo-my-role-1701472825-zow5wi03awth61pmddexfxnh" cannot list resource "pods" in API group "" in the namespace "vault"

If I use a pre-generated service account to create short-lived tokens, everything works as expected.

My question is:
How can I ensure that ClusterRoleBindings are dynamically created for these short-lived, Vault-generated service accounts?
PS: I use Boundary to retrieve tokens to authenticate to the cluster.

Thank you in advance for your help!
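The following is an added example, not code from the post above or from HashiCorp. It shows the Vault CLI flow for the scenario described: a Vault role of type ClusterRole with the post's pod rules, a credentials request that asks Vault for a ClusterRoleBinding (the `cluster_role_binding` parameter of the creds endpoint, documented in the Vault Kubernetes secrets engine API; it defaults to false, in which case the generated ClusterRole is bound with a RoleBinding scoped to the requested namespace only), and a check from a second namespace. Everything named here is an assumption the post does not make: the mount path `kubernetes`, the role `my-role`, the namespaces `default` and `vault`, and the use of `jq`. Only `apply` mode talks to Vault and a cluster; the helper functions run offline.

```shell
#!/bin/sh
# Added example, not code from the post above: issue a Vault-generated service
# account whose ClusterRole is bound cluster-wide, then prove it from another
# namespace. Assumptions (the post names none of these): the secrets engine is
# mounted at "kubernetes", the Vault role is "my-role", the service account is
# created in "default" and checked against "vault". "apply" mode needs the
# vault and kubectl CLIs plus jq; everything else runs without a cluster.
set -eu

MOUNT="${MOUNT:-kubernetes}"
ROLE="${ROLE:-my-role}"
TARGET_NS="${TARGET_NS:-default}"   # namespace the ServiceAccount lands in
CHECK_NS="${CHECK_NS:-vault}"       # a different namespace, to prove cluster scope

# The rules from the post, in the JSON shape generated_role_rules accepts.
RULES='{"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["list","get","create"]}]}'

# Flags for the creds request. cluster_role_binding=true is the piece a plain
# request lacks: per the Vault docs it defaults to false, and then the generated
# ClusterRole is bound with a RoleBinding scoped to kubernetes_namespace only.
creds_flags() {
  printf 'kubernetes_namespace=%s cluster_role_binding=true ttl=10m' "$TARGET_NS"
}

# Role definition. kubernetes_role_type=ClusterRole is required before
# cluster_role_binding=true is accepted at creds time.
apply_role() {
  vault write "$MOUNT/roles/$ROLE" \
    allowed_kubernetes_namespaces='*' \
    kubernetes_role_type=ClusterRole \
    generated_role_rules="$RULES" \
    token_default_ttl=10m \
    token_max_ttl=1h
}

issue_creds() {
  # creds_flags emits no values containing whitespace, so word splitting is safe
  vault write -format=json "$MOUNT/creds/$ROLE" $(creds_flags)
}

# Pull the system:serviceaccount:<ns>:<name> subject out of a kubectl Forbidden
# message, to see which account (and namespace) a token actually maps to.
sa_from_forbidden() {
  sed -n 's/.*User "\(system:serviceaccount:[^"]*\)".*/\1/p'
}

verify_access() {
  creds="$(issue_creds)"
  token="$(printf '%s' "$creds" | jq -r '.data.service_account_token')"
  sa="$(printf '%s' "$creds" | jq -r '.data.service_account_name')"
  ns="$(printf '%s' "$creds" | jq -r '.data.service_account_namespace')"
  echo "issued: system:serviceaccount:$ns:$sa"

  # Find the binding by subject rather than by name, so the generated name
  # template does not matter.
  echo "ClusterRoleBindings naming this service account as a subject:"
  kubectl get clusterrolebinding -o json | jq -r --arg sa "$sa" --arg ns "$ns" \
    '.items[] | select(any(.subjects[]?; .kind=="ServiceAccount" and .name==$sa and .namespace==$ns)) | .metadata.name'

  # The check that failed in the post: listing pods outside the SA's namespace.
  # kubectl exits non-zero on "no", which fails the script under set -e.
  kubectl --token="$token" auth can-i list pods -n "$CHECK_NS"
}

if [ "${1:-}" = "apply" ]; then
  apply_role
  verify_access
fi
```

Run it as `sh issue-cluster-sa.sh apply` with `VAULT_ADDR`/`VAULT_TOKEN` and a kubeconfig set (file name assumed). The Forbidden message quoted in the post is consistent with the default behaviour: the account exists in `default` and is bound there, not cluster-wide. If the role is managed with the Terraform Vault provider, the `kubernetes_role_type` argument of `vault_kubernetes_secret_backend_role` is the equivalent of the CLI flag, but `cluster_role_binding` is a per-request parameter, so whichever client fetches the credentials (the CLI here, Boundary's Vault credential library in the post) has to send it with each creds request.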

Does anyone have any idea on this?

Hi @lucardcoder ,

If you take Terraform out of the mix for the moment, does it work with just Vault + Kubernetes? Curious if something is missing from TF, or maybe your Vault service account in Kubernetes does not have sufficient permission (see the second example under Setup):

This tutorial can walk through the manual steps: