'errors': ['claim "iss" is invalid']

When authenticating a service account against Vault in kind cluster v0.11.0, I get the error 'claim "iss" is invalid' because the kubernetes auth method needs to be configured with an issuer:

vault write auth/kubernetes/config issuer="https://kubernetes.default.svc.cluster.local" kubernetes_host="https://kubernetes.default.svc:443"

as mentioned in Retrieve HashiCorp Vault Secrets with Kubernetes CSI.

However, when using the issuer configuration on kind v0.10.0 I also get this error. Is there a way to configure the kubernetes auth method that will satisfy both versions of kind? Thanks


I’m afraid not. If the different versions are configured with different --service-account-issuer values for kube-apiserver, then you need to set different issuers for the kubernetes auth mounts. I haven’t tested this, but you might be able to override the default --service-account-issuer flag value using a kind config file:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
        extraArgs:
          service-account-issuer: https://kubernetes.default.svc.cluster.local

See kind docs for more details on that.

Of course your other alternative would be to use multiple kubernetes auth mounts, one for each cluster.
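
To find out which issuer a given cluster actually puts in its service-account tokens before setting `issuer` on a mount, the following added example (not code from the thread's participants) decodes a token's `iss` claim without verifying the signature and compares it with the configured value. The function names, the unsigned sample tokens and the `kubernetes/serviceaccount` issuer string are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_issuer(token: str) -> str:
    """Return the unverified "iss" claim of a JWT (diagnostic use only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(claims, dict) or not isinstance(claims.get("iss"), str):
        raise ValueError('token has no string "iss" claim')
    return claims["iss"]


def check_issuer(token: str, configured_issuer: str) -> tuple[bool, str]:
    """Compare the token's issuer with the auth mount's issuer (exact match)."""
    actual = token_issuer(token)
    if actual == configured_issuer:
        return True, f'ok: token "iss" matches {configured_issuer!r}'
    return False, f'mismatch: token "iss" is {actual!r}, mount expects {configured_issuer!r}'


def make_sample_token(issuer: str) -> str:
    """Build an unsigned, constructed token carrying only the claims needed here."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"iss": issuer, "sub": "system:serviceaccount:default:app"}
    return ".".join([enc({"alg": "RS256"}), enc(payload), "sig"])


if __name__ == "__main__":
    configured = "https://kubernetes.default.svc.cluster.local"
    # Constructed sample issuers: one matching the mount, one that does not.
    for iss in (configured, "kubernetes/serviceaccount"):
        print(check_issuer(make_sample_token(iss), configured)[1])
```

Run it against the token a pod in each cluster presents to Vault; if the two clusters report different issuers, each needs its own auth mount or a matching `service-account-issuer` setting.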