'errors': ['claim "iss" is invalid']

When authenticating a service-account against Vault in kind cluster v0.11.0 I get error ‘claim “iss” is invalid’ because kubernetes auth method needs to be configured with issuer:
vault write auth/kubernetes/config issuer=“https://kubernetes.default.svc.cluster.local” kubernetes_host=“https://kubernetes.default.svc:443” as mentioned in Retrieve HashiCorp Vault Secrets with Kubernetes CSI

however when using the issuer configuration on kind v0.10.0 I also get this error. is there a way to configure kubernetes auth method that will satisfy both version of kind? Thanks

1 Like

I’m afraid not. If the different versions are configured with different --service-account-issuer values for kube-apiserver, then you need to set different issuers for the kubernetes auth mounts. I haven’t tested this, but you might be able to override the default --service-account-issuer flag value using a kind config file:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
- role: control-plane
  - |
    kind: ClusterConfiguration
          service-account-issuer: https://kubernetes.default.svc.cluster.local

See kind docs for more details on that.

Of course your other alternative would be to use multiple kubernetes auth mounts, one for each cluster.