External Vault unauthorized - Pod's service account

jlsan92 · June 25, 2021, 12:29pm

Hi, quick question. When creating a Kubernetes auth role, and then trying to use the sidecar, I get a 403, and this error message in the Vault cluster

User \"system:serviceaccount:my-namespace:my-app\" cannot create resource \"tokenreviews\"

Of course, once I create the role binding (system:auth-delegator) into this SA, everything starts to work, but I’m curious bc nowhere in the documentation says that you need to add this permission to each deployment you inject the sidecar into.

I thought the system:auth-delegator role was only required once (for the Kubernetes Auth config). Any clues why I also need to add this binding to each of my services?

My K8s cluster is v1.18.18, Vault cluster (external) v1.7.0

Thanks in advance.

tomhjp · June 29, 2021, 10:17am

Hi, good question! It looks to me like you might be encountering the default behaviour of the token_reviewer_jwt parameter for configuring the k8s auth mount, in particular:

If not set, the JWT submitted in the login payload will be used to access the Kubernetes TokenReview API.

If you’ve used vault-helm for installation, the Vault server’s own service account is assigned system:auth-delegator so that you can pass its own JWT for this parameter. Otherwise, you can set up your own service account and use that service account’s JWT when configuring the k8s auth mount. Hopefully that should avoid the need to assign that role more than once!

Topic		Replies	Views
Kubernetes 1.22/Vault 1.11.2 auth permission denied Vault k8s	1	371	November 21, 2022
Question about Kubernetes Auth Method Vault k8s , vault	0	357	April 8, 2021
K8s auth backend security/deployment best practices Vault	0	296	October 28, 2020
Vault grant manually k8s jwt token once it is no longer valid Vault	2	1556	August 8, 2020
External Vault Kubernetes Auth Vault k8s	17	1264	June 21, 2023

External Vault unauthorized - Pod's service account

Related topics