External Vault unauthorized - Pod's service account

Hi, quick question. When creating a Kubernetes auth role, and then trying to use the sidecar, I get a 403, and this error message in the Vault cluster

User \"system:serviceaccount:my-namespace:my-app\" cannot create resource \"tokenreviews\"

Of course, once I create the role binding (system:auth-delegator) into this SA, everything starts to work, but I’m curious bc nowhere in the documentation does it say that you need to add this permission to each deployment you inject the sidecar into.

I thought the system:auth-delegator role was only required once (for the Kubernetes Auth config). Any clues why I also need to add this binding to each of my services?

My K8s cluster is v1.18.18, Vault cluster (external) v1.7.0

Thanks in advance.

Hi, good question! It looks to me like you might be encountering the default behaviour of the token_reviewer_jwt parameter for configuring the k8s auth mount, in particular:

If not set, the JWT submitted in the login payload will be used to access the Kubernetes TokenReview API.

If you’ve used vault-helm for installation, the Vault server’s own service account is assigned system:auth-delegator so that you can pass its own JWT for this parameter. Otherwise, you can set up your own service account and use that service account’s JWT when configuring the k8s auth mount. Hopefully that should avoid the need to assign that role more than once!
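As an added illustration of that second option (constructed here, not code from the thread or from Vault/vault-helm), a script that creates one dedicated reviewer service account bound once to system:auth-delegator and hands its JWT to the k8s auth mount as token_reviewer_jwt. The namespace and SA names, using the kubeconfig server URL as kubernetes_host, and a pre-1.24 cluster that still auto-creates a token Secret per service account are assumptions.

```shell
# Constructed example: one dedicated token-reviewer SA for an external Vault,
# so system:auth-delegator is bound exactly once instead of per workload.
# Assumes: kubectl points at the cluster, VAULT_ADDR/VAULT_TOKEN are set, and a
# K8s version (e.g. 1.18) that auto-creates a token Secret for each SA.
REVIEWER_NS="${REVIEWER_NS:-vault}"
REVIEWER_SA="${REVIEWER_SA:-vault-token-reviewer}"

# Emit the RBAC manifest: the SA plus a single ClusterRoleBinding to
# system:auth-delegator (the role that allows creating TokenReviews).
reviewer_rbac_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${REVIEWER_SA}
  namespace: ${REVIEWER_NS}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${REVIEWER_SA}-auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: ${REVIEWER_SA}
  namespace: ${REVIEWER_NS}
EOF
}

# Apply the RBAC, read the reviewer SA's JWT and the cluster CA, and point the
# Vault k8s auth mount at them. With token_reviewer_jwt set, workload JWTs are
# only used to log in, never to call the TokenReview API themselves.
configure_vault_k8s_auth() {
  reviewer_rbac_manifest | kubectl apply -f -
  secret=$(kubectl -n "$REVIEWER_NS" get sa "$REVIEWER_SA" -o jsonpath='{.secrets[0].name}')
  reviewer_jwt=$(kubectl -n "$REVIEWER_NS" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d)
  kubectl -n "$REVIEWER_NS" get secret "$secret" -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/k8s-ca.crt
  # Assumption: the API server URL in the kubeconfig is reachable from Vault.
  k8s_host=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  vault write auth/kubernetes/config \
    token_reviewer_jwt="$reviewer_jwt" \
    kubernetes_host="$k8s_host" \
    kubernetes_ca_cert=@/tmp/k8s-ca.crt
}

# Only touch the cluster when invoked with "apply"; otherwise print the manifest.
case "${1:-}" in
  apply) configure_vault_k8s_auth ;;
  *) reviewer_rbac_manifest ;;
esac
```

Run it once with `apply` against the cluster; after that, injected workloads need no system:auth-delegator binding of their own.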