Warning VaultClientConfigError 6m40s (x18 over 17m) VaultStaticSecret Failed to get Vault auth login: Error making API request.
URL: PUT https://keycloak2.intra.douban.com:8200/v1/auth/borin/login
Code: 403. Errors:
I’m trying to troubleshoot this but it’s hard.
I’d like to start with the k8s auth method, checking if I can pass the authentication using
vault write -address=https://my-vault:8200 auth/borin/login role=borin-vso jwt=xxx
# it returns :
Error writing data to auth/borin/login: Error making API request.
URL: PUT https://my-vault:8200/v1/auth/borin/login
Code: 403. Errors:
* permission denied
Troubleshooting is hard. For some extra “hints”, enable the Vault audit logs. While they are still cryptic - most values are HMAC encoded - at least you will see some of the transactions:
Using file and stdout since they are running in containers, they will end up wherever your k8s logs go.
You can also increase the vault log level in config - some errors end up in the system logs.
Additionally, since vault is looping back to the k8s API to validate the JWT, there should be some errors in Kubernetes - though that’s not my expertise.
In the end, the understanding of what is going on is key.
Since you are not following the demo to the letter (I see your auth path is borin), it may help to show how you set up the endpoint, link and role. What is your version of this: