Kubernetes auth method failing on EKS: 'service account unauthorized'


We’ve been running Vault with EKS clusters for a while now without issue, but we’re suddenly seeing that new/rebuilt clusters are unable to authenticate - Vault is reporting this error:

[ERROR] auth.kubernetes.auth_kubernetes_da4f474b: login unauthorized due to: lookup failed: service account unauthorized; this could mean it has been deleted or recreated with a new token

We’re also seeing this error in the EKS authenticator logs each time the vault-init container runs:

time="2021-02-19T10:51:15Z" level=warning msg="access denied" client="" error="input token was not properly formatted: token is missing expected \"k8s-aws-v1.\" prefix" method=POST path=/authenticate

Has anyone seen this before? Can post more configs if required (but they’re the same as for our other auth backends that are working without issue, so I’m a bit confused).



We are hitting this on our K8s cluster running on EKS. Any solution found for this issue? Is it an AWS EKS issue or a Vault issue?