Kubernetes Auth permission denied

Hi Team,

I am using Vault Open Source version 1.9.2, which is deployed on our GKE cluster (Kubernetes) using Helm charts. For CD I am using ArgoCD.

I have enabled the auth method "Kubernetes" using the commands below:

kubernetesHost - https://:443

vault auth enable kubernetes

vault write auth/kubernetes/config \
  token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

Issue:

The issue is that whenever the Vault pods get restarted, I see the errors below in the Vault pod logs.

Error making API request
URL: PUT http://argoapp-vault.vault.svc:8200/v1/auth/kubernetes/login
Code: 403. Errors:
 * permission denied
backoff=4m52.44s

Am I missing anything here?

This is normal - modern Kubernetes service account tokens are not valid forever.

If you are running Vault within the same Kubernetes cluster as the clients that are authenticating, you should not set a token_reviewer_jwt manually - instead allow Vault to read it from the changing files provided by Kubernetes itself.
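As an added illustration of the reply (not code from the thread or from Vault itself): the first two functions decode the "exp" claim of a service account JWT, which shows why a token_reviewer_jwt captured once with cat stops working after the kubelet rotates it; the last function writes the config the reply recommends, with token_reviewer_jwt omitted so Vault re-reads its own projected token file on every TokenReview. It assumes GNU coreutils (base64 -d) and the KUBERNETES_PORT_443_TCP_ADDR variable from the original command.

```shell
#!/bin/sh
# Added example, not from the original thread.

# Base64url-decode one JWT segment: restore padding, swap URL-safe chars.
b64url_decode() {
  seg=$1
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | tr '_-' '/+' | base64 -d
}

# Print the numeric "exp" claim of a JWT. Prints nothing for tokens
# without one (legacy, never-expiring service account secrets).
jwt_exp() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n 's/.*"exp":[[:space:]]*\([0-9]*\).*/\1/p'
}

# Return 0 if the token is expired at Unix time $2 (default: now).
# A statically configured reviewer JWT that is expired is exactly what
# produces the 403 "permission denied" on auth/kubernetes/login.
jwt_expired_at() {
  exp=$(jwt_exp "$1")
  now=${2:-$(date +%s)}
  [ -n "$exp" ] && [ "$exp" -le "$now" ]
}

# Recommended config when Vault runs in-cluster: no token_reviewer_jwt.
# Vault then reads /var/run/secrets/kubernetes.io/serviceaccount/token
# from disk each time, so kubelet rotation is picked up automatically.
configure_kubernetes_auth() {
  vault write auth/kubernetes/config \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
}
```

Run jwt_expired_at against the token Vault currently has configured (or against the file on disk) to confirm the expiry before changing the config.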