Hi,
I am trying to configure Kubernetes auth to our vault cluster. As this has to be possible from various Kubernetes Clusters (thus external vault cluster), I decided to go with OIDC auth, but am getting the following error:
│ vault-agent-init 2022-06-16T18:15:29.578Z [INFO] auth.handler: authenticating │
│ vault-agent-init 2022-06-16T18:15:29.578Z [ERROR] auth.jwt: error removing jwt file: error="remove /var/run/secrets/kubernetes.io/serviceaccount/token: read-only file system" │
│ vault-agent-init 2022-06-16T18:15:29.585Z [ERROR] auth.handler: error authenticating: │
│ vault-agent-init error= │
│ vault-agent-init | Error making API request. │
│ vault-agent-init | │
│ vault-agent-init | URL: PUT https://<VAULT_URL>/v1/auth/<PATH>/login │
│ vault-agent-init | Code: 400. Errors: │
│ vault-agent-init | │
│ vault-agent-init | * error validating token: invalid audience (aud) claim: audience claim does not match any expected audience │
│ vault-agent-init backoff=6.48s
According to the docs, my understanding is that bound_audience should match the oidc_discovery_url (aka “ISSUER” in the docs) for an external vault cluster. I have no idea why this is not working.
This is my current configuration:
jwt auth backend (terraform):
resource "vault_jwt_auth_backend" "oidc_auth_backend" {
  description        = "${var.mount_path} vault OIDC auth backend"
  path               = var.mount_path
  type               = "jwt"
  oidc_discovery_url = var.oidc_discovery_url
  default_role       = "${var.mount_path}-role"
}

resource "vault_jwt_auth_backend_role" "oidc_auth_backend_role" {
  backend         = vault_jwt_auth_backend.oidc_auth_backend.path
  role_name       = "${var.mount_path}-role"
  bound_audiences = [var.oidc_discovery_url]
  role_type       = "jwt"
  user_claim      = "sub"
  bound_subject   = "system:serviceaccount:${var.serviceaccount_namespace}:${var.serviceaccount_name}"
  token_policies  = var.token_policies
  token_ttl       = 3600
  allowed_redirect_uris = [
    "${var.vault_address}/ui/vault/auth/${var.mount_path}/oidc/callback",
    "http://localhost:8250/oidc/callback"
  ]
}
testpod (kubernetes manifest yaml):
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: <namespace>
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/auth-type: "jwt"
    vault.hashicorp.com/auth-config-path: "/var/run/secrets/kubernetes.io/serviceaccount/token"
    vault.hashicorp.com/auth-path: "auth/<mount_path>"
    vault.hashicorp.com/auth-config-role: "<auth_role>"
    vault.hashicorp.com/agent-inject-secret-<file>: "<secret_path>/cert/<cert_serial>/raw/pem"
spec:
  serviceAccountName: <serviceaccountname>
  containers:
  - name: nginx
    image: nginx:1.14.2
Any help would be greatly appreciated!
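Added example, not part of the original post: Vault's JWT role compares bound_audiences against the token's aud claim and bound_subject against its sub claim, so the script below decodes a constructed service-account-style token (payload only, no signature verification) and applies those two checks, reproducing the "invalid audience" error when the role is bound to the issuer URL instead of the token's real audience. The issuer, audience and subject values are made up for the demonstration.

```python
import base64
import json

# Constructed sample claims of a projected Kubernetes service-account token.
# The "aud" here is the API-server audience, not the OIDC issuer URL.
SAMPLE_CLAIMS = {
    "iss": "https://oidc.example-cluster.invalid",   # what oidc_discovery_url points at
    "aud": ["https://kubernetes.default.svc"],       # audience the kubelet put in the token
    "sub": "system:serviceaccount:apps:vault-client",
    "exp": 1700000000,
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned JWT for the demo (a real SA token is signed by the cluster)."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    """Decode only the payload segment; the signature is NOT checked (debugging aid)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_role(claims: dict, bound_audiences: list, bound_subject: str) -> list:
    """Mirror the two Vault JWT-role checks; return a list of failure messages.
    The aud message is quoted from the error log above, the sub message is modelled."""
    errors = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):                       # aud may be a string or a list
        aud = [aud]
    if not set(aud) & set(bound_audiences):
        errors.append("invalid audience (aud) claim: audience claim does not match any expected audience")
    if bound_subject and claims.get("sub") != bound_subject:
        errors.append("invalid subject (sub) claim")
    return errors

if __name__ == "__main__":
    claims = decode_claims(make_unsigned_jwt(SAMPLE_CLAIMS))
    print("iss:", claims["iss"], "aud:", claims["aud"], "sub:", claims["sub"])
    # Role as posted: bound_audiences = [oidc_discovery_url] -> audience mismatch
    print(check_role(claims, [SAMPLE_CLAIMS["iss"]], SAMPLE_CLAIMS["sub"]))
    # Role bound to the audience actually present in the token -> no errors
    print(check_role(claims, ["https://kubernetes.default.svc"], SAMPLE_CLAIMS["sub"]))
```

Running decode_claims on the contents of /var/run/secrets/kubernetes.io/serviceaccount/token from inside the pod shows the aud value that bound_audiences has to contain.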