Kubernetes OIDC auth fails: audience claim does not match any expected audience

Hi,

I am trying to configure Kubernetes auth to our Vault cluster. As this has to be possible from various Kubernetes clusters (thus an external Vault cluster), I decided to go with OIDC auth, but I am getting the following error:

vault-agent-init 2022-06-16T18:15:29.578Z [INFO]  auth.handler: authenticating
vault-agent-init 2022-06-16T18:15:29.578Z [ERROR] auth.jwt: error removing jwt file: error="remove /var/run/secrets/kubernetes.io/serviceaccount/token: read-only file system"
vault-agent-init 2022-06-16T18:15:29.585Z [ERROR] auth.handler: error authenticating:
vault-agent-init   error=
vault-agent-init   | Error making API request.
vault-agent-init   |
vault-agent-init   | URL: PUT https://<VAULT_URL>/v1/auth/<PATH>/login
vault-agent-init   | Code: 400. Errors:
vault-agent-init   |
vault-agent-init   | * error validating token: invalid audience (aud) claim: audience claim does not match any expected audience
vault-agent-init    backoff=6.48s

According to the docs, my understanding is that bound_audience should match the oidc_discovery_url (aka "ISSUER" in the docs) for an external Vault cluster. I have no idea why this is not working.

This is my current configuration:

jwt auth backend (terraform):

# JWT auth mount; Vault fetches the signing keys from the cluster's OIDC discovery endpoint
resource "vault_jwt_auth_backend" "oidc_auth_backend" {
  description        = "${var.mount_path} vault OIDC auth backend"
  path               = var.mount_path
  type               = "jwt"
  oidc_discovery_url = var.oidc_discovery_url
  default_role       = "${var.mount_path}-role"
}

# Role the pod's service account token is logged in against
resource "vault_jwt_auth_backend_role" "oidc_auth_backend_role" {
  backend               = vault_jwt_auth_backend.oidc_auth_backend.path
  role_name             = "${var.mount_path}-role"
  bound_audiences       = [var.oidc_discovery_url]
  role_type             = "jwt"
  user_claim            = "sub"
  bound_subject         = "system:serviceaccount:${var.serviceaccount_namespace}:${var.serviceaccount_name}"
  token_policies        = var.token_policies
  token_ttl             = 3600
  allowed_redirect_uris = [
    "${var.vault_address}/ui/vault/auth/${var.mount_path}/oidc/callback",
    "http://localhost:8250/oidc/callback"
  ]
}

testpod (kubernetes manifest yaml):

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: <namespace>
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/auth-type: "jwt"
    vault.hashicorp.com/auth-config-path: "/var/run/secrets/kubernetes.io/serviceaccount/token"
    vault.hashicorp.com/auth-path: "auth/<mount_path>"
    vault.hashicorp.com/auth-config-role: "<auth_role>"
    vault.hashicorp.com/agent-inject-secret-<file>: "<secret_path>/cert/<cert_serial>/raw/pem"
spec:
  serviceAccountName: <serviceaccountname>
  containers:
  - name: nginx
    image: nginx:1.14.2

Any help would be greatly appreciated!

This has been resolved in: JWT/OIDC config for Kubernetes fails with audience claim does not match any expected audience · Issue #206 · hashicorp/vault-plugin-auth-jwt · GitHub (https://github.com/hashicorp/vault-plugin-auth-jwt/issues/206)
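The first check worth running on an "audience claim does not match any expected audience" error is to decode the service account token that Vault Agent is actually sending (the file at /var/run/secrets/kubernetes.io/serviceaccount/token in the post) and compare its aud claim with the role's bound_audiences, since Vault only needs one aud value to appear in that list. The script below is an added example, not code from the original post or from Vault; the token it decodes is constructed inline to mimic the shape of a Kubernetes service account JWT, and the issuer URL, audience value and subject in it are hypothetical. On a real cluster the aud value depends on the API server's --api-audiences / --service-account-issuer settings, so read it from your own token rather than assuming it.

```python
"""Decode a Kubernetes service account JWT (without verifying it) and test its
aud claim against a Vault JWT role's bound_audiences, the way Vault does."""
import base64
import json

# Constructed sample token, NOT a real Kubernetes token. In a live cluster:
#   kubectl exec <pod> -- cat /var/run/secrets/kubernetes.io/serviceaccount/token
_HEADER = {"alg": "RS256", "kid": "constructed-kid"}
_PAYLOAD = {
    "iss": "https://oidc.example.test/cluster-a",                # hypothetical issuer
    "aud": ["https://kubernetes.default.svc.cluster.local"],    # hypothetical aud
    "sub": "system:serviceaccount:demo:vault-client",           # hypothetical SA
    "exp": 4102444800,
}


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment drops, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(_PAYLOAD, separators=(",", ":")).encode()),
    b64url_encode(b"not-a-real-signature"),  # signature is irrelevant for reading claims
])


def jwt_claims(token: str) -> dict:
    """Return the payload claims. This deliberately does NOT verify the
    signature: Vault does that against the issuer's JWKS. Here we only want
    to see which aud/iss/sub the token carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def audience_check(claims: dict, bound_audiences: list) -> tuple:
    """Mirror Vault's bound_audiences rule: aud may be a string or a list, and
    at least one of its values must be in bound_audiences."""
    aud = claims.get("aud")
    if aud is None:
        return False, []
    auds = [aud] if isinstance(aud, str) else list(aud)
    return any(a in bound_audiences for a in auds), auds


def diagnose(token: str, bound_audiences: list) -> dict:
    """Summarise the claims Vault will look at next to the role's setting."""
    claims = jwt_claims(token)
    ok, auds = audience_check(claims, bound_audiences)
    return {
        "iss": claims.get("iss"),
        "sub": claims.get("sub"),
        "aud": auds,
        "bound_audiences": list(bound_audiences),
        "audience_match": ok,
    }


if __name__ == "__main__":
    # Role configured as in the post: bound_audiences = [oidc_discovery_url].
    print(json.dumps(diagnose(SAMPLE_TOKEN, ["https://oidc.example.test/cluster-a"]), indent=2))
    # Role whose bound_audiences contains the value the token actually carries.
    print(json.dumps(diagnose(SAMPLE_TOKEN, ["https://kubernetes.default.svc.cluster.local"]), indent=2))
```

The first diagnose() call reproduces the failing case (the issuer URL is in iss, not in aud, so audience_match is False); the second shows what a matching role looks like. Feed it a real token with `python3 decode_sa_token.py "$(kubectl exec <pod> -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)"` after swapping SAMPLE_TOKEN for sys.argv[1], and whatever appears under "aud" is what the role has to list.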