Kubernetes Secrets Engine and Multi Cluster Config

Hi,

I was reading through the docs for the Kubernetes Secrets Engine in order to dynamically generate service account tokens and was curious if there was any further reading on a configuration that looks something like this…

Let’s say we have ~10 Kubernetes clusters and Vault is running on 1 of the 10, but we want Vault to be able to dynamically provision service account tokens across all 10 clusters. It does seem like the configuration of the Kubernetes Secrets Engine accepts a Kubernetes API server address aside from the one Vault is running on, but it seems to me the way for Vault to authorize with the remote server is just to pass a JWT? (basing this off of Vault provider docs)

Is the expectation if you’re using the Vault provider to configure this backend that we would pass long-lived service account JWTs into the config? As I see it now the Terraform provider doesn’t really work for this use case, but maybe I’m missing something.
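For reference, here is a concrete form of the layout sketched in the question: one Kubernetes secrets engine mount per remote cluster, each configured with that cluster's API server address, CA bundle and a service account token that Vault presents as its bearer credential. This is an added example, not code from the post or from HashiCorp's documentation; the cluster keys, variable names, namespace and the `app-reader` service account are assumptions for illustration.

```hcl
# Added example (not from the original post). Assumes Vault runs on one
# cluster and must reach the others, so the in-pod CA/token fallback is
# disabled on every mount.

variable "clusters" {
  description = "Remote clusters to mint tokens for (assumed values)."
  type = map(object({
    host    = string # API server URL, e.g. https://10.0.1.10:6443
    ca_cert = string # PEM CA bundle for that API server
  }))
}

# Kept separate and marked sensitive: a sensitive value cannot be used as a
# for_each key, and the token should never appear in plan output.
variable "cluster_jwts" {
  description = "Long-lived token of the service account Vault uses on each cluster (assumed)."
  type        = map(string)
  sensitive   = true
}

resource "vault_kubernetes_secret_backend" "cluster" {
  for_each = var.clusters

  path                = "kubernetes-${each.key}"
  description         = "Dynamic service account tokens for cluster ${each.key}"
  kubernetes_host     = each.value.host
  kubernetes_ca_cert  = each.value.ca_cert
  service_account_jwt = var.cluster_jwts[each.key]

  # Vault is not a pod on this cluster, so do not let it default to the
  # CA and service account token mounted into its own filesystem.
  disable_local_ca_jwt = true
}

resource "vault_kubernetes_secret_backend_role" "reader" {
  for_each = vault_kubernetes_secret_backend.cluster

  backend                       = each.value.path
  name                          = "reader"
  allowed_kubernetes_namespaces = ["default"]
  token_default_ttl             = 600  # seconds
  token_max_ttl                 = 3600 # seconds

  # Pre-existing service account on the remote cluster whose short-lived
  # tokens Vault issues; the account behind var.cluster_jwts needs RBAC
  # to create serviceaccounts/token in the allowed namespaces.
  service_account_name = "app-reader"
}
```

Two caveats a practitioner would check before adopting this: the per-cluster token ends up in Vault's mount configuration and in Terraform state, so the state backend needs to be treated as a secret store, and the token should belong to a dedicated service account scoped to only the namespaces and subresources the roles actually use. Tokens issued through `creds/reader` are then short-lived, but the credential Vault itself holds is only as revocable as the service account it belongs to.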