Kubernetes Vault Injector with External Vault (Hashicorp Vault Cloud/Platform) 403 "permission denied"

Hi, I am trying to connect my external Vault (HashiCorp Vault Platform, starter tier) to Kubernetes (EKS) so I can consume data from the external Vault in the pods, but when I try to start the application with the Vault sidecar container it gets stuck in Init:0/1 status.

-------------
APP LOG
-------------

2022-08-25T17:21:16.218Z [ERROR] auth.handler: error authenticating:
  error=
  | Error making API request.
  |
  | URL: PUT https://vault-cluster-public-vault-a1879003.49001524.z1.hashicorp.cloud:8200/v1/auth/kubernetes/login
  | Code: 403. Errors:
  |
  | * permission denied
   backoff=1m57.65s
2022-08-25T17:23:13.877Z [INFO]  auth.handler: authenticating
2022-08-25T17:23:13.952Z [ERROR] auth.handler: error authenticating:
  error=
  | Error making API request.
  |
  | URL: PUT https://vault-cluster-public-vault-a1879003.49001524.z1.hashicorp.cloud:8200/v1/auth/kubernetes/login
  | Code: 403. Errors:
  |
  | * permission denied
   backoff=3m21.16s
-------------
INJECTOR LOG
-------------

2022-08-25T15:27:28.243Z [INFO]  handler.auto-tls: Generated CA
2022-08-25T15:27:28.247Z [INFO]  handler: Starting handler..
Listening on ":8080"...
2022-08-25T15:27:28.343Z [INFO]  handler.certwatcher: Updated certificate bundle received. Updating certs...
2022-08-25T15:27:28.351Z [INFO]  handler.certwatcher: Webhooks changed. Updating certs...
2022-08-25T15:27:28.352Z [INFO]  handler.certwatcher: Webhooks changed. Updating certs...
2022-08-25T15:27:28.352Z [INFO]  handler.certwatcher: Webhooks changed. Updating certs...
2022-08-25T15:27:28.352Z [INFO]  handler.certwatcher: Webhooks changed. Updating certs...
2022-08-25T15:27:28.352Z [INFO]  handler.certwatcher: Webhooks changed. Updating certs...
2022-08-25T15:50:33.558Z [INFO]  handler: Request received: Method=POST URL=/mutate?timeout=30s
2022-08-25T16:02:53.020Z [INFO]  handler: Request received: Method=POST URL=/mutate?timeout=30s
2022-08-25T16:05:34.659Z [INFO]  handler: Request received: Method=POST URL=/mutate?timeout=30s
2022-08-25T16:30:29.439Z [INFO]  handler: Request received: Method=POST URL=/mutate?timeout=30s
2022-08-25T17:14:19.475Z [INFO]  handler: Request received: Method=POST URL=/mutate?timeout=30s
2022-08-25T17:18:51.680Z [INFO]  handler: Request received: Method=POST URL=/mutate?timeout=30s
2022-08-25T17:54:57.203Z [INFO]  handler: Request received: Method=POST URL=/mutate?timeout=30s

I always get 403 permission denied despite following this guide: Integrate a Kubernetes Cluster with an External Vault | Vault - HashiCorp Learn.

Things I verified:

  • The JWT that was used to configure the Vault auth backend is correct
  • The CA that was used to configure the Vault auth backend is correct
  • The service account assigned to my app, from which I do the curl, exists
  • The service account assigned to my app, from which I do the curl, is set up correctly in the Vault auth backend role section with the correct namespace

Is there a step I missed?

Screenshot:
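The checklist above can be turned into a small offline pre-flight script. The following is an added example, not code from the thread or from HashiCorp: it decodes the service-account JWT's identity claims, compares them with the Kubernetes auth role's `bound_service_account_names` / `bound_service_account_namespaces`, and checks the injector annotations on the Pod, including whether `vault.hashicorp.com/namespace` is set. The token, the role name `internal-app`, and the role contents are constructed sample values and are assumptions, not data from the post.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload.signature with a dummy signature.

    Constructed for the demo only; a real projected service-account token is
    signed by the cluster and verified by Vault against the configured CA/JWT.
    """
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def decode_jwt_claims(token: str) -> dict:
    """Decode only the payload segment; this does not verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def service_account_identity(claims: dict) -> tuple:
    """Return (namespace, name) of the service account the token belongs to.

    Projected tokens carry `sub` as system:serviceaccount:<ns>:<name>; legacy
    secret-based tokens carry explicit kubernetes.io/serviceaccount/* claims.
    """
    sub = claims.get("sub", "")
    if sub.startswith("system:serviceaccount:"):
        _, _, ns, name = sub.split(":", 3)
        return ns, name
    return (claims["kubernetes.io/serviceaccount/namespace"],
            claims["kubernetes.io/serviceaccount/service-account.name"])


def preflight(token: str, role_name: str, role: dict, annotations: dict,
              vault_namespace_required: bool = True) -> list:
    """Return a list of mismatches that would make auth/kubernetes/login fail."""
    findings = []
    ns, name = service_account_identity(decode_jwt_claims(token))

    def bound(value, allowed):
        return "*" in allowed or value in allowed

    if not bound(name, role["bound_service_account_names"]):
        findings.append(f"service account name {name!r} is not bound in role {role_name!r}")
    if not bound(ns, role["bound_service_account_namespaces"]):
        findings.append(f"service account namespace {ns!r} is not bound in role {role_name!r}")
    if annotations.get("vault.hashicorp.com/agent-inject") != "true":
        findings.append("vault.hashicorp.com/agent-inject is not 'true'; no sidecar will be injected")
    if annotations.get("vault.hashicorp.com/role") != role_name:
        findings.append(f"vault.hashicorp.com/role does not name the role {role_name!r}")
    if vault_namespace_required and not annotations.get("vault.hashicorp.com/namespace"):
        findings.append("vault.hashicorp.com/namespace is missing; the login goes to the root "
                        "namespace, where the auth method is not mounted on a namespaced Vault")
    return findings


# Constructed sample inputs (assumptions, not values from the thread).
SAMPLE_TOKEN = make_unsigned_jwt({
    "iss": "https://oidc.eks.example.invalid",
    "sub": "system:serviceaccount:default:internal-app",
    "aud": ["https://kubernetes.default.svc"],
})
SAMPLE_ROLE = {  # shape of `vault read auth/kubernetes/role/internal-app`
    "bound_service_account_names": ["internal-app"],
    "bound_service_account_namespaces": ["default"],
    "policies": ["internal-app"],
    "ttl": "24h",
}
ANNOTATIONS_MISSING_NAMESPACE = {
    "vault.hashicorp.com/agent-inject": "true",
    "vault.hashicorp.com/role": "internal-app",
}
ANNOTATIONS_FIXED = dict(ANNOTATIONS_MISSING_NAMESPACE,
                         **{"vault.hashicorp.com/namespace": "admin"})

if __name__ == "__main__":
    for label, ann in (("missing namespace", ANNOTATIONS_MISSING_NAMESPACE),
                       ("fixed", ANNOTATIONS_FIXED)):
        print(label, "->", preflight(SAMPLE_TOKEN, "internal-app", SAMPLE_ROLE, ann) or "OK")
```

Run it against the real token (`cat /var/run/secrets/kubernetes.io/serviceaccount/token` inside the Pod), the output of `vault read auth/kubernetes/role/<name>`, and the Pod's `metadata.annotations` to see which of the four conditions a 403 is coming from; a clean report with a remaining 403 points at the CA or token reviewer JWT configured on the auth method instead.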

Hi @gibran! Did you set the namespace annotation on your Pod? From the second screenshot it looks like it should be admin:

vault.hashicorp.com/namespace: "admin"
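For reference, here is how that annotation sits alongside the other injector annotations on a workload. This is an added example manifest, not one from the thread or from HashiCorp's guide; the role name `internal-app`, the service account name, the secret path and the app image are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: internal-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: internal-app
  template:
    metadata:
      labels:
        app: internal-app
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Must match the Kubernetes auth role whose bound_service_account_names /
        # bound_service_account_namespaces cover the Pod's service account.
        vault.hashicorp.com/role: "internal-app"
        # On a namespaced Vault such as HCP Vault the auth method lives under the
        # "admin" namespace; without this line the login is sent to the root
        # namespace and the injector's auth handler logs a 403 "permission denied".
        vault.hashicorp.com/namespace: "admin"
        # Assumed secret path; the agent renders it to /vault/secrets/database-config.txt
        vault.hashicorp.com/agent-inject-secret-database-config.txt: "secret/data/database/config"
    spec:
      serviceAccountName: internal-app
      containers:
        - name: app
          image: registry.example.invalid/internal-app:1.0   # placeholder image
```

The Vault namespace is also needed by any manual login test against the same endpoint; the CLI reads it from `VAULT_NAMESPACE`, and the API takes it in the `X-Vault-Namespace` request header, so a curl that omits it reproduces the same 403 the sidecar shows.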