Hi,
I am using vault (1.5.2) and vault-agent (0.5.0) running in a k8s … I would like to inject secrets into my application, but when I checked vault-agent-init's logs I received an error.
URL: GET http://vault.dev.svc:8200/v1/sys/internal/ui/mounts/secret/hub-myapp/database
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "secret/hub-myapp/database/"
2020/10/16 16:06:55.389684 [WARN] (view) vault.read(secret/hub-myapp/database): vault.read(secret/hub-myapp/database): Error making API request.
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
hub-myapp-dev-cdf8565dd-qhrp5 0/2 Init:1/2 0 12m
vault-0 1/1 Running 0 153m
vault-agent-injector-84c7b7cb4d-q62j8 1/1 Running 0 153m
I am able to read the policy and the secret inside vault's pod.
/ $ vault policy read hub-test
path "secret/hub-myapp/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
/ $ vault kv get secret/hub-myapp/database
============ Data ============
Key Value
--- -----
database_password_dev xxxx
database_username_dev xxx
/ $
Here are the annotations that I specify in my app.
template:
  metadata:
    annotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/agent-inject-secret-database: "secret/hub-myapp"
      vault.hashicorp.com/agent-inject-template-database: |
        {{`{{- with secret "secret/hub-myapp/database" -}}
        {
          "database_username_dev" : ".Data.database_username_dev",
          "database_password_dev" : ".Data.database_password_dev"
        }
        {{- end }}`}}
      vault.hashicorp.com/role: "hub-myapp"
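Since the post does not show whether the `secret/` mount is KV v1 or v2 (nor which policies the `hub-myapp` role binds), one thing worth checking is that `hub-test` covers the path the agent really reads: on a KV v2 mount that is `secret/data/hub-myapp/database`, which `vault kv get` hides behind the short form. The Python below is an added model of Vault's policy path matching, not Vault's code or anything from the post; `POLICY_KV_V2` and the KV v2 assumption are mine.

```python
"""Model of how Vault matches an ACL policy path against a request path.
Constructed for illustration, not Vault's own code. It covers Vault's two
path wildcards: a trailing '*' (any suffix) and '+' (exactly one segment)."""
from typing import Dict, List

Policy = Dict[str, List[str]]

# The policy shown in the post (KV v1-style path, no data/ prefix).
POLICY_HUB_TEST: Policy = {
    "secret/hub-myapp/*": ["create", "read", "update", "delete", "list"],
}
# Assumed alternative for a KV v2 mount, where reads go to secret/data/<path>.
POLICY_KV_V2: Policy = {
    "secret/data/hub-myapp/*": ["read"],
    "secret/metadata/hub-myapp/*": ["list"],
}


def pattern_matches(pattern: str, path: str) -> bool:
    """True if a policy path pattern matches a request path."""
    glob = pattern.endswith("*")
    pat_parts = (pattern[:-1] if glob else pattern).split("/")
    path_parts = path.split("/")
    if glob:
        # '*' may end a partial segment: compare the head segment-wise, and
        # the last pattern segment as a prefix of the matching path segment.
        head, tail = pat_parts[:-1], pat_parts[-1]
        if len(path_parts) <= len(head):
            return False
        if any(p != "+" and p != s for p, s in zip(head, path_parts)):
            return False
        return path_parts[len(head)].startswith(tail)
    if len(pat_parts) != len(path_parts):
        return False
    return all(p == "+" or p == s for p, s in zip(pat_parts, path_parts))


def capabilities(policy: Policy, path: str) -> List[str]:
    """Capabilities the policy grants on path; ['deny'] when nothing matches.
    Simplified precedence: an exact rule wins, else the longest matching rule."""
    if path in policy:
        return sorted(policy[path])
    hits = [(len(p), caps) for p, caps in policy.items() if pattern_matches(p, path)]
    return sorted(max(hits)[1]) if hits else ["deny"]


def kv_read_path(mount: str, secret: str, kv_version: int) -> str:
    """Path the HTTP API (and so vault-agent) reads; `vault kv get` hides it."""
    return f"{mount}/data/{secret}" if kv_version == 2 else f"{mount}/{secret}"
```

On a v2 mount the post's policy grants everything on `secret/hub-myapp/database` but nothing on `secret/data/hub-myapp/database`, which is the read the agent performs; `vault token capabilities <agent-token> secret/data/hub-myapp/database` shows what the role's token actually gets.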