In my csi namespace, I have the following service accounts:
NAME                       SECRETS   AGE
app-teste                  1         46h
default                    1         47h
secrets-store-csi-driver   1         47h
vault                      1         47h
vault-csi-provider         1         47h
I only created app-teste; the other ones were created by Helm. Then I bound a ClusterRoleBinding system:auth-delegator to app-teste. I authenticated to Vault using the same service account. Same for the pod. But I am still getting permission denied.
Warning FailedMount 103s (x23 over 32m) kubelet, <ip> MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod csi/nginx-secrets-store-inline, err: rpc error: code = Unknown desc = error making mount request: couldn't read secret "k8s-secret": Error making API request. URL: GET https://<vault-url>/v1/%!!(MISSING)E(MISSING)2%!C(MISSING)secret/data/k8s-secret%!!(MISSING)E(MISSING)2%!D(MISSING) Code: 403. Errors: * 1 error occurred: * permission denied