Retrieve secrets from Vault using csi driver returning "permission denied"

On my csi namespace, I have the following service accounts:

NAME                       SECRETS   AGE
app-teste                  1         46h
default                    1         47h
secrets-store-csi-driver   1         47h
vault                      1         47h
vault-csi-provider         1         47h

I only created app-teste; the other ones were created by Helm. Then I bound a ClusterRoleBinding for system:auth-delegator to app-teste, authenticated to Vault using the same service account, and did the same for the pod. But I'm still getting permission denied.

Warning  FailedMount  103s (x23 over 32m)   kubelet, <ip>  MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod csi/nginx-secrets-store-inline, err: rpc error: code = Unknown desc = error making mount request: couldn't read secret "k8s-secret": Error making API request.

URL: GET https://<vault-url>/v1/%!!(MISSING)E(MISSING)2%!C(MISSING)secret/data/k8s-secret%!!(MISSING)E(MISSING)2%!D(MISSING)
Code: 403. Errors:

* 1 error occurred:
  * permission denied

[update]
I can get a token using curl:

curl \
  --request POST \
  --data '{"jwt": "'$TOKEN_REVIEW_SJWT'", "role": "teste-role"}' \
  http://<ip>:8200/v1/auth/kubernetes/login

I'm able to run vault login <token> and read the secret with vault read secret/data/k8s-secret. But when I deploy the pod to test it, it is still returning "permission denied".

I was able to create the pod when I removed the double quotes from the SecretProviderClass.

objects: |
   - objectName: password
     secretPath: secret/data/k8s-secret/
     secretKey: password
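As an added illustration (not code from the original post, nor from the Vault CSI provider or Vault itself), the following Python checks a SecretProviderClass secretPath the way this failure suggests: it shows the percent-encoded path the provider would request, flags quote or non-ASCII characters that survive YAML parsing and become part of the Vault path, and evaluates the path against a policy using Vault's path-matching rules (trailing `*` glob, `+` single-segment wildcard). The typographic quotes U+201C/U+201D and the policy list are assumptions: U+201C/U+201D percent-encode to the `%E2%80%9C` / `%E2%80%9D` byte sequences that line up with the mangled URL in the error above, but the post does not say which quote characters were used.

```python
from urllib.parse import quote

# Constructed samples: the question's secretPath once wrapped in typographic
# double quotes (U+201C/U+201D, an assumption about what the "double quotes"
# were) and once clean. The policy paths are hypothetical, not from the post.
QUOTED_PATH = "\u201csecret/data/k8s-secret\u201d"
CLEAN_PATH = "secret/data/k8s-secret"
POLICY_PATHS = ["secret/data/k8s-secret", "secret/metadata/*"]


def vault_api_path(secret_path):
    """Return the request path the provider would send: /v1/ + secretPath,
    percent-encoded. Anything that is not a plain path character shows up
    here as %XX bytes, which is what the URL in the 403 error reveals."""
    return "/v1/" + quote(secret_path, safe="/")


def find_bad_chars(secret_path):
    """List quote characters and non-ASCII characters in a secretPath.
    YAML does not strip them, so they become part of the path Vault
    evaluates against the policy and the lookup is denied."""
    return [f"U+{ord(c):04X}" for c in secret_path if ord(c) > 0x7F or c in "\"'"]


def policy_matches(pattern, path):
    """Vault ACL path matching: a trailing '*' matches any suffix (it may be
    a partial segment, e.g. secret/data/k8s*), and '+' matches exactly one
    path segment. Without a trailing '*' the match must be exact."""
    glob = pattern.endswith("*")
    if glob:
        pattern = pattern[:-1]
    pseg = pattern.split("/")
    seg = path.split("/")
    if not glob:
        return len(pseg) == len(seg) and all(p == "+" or p == s for p, s in zip(pseg, seg))
    if len(seg) < len(pseg):
        return False
    for i, p in enumerate(pseg):
        if p == "+":
            continue
        if i == len(pseg) - 1:
            return seg[i].startswith(p)
        if seg[i] != p:
            return False
    return True


def diagnose(secret_path, policy_paths):
    """Summarise why a mount for this secretPath would succeed or be denied."""
    return {
        "api_path": vault_api_path(secret_path),
        "bad_chars": find_bad_chars(secret_path),
        "allowed": any(policy_matches(p, secret_path) for p in policy_paths),
    }


if __name__ == "__main__":
    for label, path in (("quoted", QUOTED_PATH), ("clean", CLEAN_PATH)):
        print(label, diagnose(path, POLICY_PATHS))
```

Run it and the quoted path reports two bad characters, an API path containing `%E2%80%9C` and `%E2%80%9D`, and `allowed: False`, while the clean path is allowed. The matcher deliberately models only the glob and `+` rules; it does not model how Vault treats a trailing slash such as the one in the working config above, so check that separately against your Vault version.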