Short-lived Kubernetes Service Account Tokens vs Tokenreview

If I use a projected service account token like

  projected:
    sources:
    - serviceAccountToken:
        path: vault-token
        expirationSeconds: 7200
        audience: vault

and try using “Use local service account token as the reviewer JWT”, then this will probably not work, since the audience “vault” cannot be used to query the TokenReview API.

So if I want to:

  • use projected tokens
  • avoid long-lived Kubernetes tokens
  • use a custom audience like “vault”,

I guess this cannot be done with Kubernetes auth method?

So do I have to switch to JWT?

Can you share a bit more about your setup? For example, where does Vault run in relation to your Kubernetes cluster(s)? Do you run multiple clusters? Multiple instances of Vault?

Using HCP Vault, therefore Vault is not running in that Kubernetes cluster. Currently there is only one cluster.
So “Use local token as reviewer JWT” is not an option (terminology from Kubernetes - Auth Methods | Vault | HashiCorp Developer).
I would also like to avoid “Use long-lived token as reviewer JWT”.

I think in that scenario, unless we have something coming I am not aware of, it looks like the recommendation for short-lived tokens is JWT:

Update: As you are using HCP Vault, you are correct in that you cannot use the “local service account token” as it requires Vault to be deployed on the Kubernetes cluster.

You should be able to use a custom audience when configuring the Kubernetes auth method for: “Use local service account token as the reviewer JWT”.

I recently built a GitHub repo with various Kubernetes Auth method examples (in Terraform). In my example I was able to set audience: vault.

However, I did have trouble setting a custom audience with: “Use the Vault client’s JWT as the reviewer JWT”. When configuring this option, the audience must be equal to or contain the Kubernetes issuer URL.

As @jonathanfrappier mentioned, JWT is always another option!
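Added example, not part of the thread or of any HashiCorp code: a small pre-flight check that decodes a projected service account token (without verifying its signature, which is Vault's or the TokenReview API's job) and confirms the `aud` claim carries the audience the Vault role will be configured with, and that the token lifetime matches the volume's `expirationSeconds`. The sample token is constructed in code with a placeholder signature; the issuer URL and service account name are assumed values.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Return the payload claims of a compact JWS. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_projected_token(token, expected_aud, max_lifetime, now=None):
    """Report whether the token fits a Vault role with audience=expected_aud."""
    claims = decode_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    now = int(time.time()) if now is None else now
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    return {
        "aud_ok": expected_aud in aud,
        "lifetime_ok": 0 < lifetime <= max_lifetime,
        "not_expired": claims.get("exp", 0) > now,
        "issuer": claims.get("iss"),
        "service_account": claims.get("sub"),
    }


def make_sample_token(aud, iat, expiration_seconds):
    """Constructed, unsigned token shaped like a kubelet-projected one (assumed values)."""
    header = {"alg": "RS256", "kid": "sample-kid"}
    payload = {
        "iss": "https://kubernetes.default.svc.cluster.local",  # assumed issuer
        "sub": "system:serviceaccount:default:myapp",            # assumed SA
        "aud": aud,
        "iat": iat,
        "exp": iat + expiration_seconds,
    }
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     "placeholder-signature"])
```

Run it against the token the kubelet writes to the volume's `path` to confirm `aud_ok` before creating the Vault role; a token whose only audience is the issuer URL (the reviewer-JWT case above) will report `aud_ok: False` for `vault`.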