Troubleshooting External Secrets Operator, VaultDynamicSecret & JWT auth

I am trying to get External Secrets Operator (v0.9.16) to work with HashiCorp Vault with the following characteristics: a dynamic secrets engine (GCP) and JWT authentication. I have it working, however, only with a very permissive policy (allow read on ‘*’). Without this policy Clearly this is not at all secure. Is there a way to enable debugging on Vault to see what path or paths ESO is reading, then allow only those?

In case this is relevant to the question, my Vault auth config & ESO VaultDynamicSecret manifest are below.

vault auth enable \
  -path=jwt-eso-test \
  -description="JWT auth method to be used to test ESO" \
  jwt
vault write auth/jwt-eso-test/role/dynamic-test \
  role_type=jwt \
  user_claim=sub \
  token_type=batch \
  token_policies=eso-test \
  ttl=1m \
  bound_audiences=external-secrets-eso-test \
  bound_subject=system:serviceaccount:external-secrets:eso-test \
  verbose_oidc_logging=true
---
apiVersion: generators.external-secrets.io/v1alpha1
kind: VaultDynamicSecret
metadata:
  name: vault-generator-jwt
  namespace: external-secrets
spec:
  path: gcp/impersonated-account/<account>/token
  provider:
    auth:
      jwt:
        kubernetesServiceAccountToken:
          audiences:
            - external-secrets-eso-test
          serviceAccountRef:
            name: eso-test
            namespace: external-secrets
        path: jwt-eso-test
        role: dynamic-test
    namespace: <namespace>
    server: https://vault.<company URL>
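
One way to turn observed requests into a narrow policy is sketched below as an added example, not part of the original post and not ESO or Vault project code: it reads JSON lines from a Vault audit device, keeps the requests made by tokens carrying the `eso-test` policy, and drafts policy stanzas for the paths they touched. It assumes an audit device is enabled and uses the audit entry fields `type`, `auth.policies`, `request.path`, `request.operation` and `error`; the log lines, `ACCOUNT_PLACEHOLDER` and `EXAMPLE_MOUNT/placeholder` are constructed and make no claim about which paths ESO actually requests.

```python
import json
from collections import defaultdict

# Constructed entries in Vault's JSON audit-device format, trimmed to the fields
# used here. Placeholder paths; not a record of what ESO actually requests.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"type":"response","auth":{"policies":["default","eso-test"]},"request":{"operation":"update","path":"auth/jwt-eso-test/login"}}',
    '{"type":"request","auth":{"policies":["default","eso-test"]},"request":{"operation":"read","path":"gcp/impersonated-account/ACCOUNT_PLACEHOLDER/token"}}',
    '{"type":"response","auth":{"policies":["default","eso-test"]},"request":{"operation":"read","path":"gcp/impersonated-account/ACCOUNT_PLACEHOLDER/token"}}',
    '{"type":"response","auth":{"policies":["default","eso-test"]},"request":{"operation":"read","path":"EXAMPLE_MOUNT/placeholder"},"error":"permission denied"}',
    '{"type":"response","auth":{"policies":["default","other-app"]},"request":{"operation":"list","path":"secret/metadata/other"}}',
    '{"type":"response","auth":{"pol',  # truncated line, as after log rotation
])

# Login is an unauthenticated endpoint, so it needs no policy grant.
NO_POLICY_NEEDED = {"auth/jwt-eso-test/login"}

def observed_access(log_text, policy):
    """Map path -> {"allowed": ops, "denied": ops} for tokens carrying `policy`."""
    seen = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if not isinstance(entry, dict) or entry.get("type") not in ("request", "response"):
            continue
        if policy not in ((entry.get("auth") or {}).get("policies") or []):
            continue
        req = entry.get("request") or {}
        path, op = req.get("path"), req.get("operation")
        if not path or not op or path in NO_POLICY_NEEDED:
            continue
        seen[path]["denied" if entry.get("error") else "allowed"].add(op)
    return dict(seen)

def render_policy(access):
    """Draft HCL covering every observed path; denied ones are flagged for review."""
    stanzas = []
    for path in sorted(access):
        ops = access[path]
        caps = ", ".join(f'"{c}"' for c in sorted(ops["allowed"] | ops["denied"]))
        note = "  # was denied: confirm before granting\n" if ops["denied"] else ""
        stanzas.append(f'path "{path}" {{\n{note}  capabilities = [{caps}]\n}}')
    return "\n\n".join(stanzas)

if __name__ == "__main__":
    print(render_policy(observed_access(SAMPLE_AUDIT_LOG, "eso-test")))
```

Running it once under the permissive policy lists what was used; running it again after tightening surfaces anything still denied, marked for review rather than granted silently.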