Unable to login to HCP Vault using k8s service account token

I am trying to use k8s service account tokens to log in to Vault. I followed the configuration as mentioned in the documentation here

I get the following error

* error validating token: error verifying token signature: no known key successfully validated the token signature

I have tried setting up first oidc_discovery_url as shown below

vault write auth/jwt/config oidc_discovery_url="${ISSUER}"

as well as

vault write auth/jwt/config \
   jwt_validation_pubkeys="-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9...
-----END PUBLIC KEY-----"

Eventually I want to use k8s service account tokens for machine-to-machine API authorization by leveraging vault’s ability to issue access_tokens after successfully validating service account jwts.
However, I am stuck at this initial phase. Am I doing something wrong?

Hi,

I guess something must be set up wrong since it isn’t working. But, please take another look through your message - all you’ve really told us is that you set Vault up as per the linked documentation, and you got a fairly generic error saying

At that point, it’s difficult to make any useful suggestion other than “Maybe the token wasn’t actually signed by the key(s) you configured then?”.

People on this forum will generally try to help, but we’re not mind readers, and we can’t see your computer screen. Unless you give more details, it’s difficult to make any useful suggestions.

Hi,
I am sorry, I didn’t know what else I could provide in this regard. In terms of setup, I have a kubernetes cluster with a Pod running that mounts a project volume service account token.
The OIDC endpoint of the cluster is publicly discoverable.
I followed the documentation again and this time I was able to login to vault using service account token and vault cli.
However, I am still unable to login via JWT/OIDC API.

curl \
    --request POST \
    --data @payload.json \
    "${VAULT_ADDR}/v1/auth/jwt/login" | jq

and get the following response

{
  "errors": [
    "role \"demo\" could not be found"
  ]
}

Whereas I created this role in the following way

vault write auth/jwt/role/demo \
        role_type=jwt \
        bound_audiences=vault \
        bound_subject="system:serviceaccount:my-namespace:my-serviceaccount" \
        user_claim=sub \
        token_policies=default \
        ttl="1h"

My follow up question would be, assuming I have obtained vault token by exchanging service account token, what are the possible ways I can use this vault token for accessing a protected HTTP api endpoint (I am assuming that I can somehow use vault tokens for protecting http APIs). Does this use-case make sense when it comes to vault?

You say you created auth/jwt/role/demo, but the error

is direct evidence that no such role exists.

You mentioned HCP Vault… could it be that your vault CLI commands are being directed to a Vault namespace, but you’re not including that when you use curl manually?

Please execute

vault read -output-curl-string test

and paste the output, to see what the vault CLI thinks is a suitable curl command.


No. Vault tokens are only for talking to Vault itself.


Using the right curl worked. Thank you!

vault read -output-curl-string test

showed the right curl command including the namespace in it.
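Both failures in this thread (a token signature that no configured key validates, and a role that is "not found" because the hand-written curl omitted the namespace the CLI was silently sending) can be checked before calling Vault. The Python below is an added example, not HashiCorp's code: it splits the service account JWT so its header and claims can be compared with the auth/jwt/role/demo settings from the thread, and builds the login request with the X-Vault-Namespace header. The sample claims, the "constructed-kid" value and the namespace passed in are assumptions for an offline run.

```python
import base64
import json
from typing import Any, Dict, List, Optional, Tuple

# Mirrors the thread's `vault write auth/jwt/role/demo ...` settings (constructed here).
ROLE = {"bound_audiences": ["vault"], "user_claim": "sub",
        "bound_subject": "system:serviceaccount:my-namespace:my-serviceaccount"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> Dict[str, Any]:
    """Split a JWT into header and claims WITHOUT checking the signature (inspection only).
    The header's kid/alg must match a key in the issuer's JWKS that oidc_discovery_url
    leads Vault to; otherwise Vault reports "no known key successfully validated"."""
    header, payload, _signature = token.split(".")
    return {"header": json.loads(_b64url_decode(header)),
            "claims": json.loads(_b64url_decode(payload))}


def check_against_role(claims: Dict[str, Any], role: Dict[str, Any]) -> List[str]:
    """Return the mismatches the role's bound_* checks would reject; empty list means OK."""
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)   # aud may be a string or a list
    if not set(aud) & set(role["bound_audiences"]):
        problems.append(f"aud {aud} does not include any of {role['bound_audiences']}")
    if claims.get("sub") != role["bound_subject"]:
        problems.append(f"sub {claims.get('sub')!r} != bound_subject {role['bound_subject']!r}")
    if role["user_claim"] not in claims:
        problems.append(f"user_claim {role['user_claim']!r} missing from token")
    return problems


def build_login_request(vault_addr: str, role_name: str, jwt: str,
                        namespace: Optional[str] = None) -> Tuple[str, Dict[str, str], str]:
    """Return (url, headers, body) for POST /v1/auth/jwt/login. The CLI reads VAULT_NAMESPACE;
    a hand-written curl must send X-Vault-Namespace itself, or the role lookup happens in
    the wrong namespace and Vault answers `role "demo" could not be found`."""
    headers = {"Content-Type": "application/json"}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    return f"{vault_addr.rstrip('/')}/v1/auth/jwt/login", headers, json.dumps({"role": role_name, "jwt": jwt})


def make_sample_token(claims: Dict[str, Any]) -> str:  # constructed, unsigned, offline use only
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{_b64url_encode(b'fake-sig')}"
```

Run `decode_jwt_unverified` on the token from the projected volume (`cat /var/run/secrets/.../token` in the Pod) and compare the printed kid against the issuer's JWKS, and the claims against `check_against_role`, before sending anything to Vault.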