vault write auth/jwt/config \
jwt_validation_pubkeys="-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9...
-----END PUBLIC KEY-----"
Eventually I want to use k8s service account tokens for machine-to-machine API authorization by leveraging Vault’s ability to issue access_tokens after successfully validating service account JWTs.
However, I am stuck at this initial phase. Am I doing something wrong?
I guess something must be set up wrong since it isn’t working. But, please take another look through your message - all you’ve really told us is that you set Vault up as per the linked documentation, and you got a fairly generic error saying
At that point, it’s difficult to make any useful suggestion other than “Maybe the token wasn’t actually signed by the key(s) you configured then?”.
People on this forum will generally try to help, but we’re not mind readers, and we can’t see your computer screen. Unless you give more details, it’s difficult to make any useful suggestions.
Hi,
I am sorry, I didn’t know what else I could provide in this regard. In terms of setup, I have a Kubernetes cluster with a Pod running that mounts a projected volume service account token.
The OIDC endpoint of the cluster is publicly discoverable.
I followed the documentation again and this time I was able to log in to Vault using the service account token and the Vault CLI.
However, I am still unable to log in via the JWT/OIDC API.
My follow-up question would be: assuming I have obtained a Vault token by exchanging the service account token, what are the possible ways I can use this Vault token for accessing a protected HTTP API endpoint (I am assuming that I can somehow use Vault tokens for protecting HTTP APIs)? Does this use case make sense when it comes to Vault?
You say you created auth/jwt/role/demo, but the error
is direct evidence that no such role exists.
You mentioned HCP Vault… could it be that your Vault CLI commands are being directed to a Vault namespace, but you’re not including that when you use curl manually?
Please execute
vault read -output-curl-string test
and paste the output, to see what the Vault CLI thinks is a suitable curl command.
No. Vault tokens are only for talking to Vault itself.
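The following script is an added example, not code from this thread or from HashiCorp. It walks through what the replies above suggest: decode the projected service account token and compare its `iss`, `kid` and `sub` with the auth method config before suspecting Vault, send the JWT login over the HTTP API with the same `X-Vault-Namespace` header the CLI adds from `VAULT_NAMESPACE`, and then use the returned Vault token only against Vault. The role name `demo` comes from the thread; the issuer `oidc.example.test`, the `kid`, the token file path and the sample token itself are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Offline parts run as-is; the real
# login only happens when invoked as: VAULT_ADDR=... VAULT_NAMESPACE=... ./sa-login.sh login

# Decode base64url (RFC 7515): restore '+' '/' and the '=' padding JWT segments drop.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_part N JWT: N=1 header, N=2 claims, as JSON. The signature is left alone;
# only Vault verifies it, this script never does.
jwt_part() { b64url_decode "$(printf '%s' "$2" | cut -d. -f"$1")"; }

# jwt_field N NAME JWT: pull a string-valued field out of part N with sed.
# Fine for iss/sub/kid; use jq for arrays such as aud if it is installed.
jwt_field() {
  jwt_part "$1" "$3" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Body for POST /v1/auth/jwt/login. Both values are safe to interpolate:
# a JWT is base64url text and Vault role names are plain identifiers.
login_payload() { printf '{"role":"%s","jwt":"%s"}' "$1" "$2"; }

# vault_jwt_login ADDR NAMESPACE ROLE TOKENFILE -> prints the Vault client token.
# Without X-Vault-Namespace the request goes to the root namespace, where
# auth/jwt/role/<role> may simply not exist; `vault read -output-curl-string`
# shows the header the CLI itself sends.
vault_jwt_login() {
  addr=$1; ns=$2; role=$3; tokenfile=$4
  jwt=$(cat "$tokenfile")
  set -- -sS -H 'Content-Type: application/json'
  if [ -n "$ns" ]; then set -- "$@" -H "X-Vault-Namespace: $ns"; fi
  curl "$@" --data "$(login_payload "$role" "$jwt")" "$addr/v1/auth/jwt/login" \
    | sed -n 's/.*"client_token":"\([^"]*\)".*/\1/p'
}

# vault_read ADDR NAMESPACE TOKEN PATH: the only thing a Vault token is good for
# is talking to Vault, e.g. reading a secret the role's policy allows.
vault_read() {
  addr=$1; ns=$2; token=$3; path=$4
  set -- -sS -H "X-Vault-Token: $token"
  if [ -n "$ns" ]; then set -- "$@" -H "X-Vault-Namespace: $ns"; fi
  curl "$@" "$addr/v1/$path"
}

# Constructed sample with the shape of a projected service account token.
# The third segment is a dummy signature (assumption: never verified here).
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_HEADER='{"alg":"RS256","kid":"sample-kid"}'
SAMPLE_CLAIMS='{"iss":"https://oidc.example.test","aud":["vault"],"sub":"system:serviceaccount:default:demo","exp":1900000000}'
SAMPLE_JWT="$(printf '%s' "$SAMPLE_HEADER" | b64url).$(printf '%s' "$SAMPLE_CLAIMS" | b64url).c2ln"

# What to compare against the auth method before blaming the signature check:
# iss must match bound_issuer or the OIDC discovery issuer, kid must match the
# key in jwt_validation_pubkeys (or the JWKS), aud must be in bound_audiences.
echo "header: $(jwt_part 1 "$SAMPLE_JWT")"
echo "claims: $(jwt_part 2 "$SAMPLE_JWT")"
echo "iss=$(jwt_field 2 iss "$SAMPLE_JWT") kid=$(jwt_field 1 kid "$SAMPLE_JWT")"

if [ "${1:-}" = login ]; then
  # Assumed path of the projected token volume inside the Pod.
  tok=$(vault_jwt_login "$VAULT_ADDR" "${VAULT_NAMESPACE:-}" demo /var/run/secrets/tokens/vault-token)
  vault_read "$VAULT_ADDR" "${VAULT_NAMESPACE:-}" "$tok" secret/data/demo
fi
```

Run it without arguments to see the decoded sample; run it with `login` inside the Pod, with `VAULT_ADDR` and `VAULT_NAMESPACE` set to the same values the working CLI session used, and the curl path should then behave exactly like `vault login -method=jwt`.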