I’m trying to use CSI Driver for vault to use vault secrets in GKE. I have followed the documentation here with an external vault. But I’m getting the below error.
* claim "iss" is invalid
When I disable the issuer validation, it works perfectly. So I tried the following values for the JWT issuer while configuring the Kubernetes authentication, but nothing worked.
“kubernetes/serviceaccount” (This is the value if I decode the token)
That gives you some instructions to help figure out exactly what issuer you need to set. One thing worth pointing out (also covered in the link) is that the “kubernetes/serviceaccount” issuer suggests the token you’re looking at is probably the default long-lived token associated with the service account, but the Vault CSI Provider generates new short-lived tokens, which usually have issuers in the form of a URL.
Please do let me know if the updated documentation helps, and I can help debug further if not.
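An added example, not part of the original posts: a small Python helper that decodes a service account token's payload (without verifying the signature) to show its `iss` claim, tell a legacy long-lived token from a short-lived one, and compare the claim with the issuer configured in Vault. The two tokens and the issuer URL `https://issuer.example.invalid/cluster` are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json
from urllib.parse import urlparse

LEGACY_ISSUER = "kubernetes/serviceaccount"  # issuer seen in the question's decoded token

def jwt_claims(token):
    """Decode a compact JWT's payload WITHOUT verifying it (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def describe_token(token, configured_issuer=None):
    """Report the issuer, the token kind, and whether it equals the configured issuer."""
    claims = jwt_claims(token)
    iss = claims.get("iss", "")
    if iss == LEGACY_ISSUER:
        kind = "legacy long-lived"       # secret-based token, no expiry claim
    elif urlparse(iss).scheme in ("http", "https") and "exp" in claims:
        kind = "short-lived"             # URL issuer plus expiry
    else:
        kind = "unknown"
    matches = None if configured_issuer is None else (iss == configured_issuer)
    return {"iss": iss, "kind": kind, "aud": claims.get("aud"), "issuer_matches": matches}

def _constructed_token(claims):
    """Build an unsigned sample token for this example (the signature is a dummy)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

# Constructed sample tokens; the names and URL are placeholders, not real cluster values.
LEGACY_TOKEN = _constructed_token({
    "iss": LEGACY_ISSUER,
    "sub": "system:serviceaccount:default:app",
})
SHORT_LIVED_TOKEN = _constructed_token({
    "iss": "https://issuer.example.invalid/cluster",
    "aud": ["vault"],
    "exp": 1700003600,
    "iat": 1700000000,
    "sub": "system:serviceaccount:default:app",
})

if __name__ == "__main__":
    for tok in (LEGACY_TOKEN, SHORT_LIVED_TOKEN):
        print(describe_token(tok, configured_issuer=LEGACY_ISSUER))
```

Run against the token that is actually presented to Vault, this shows whether the configured issuer string is the one in that token or the one from the legacy secret.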