Vault grant manually k8s jwt token once it is no longer valid

Hi there

I have a vault (hasicorp) configured for storing some secrets, etc in a kubernetes cluster. I have several namespaces in the cluster and they’re working properly with the vault but one of them, after the SA jwt token of this namespace was re-created, it can’t access to the vault anymore in this namespace.

The question is if it’s possible to authorize the new SA jwt token into the vault manually

The thing I did it was

jwt=<the new jwt token>

I try to access to the vault

curl -k -s --request POST --data '{"jwt": "${jwt}", "role": "read-config"}' https://vault.ct:8200/v1/auth/<namespace>/kubernetes/login
{"errors":["service account name not authorized"]}

Then I try to authorize the SA into the vault

write auth/<namespace>/kubernetes/role/read-config bound_service_account_names=sa-name bound_service_account_namespaces=<namespace> policies=<namespace>/read-config

and now I’m getting

{"errors":["permission denied"]}

So, it seems that the auth command works but no as I’m expecting. I think I’m missing something but I can’t found what

Also, I followed

vault write auth/kubernetes/config \
   token_reviewer_jwt="$(cat ./token)" \
   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \

with the same result

Am I missing anything?

Thanks in advance


I think you are on the right track. When you have created the new sa, you also need to create a corresponding role in the kubernetes auth in Vault with :

write auth/<namespace>/kubernetes/role/read-config bound_service_account_names=sa-name bound_service_account_namespaces=<namespace> policies=<namespace>/read-config

The error that you get “{“errors”:[“permission denied”]}” tells you that the token that you are currently logged in Vault with does not have permissions to create a new role in the Kubernetes auth, in other words, you have no rights to write to auth/<namespace>/kubernetes/role/read-config path.

I would suggest using a token that has the rights to write in auth/<namespace>/kubernetes/role/read-config path and create the role for your new sa(service account).


Hey martinhristov90, thanks for the info

Maybe I didn’t explained properly the issue

This is the role that it is currently configured into the vault

# vault read auth/precompiler/kubernetes/role/read-config
Key                                 Value
---                                 -----
bound_service_account_names         [*]
bound_service_account_namespaces    [precompiler]
policies                            [precompiler/read-config]
token_bound_cidrs                   []
token_explicit_max_ttl              0s
token_max_ttl                       0s
token_no_default_policy             false
token_num_uses                      0
token_period                        0s
token_policies                      [precompiler/read-config]
token_ttl                           20m
token_type                          default

The jwt looks like as the following

  "iss": "kubernetes/serviceaccount",
  "": "precompiler",
  "": "permissions-serviceaccount",
  "sub": "system:serviceaccount:precompiler:permissions-serviceaccount"

For my understanding the jwt should get access to the vault using the role: read-config , using the following curl command, right?

curl -k -s --request POST --data '{"jwt": "${jwt}", "role": "read-config"}' https://vault.ct:8200/v1/auth/precompiler/kubernetes/login

but in this case, this is what I’m receiving

{"errors":["permission denied"]}

Thanks in advance