Vault grant manually k8s jwt token once it is no longer valid

Hi there

I have a Vault (HashiCorp) configured for storing some secrets, etc. in a Kubernetes cluster. I have several namespaces in the cluster and they’re working properly with the Vault, but for one of them, after the SA JWT token of this namespace was re-created, it can’t access the Vault anymore from this namespace.

The question is whether it’s possible to authorize the new SA JWT token in the Vault manually.

The thing I did was

jwt=<the new jwt token>

I try to access the vault

# note: the JSON body must be double-quoted, otherwise ${jwt} is not expanded and the literal string "${jwt}" is sent as the token
curl -k -s --request POST --data "{\"jwt\": \"${jwt}\", \"role\": \"read-config\"}" https://vault.ct:8200/v1/auth/<namespace>/kubernetes/login
{"errors":["service account name not authorized"]}

Then I try to authorize the SA into the vault

vault write auth/<namespace>/kubernetes/role/read-config bound_service_account_names=sa-name bound_service_account_namespaces=<namespace> policies=<namespace>/read-config

and now I’m getting

{"errors":["permission denied"]}

So, it seems that the auth command works, but not as I’m expecting. I think I’m missing something but I can’t find what.

Also, I followed https://www.vaultproject.io/docs/platform/k8s/helm/examples/kubernetes-auth

vault write auth/kubernetes/config \
   token_reviewer_jwt="$(cat ./token)" \
   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
   kubernetes_ca_cert=@./ca.crt

with the same result

Am I missing anything?

Thanks in advance

Hello,

I think you are on the right track. When you have created the new SA, you also need to create a corresponding role in the Kubernetes auth in Vault with:

vault write auth/<namespace>/kubernetes/role/read-config bound_service_account_names=sa-name bound_service_account_namespaces=<namespace> policies=<namespace>/read-config

The error that you get, {"errors":["permission denied"]}, tells you that the token that you are currently logged in to Vault with does not have permissions to create a new role in the Kubernetes auth; in other words, you have no rights to write to the auth/<namespace>/kubernetes/role/read-config path.

I would suggest using a token that has the rights to write to the auth/<namespace>/kubernetes/role/read-config path and creating the role for your new SA (service account).

Martin

Hey martinhristov90, thanks for the info

Maybe I didn’t explain the issue properly.

This is the role that is currently configured in the vault

# vault read auth/precompiler/kubernetes/role/read-config
Key                                 Value
---                                 -----
bound_service_account_names         [*]
bound_service_account_namespaces    [precompiler]
policies                            [precompiler/read-config]
token_bound_cidrs                   []
token_explicit_max_ttl              0s
token_max_ttl                       0s
token_no_default_policy             false
token_num_uses                      0
token_period                        0s
token_policies                      [precompiler/read-config]
token_ttl                           20m
token_type                          default

The JWT looks like the following

{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "precompiler",
  "kubernetes.io/serviceaccount/service-account.name": "permissions-serviceaccount",
  "kubernetes.io/serviceaccount/service-account.uid": "XXXX-XXXXX-XXXXX-XXXXX",
  "sub": "system:serviceaccount:precompiler:permissions-serviceaccount"
}

To my understanding, the JWT should get access to the vault using the role read-config, using the following curl command, right?

# note: double quotes around the JSON body so that ${jwt} is expanded by the shell
curl -k -s --request POST --data "{\"jwt\": \"${jwt}\", \"role\": \"read-config\"}" https://vault.ct:8200/v1/auth/precompiler/kubernetes/login

but in this case, this is what I’m receiving

{"errors":["permission denied"]}

Thanks in advance

Nacho
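As an added example (not code from the thread or from HashiCorp), the script below reproduces the local part of what Vault's Kubernetes auth method does at login: it decodes the service account claims out of the JWT (payload only, no signature verification), checks them against the `bound_service_account_names` / `bound_service_account_namespaces` of the role shown above, and builds the login JSON body with a JSON encoder instead of shell string interpolation. The sample claims and the role dictionary are constructed from the values posted in the thread; the unsigned test token, `make_unsigned_jwt`, and the non-Vault error string for the namespace case are assumptions of this example. Vault additionally validates the token against the cluster's TokenReview API (using the `token_reviewer_jwt` configured on the mount), so a token that passes this check can still be refused with "permission denied" if that reviewer credential or the mount configuration is wrong.

```python
import base64
import json
from typing import Dict, List, Tuple

# Constructed sample claims, mirroring the JWT payload shown in the thread.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "precompiler",
    "kubernetes.io/serviceaccount/service-account.name": "permissions-serviceaccount",
    "kubernetes.io/serviceaccount/service-account.uid": "XXXX-XXXXX-XXXXX-XXXXX",
    "sub": "system:serviceaccount:precompiler:permissions-serviceaccount",
}

# Constructed from `vault read auth/precompiler/kubernetes/role/read-config` in the thread.
ROLE_READ_CONFIG = {
    "bound_service_account_names": ["*"],
    "bound_service_account_namespaces": ["precompiler"],
    "policies": ["precompiler/read-config"],
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: Dict) -> str:
    """Test fixture only (assumption of this example): an unsigned token so the
    decoder below can be exercised offline. Vault never accepts such a token;
    it verifies real tokens through the Kubernetes TokenReview API."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_claims(jwt: str) -> Dict:
    """Decode the payload segment of a JWT. This does NOT verify the signature;
    it is only for inspecting which service account a token claims to be."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def service_account_from_claims(claims: Dict) -> Tuple[str, str]:
    """Return (namespace, service account name) from the claims, falling back
    to the 'sub' claim of the form system:serviceaccount:<ns>:<name>."""
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    if ns is None or name is None:
        sub = claims.get("sub", "")
        prefix = "system:serviceaccount:"
        if not sub.startswith(prefix):
            raise ValueError("claims carry no service account identity")
        ns, name = sub[len(prefix):].split(":", 1)
    return ns, name


def _bound(value: str, allowed: List[str]) -> bool:
    """Vault's bound_* lists accept either an explicit match or the wildcard '*'."""
    return "*" in allowed or value in allowed


def role_binding_check(claims: Dict, role: Dict) -> str:
    """Return 'ok' when the token's service account is allowed by the role.
    The first error string is the one quoted in the thread; the second is
    this example's own wording."""
    ns, name = service_account_from_claims(claims)
    if not _bound(name, role["bound_service_account_names"]):
        return "service account name not authorized"
    if not _bound(ns, role["bound_service_account_namespaces"]):
        return "namespace not authorized"
    return "ok"


def login_payload(jwt: str, role: str) -> str:
    """JSON body for POST /v1/auth/<mount>/kubernetes/login. Encoding with
    json.dumps avoids the shell trap where '${jwt}' inside single quotes is
    sent literally instead of the token value."""
    return json.dumps({"jwt": jwt, "role": role})


if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    claims = decode_claims(token)
    print("service account:", service_account_from_claims(claims))
    print("binding check:", role_binding_check(claims, ROLE_READ_CONFIG))
    print("login body:", login_payload(token, "read-config"))
```

Run it against a real token by replacing the fixture with the contents of the mounted SA token file: if `role_binding_check` reports "ok" but Vault still answers "permission denied", the problem is not the role binding but the mount configuration or the reviewer credential, which is where to look next.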