So … trying out the Vault operator, and running through the demo in GitHub - hashicorp-education/learn-vault-secrets-operator and the article here → The Vault Secrets Operator on Kubernetes | Vault | HashiCorp Developer
Except I am using an external Vault for these examples, and I grant the system:auth-delegator access to the service account described in the VaultAuth for my external Vault Kubernetes auth. Like this:
- kind: ServiceAccount
But this setup still gave me a 403 … until I removed the audience from both my role definition in the Kubernetes Auth AND of course from my VaultAuth definition.
Without the audience there it just worked and whoopy… my secrets from Vault were created.
Is there a known issue here with handling the audience claim when working against a Vault external to Kubernetes?
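Added diagnostic, not part of the original post or of the operator project: it decodes the `aud` claim of a service-account JWT and checks it against the audience configured on the Vault Kubernetes auth role, the mismatch that typically shows up as a 403 before anyone considers dropping the audience. The token, namespace and service-account name are constructed.

```python
import base64
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample projected service-account token: header.payload.signature
# with a dummy signature. Only the payload is inspected; nothing is verified.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    _b64url(json.dumps({
        "iss": "https://kubernetes.default.svc.cluster.local",
        "aud": ["vault"],
        "sub": "system:serviceaccount:demo:vault-auth",
        "kubernetes.io": {"namespace": "demo",
                          "serviceaccount": {"name": "vault-auth"}},
    }).encode()),
    _b64url(b"not-a-real-signature"),
])


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it (diagnostic use only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token: str, role_audience: Optional[str]) -> bool:
    """Mirror the audience check of a Vault Kubernetes auth role: when the
    role sets `audience`, that value must appear in the token's `aud` claim
    (a string or a list). With no audience on the role, nothing is compared."""
    if role_audience is None:
        return True
    aud = jwt_claims(token).get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return role_audience in aud


if __name__ == "__main__":
    for configured in ("vault", "https://kubernetes.default.svc", None):
        print(configured, "->", audience_matches(SAMPLE_TOKEN, configured))
```

Run it against the token the operator actually requests (read from the pod's projected volume) to see whether the `aud` claim and the role's audience agree before relaxing either side.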