I have a setup with Vault and Kubernetes. K8s pods have access to Vault via a Vault role (Kubernetes auth) with a Vault Agent/sidecar setup.
I observed that:
- when I add a new policy to a Vault role while the pod is in the running state, the new permissions are not reflected until the pod is restarted.
- when, instead of adding a new policy, I edit a policy that was already attached to the Vault role before the pod was created, it works while the pod is in the running state.
Specifically, it happens when I grant permission to a DB role under the Vault database engine:
2023-09-29T09:10:05.323Z [WARN] (view) vault.read(database/creds/<db_role>): Error making API request. Code: 403. Error: permission denied
Is there any limitation? Is there any solution for the first scenario?
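Added example, not part of the post above and not Vault's own code: a small Python model of the two Vault rules that produce exactly the behaviour described. First, the token that Kubernetes auth returns at login carries the role's `token_policies` as a fixed list of policy names; Vault Agent keeps renewing that same token and only logs in again when the token can no longer be renewed or has been revoked, so a policy attached to the role later is invisible to the running agent. Second, policy bodies are looked up on every request, so editing a policy that the token already names takes effect immediately. The policy names (`app-kv`, `app-db`), the role name (`app`) and the path `database/creds/app-db` are constructed placeholders; the matcher only implements Vault's trailing `*` glob and its deny-wins rule.

```python
"""Model of Vault token/policy binding (added example, not Vault source).

Rule 1: a token snapshots the role's policy *names* at login.
Rule 2: policy *bodies* are read at request time.
Names, paths and policy contents below are constructed for illustration.
"""
import copy

# Constructed starting state: one role with one policy attached.
BASE_POLICIES = {"app-kv": {"secret/data/app/*": {"read"}}}
BASE_ROLES = {"app": ["app-kv"]}
DB_PATH = "database/creds/app-db"  # hypothetical database-engine creds path


class Token:
    """Token issued at login; its policy list never changes afterwards."""

    def __init__(self, policy_names):
        self.policies = list(policy_names)  # snapshot, not a live reference


def _match(pattern, path):
    """Vault-style match: exact path, or prefix when the rule ends in '*'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


class VaultModel:
    def __init__(self):
        self.policies = copy.deepcopy(BASE_POLICIES)
        self.roles = copy.deepcopy(BASE_ROLES)

    def login(self, role):
        """auth/kubernetes/login: mint a token bound to the role's policies."""
        return Token(self.roles[role])

    def write_policy(self, name, body):
        """vault policy write <name> ...: replaces the policy body in place."""
        self.policies[name] = {p: set(c) for p, c in body.items()}

    def attach_policy(self, role, name):
        """vault write auth/kubernetes/role/<role> token_policies=...,<name>"""
        self.roles[role].append(name)

    def check(self, token, path, cap):
        """ACL evaluation for one request: deny wins, otherwise any grant."""
        granted = False
        for name in token.policies:  # only the names captured at login
            for pattern, caps in self.policies.get(name, {}).items():
                if not _match(pattern, path):
                    continue
                if "deny" in caps:
                    return False
                if cap in caps:
                    granted = True
        return granted


def scenario_attach_new_policy():
    """Pod already running, then a new policy is attached to the role."""
    v = VaultModel()
    agent_token = v.login("app")  # Vault Agent logged in when the pod started
    v.write_policy("app-db", {DB_PATH: {"read"}})
    v.attach_policy("app", "app-db")
    before_restart = v.check(agent_token, DB_PATH, "read")  # 403 in the log
    after_restart = v.check(v.login("app"), DB_PATH, "read")  # fresh login
    return before_restart, after_restart


def scenario_edit_attached_policy():
    """Pod already running, then the already-attached policy is edited."""
    v = VaultModel()
    agent_token = v.login("app")
    v.write_policy("app-kv", {"secret/data/app/*": {"read"}, DB_PATH: {"read"}})
    return v.check(agent_token, DB_PATH, "read")  # works without a restart


if __name__ == "__main__":
    print("attach new policy (before, after restart):", scenario_attach_new_policy())
    print("edit attached policy, no restart:", scenario_edit_attached_policy())
```

The practical consequences follow from the model: for the first scenario the running agent needs a new login (restart the pod, or revoke the agent's token so auto-auth logs in again), or the new path can be added to a policy the role already carries, which is what the second scenario does.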