Vault Role Policy for K8s pods

Hello All!

I have a setup with Vault and Kubernetes. K8s pods have access to Vault via Vault Role (Kubernetes auth) with vault agent/sidecars setup.

I observed that:

  1. adding a new policy to a Vault role when the pod is in running state, the new permissions are not reflected until the pod is restarted.
  2. instead of adding a new policy and editing a policy that was attached to Vault role before pod is created, it works when pods is in running state.

Exactly, it happens when I give permission to db role under Vault database engine:

2023-09-29T09:10:05.323Z [WARN] (view)<db_role>): Error making API request. Code: 403. Error: permission denied                                                                                                                             

Is there any limitation? Is there any solution for first scenario?

Thank you!