Vault Secrets Operator Permission Denied with audience set

I’m using the Vault Secrets Operator to get a Vault Static Secret from a kv2 secrets engine using short lived service tokens and TokenReview API in a clean k0s cluster with a clean external vault installation using various tutorials including the official one. I have been getting this error in all cases that I was unable to work around until now:

auth.kubernetes.auth_kubernetes_b1a0b099: login unauthorized: err=“lookup failed: service account unauthorized; this could mean it has been deleted or recreated with a new token”

I was finally able to get it to work by removing the audience from the VaultAuth object in kubernetes and of course the corresponding one in vault kubernetes auth configuration. If I put an invalid audience that doesn’t match the one in vault, then I get a different error that references the audience as the cause. But if I put the correct one, I get the above error.

I’m not an expert, but it seems like it may not be a vault error in accessing the secret as when I manually make the calls to vault using the vault command line or curl to the API everything works with the tokens created by kubernetes. But perhaps the TokenReview API call from vault is not including the audience claim? I’m not too familiar with that process to troubleshoot much further.

My question, is there a workaround or configuration that would allow use of audiences in the short lived service token flow, or is this not supported with an external vault installation?

This is a simplified version values I’m using in the helm configuration for VSO to create a default connection and auth:

defaultVaultConnection:
  enabled: true
  address: "https://mydomain:8200"
  skipTLSVerify: false
defaultAuthMethod:
  enabled: true
  allowedNamespaces: ["*"]
  method: kubernetes
  mount: kubernetes-auth
  kubernetes:
    role: vso-operator
    serviceAccount: vso-account
    tokenAudiences: ["vault"]

And this is a simplified version of the configuration I’m applying to kubernetes to set up the service account, cluster role binding and vault static secret in a various namespaces reusing the default connection and auth, though I also tried in the vault-secrets-operator-system namespace.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: test
  name: vso-account
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vso-account
  namespace: test
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  namespace: test
  name: vso-auth-secret
spec:
  mount: kv-k8s
  type: kv-v2
  path: test
  refreshAfter: 60s
  namespace: test
  destination:
    create: true
    name: test-password

Not sure what else is relevant, but the kubernetes auth method in vault is configured with the “Disable use of local CA and service account JWT” enabled and kubernetes is using a CA that is trusted by the vault server. The vault server is using a let’s encrypt certificate for TLS generated by the router. And the vault-operator role in vault is set up with * as the bound service account and account namespace to rule those out as issues.

Do you have the audience also set in the Vault role your Kubernetes VaultStaticSecret CR is referencing? Similar to the step labeled 5 (real step 7 - we’ll get that fixed)

Correct. I believe that’s the only real place it’s set on the vault side of things.