Vault Secrets Operator Permission Denied

Hello,

This is probably something simple I’m missing. I’m attempting to configure JWT authentication between VSO and an external Vault service.
VaultAuth:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vaultauth-taco
  namespace: vault-dev
spec:
  jwt:
    audiences:
      - 'https://kubernetes.default.svc'
    role: vault-secrets-operator
    secretRef: vault-api-token-znksj
    tokenExpirationSeconds: 600
  kubernetes:
    audiences:
      - 'https://kubernetes.default.svc'
    role: vault-secrets-operator
    serviceAccount: vault-api
    tokenExpirationSeconds: 600
  method: jwt
  mount: kubernetes
  namespace: kubernetes
  vaultConnectionRef: vault-dev/default

VaultStaticSecret:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: mysuperawesomesecret
  namespace: vault-dev
spec:
  destination:
    create: true
    name: mysuperawesomesecret
    overwrite: false
    transformation: {}
  hmacSecretData: true
  mount: kv/
  path: taco
  refreshAfter: 60s
  type: kv-v2
  vaultAuthRef: vaultauth-taco

Error:

Failed to get Vault auth login: Error making API request. Namespace: kubernetes URL: PUT https://vault-dev.domain.com/v1/auth/kubernetes/login Code: 403. Errors: * permission denied

I’ve verified that the SA token works by calling the Vault service directly using curl. This would imply that the issue is my VSO configuration.

curl \
  --request POST \
  --data '{"jwt": "'"${token}"'", "role": "vault-secrets-operator"}' \
  https://vault-dev.domain.com/v1/auth/kubernetes/login
{"request_id":"b2ba4ebc-e088-8c37-c292-aea2e1d64afe","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"redacted","accessor":"redacted","policies":["default","vault-secrets-operator"],"token_policies":["default","vault-secrets-operator"],"metadata":{"role":"vault-secrets-operator","service_account_name":"vault-api","service_account_namespace":"vault-dev","service_account_secret_name":"","service_account_uid":"redacted"},"lease_duration":30,"renewable":true,"entity_id":"redacted","token_type":"service","orphan":true,"mfa_requirement":null,"num_uses":0},"mount_type":""}

Vault v1.17.5
VSO v0.9.0

I’ve browsed similar topics here, but can’t see the error of my ways. Any help appreciated. Many thanks.
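Added example for this post (my own script, not code from the post or from the Vault Secrets Operator project): an offline check that rebuilds the login request VSO derives from the VaultAuth above and diffs it against the curl call, then decodes a token's claims without verifying the signature to compare audience, expiry and the bound service account with what the role expects. The request shape follows the Vault HTTP API and Go client (writes go as PUT to /v1/auth/<mount>/login; X-Vault-Namespace is sent only when spec.namespace, which is a Vault namespace, is set). The spec values are copied from the VaultAuth in the post, the service-account expectations (vault-dev/vault-api) come from the curl response, and the sample tokens and fixed clock value are constructed.

```python
import base64
import json
import time

FIXED_NOW = 1_700_000_000  # constructed clock so the sample tokens are deterministic

# Values copied from the VaultAuth in the post (the curl call there sent no namespace header).
SAMPLE_VAULTAUTH_SPEC = {
    "method": "jwt",
    "mount": "kubernetes",
    "namespace": "kubernetes",
    "jwt": {"role": "vault-secrets-operator", "secretRef": "vault-api-token-znksj",
            "audiences": ["https://kubernetes.default.svc"]},
}

def _b64url_decode(part: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_sample_token(claims: dict) -> str:
    # Constructed token for offline inspection only; the signature segment is a placeholder.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "constructed"}), enc(claims), "c2lnbmF0dXJl"])

def decode_jwt_claims(token: str) -> dict:
    # Decode the payload without verifying the signature (diagnostic use only).
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))

def build_login_request(spec: dict, jwt: str) -> dict:
    # Reconstruct the login VSO performs for method "jwt": the Vault Go client
    # sends writes as PUT to /v1/auth/<mount>/login and adds X-Vault-Namespace
    # only when spec.namespace (a Vault namespace, not a Kubernetes one) is set.
    mount = spec["mount"].strip("/")
    role = spec[spec["method"]]["role"]
    headers = {"Content-Type": "application/json"}
    if spec.get("namespace"):
        headers["X-Vault-Namespace"] = spec["namespace"]
    return {"method": "PUT", "path": f"/v1/auth/{mount}/login",
            "headers": headers, "body": {"role": role, "jwt": jwt}}

def curl_request_from_post(jwt: str) -> dict:
    # What the curl command in the post sends: same path and body, no namespace header.
    return {"method": "POST", "path": "/v1/auth/kubernetes/login",
            "headers": {"Content-Type": "application/json"},
            "body": {"role": "vault-secrets-operator", "jwt": jwt}}

def request_differences(a: dict, b: dict) -> dict:
    # Where two login requests differ; the HTTP verb is ignored (Vault treats PUT and POST alike).
    diff = {}
    if a["path"] != b["path"]:
        diff["path"] = (a["path"], b["path"])
    for h in set(a["headers"]) | set(b["headers"]):
        if a["headers"].get(h) != b["headers"].get(h):
            diff[h] = (a["headers"].get(h), b["headers"].get(h))
    for k in set(a["body"]) | set(b["body"]):
        if a["body"].get(k) != b["body"].get(k):
            diff["body." + k] = (a["body"].get(k), b["body"].get(k))
    return diff

def inspect_jwt(token: str, expected_audiences, sa_namespace: str, sa_name: str, now=None) -> dict:
    # Check the claims the Vault role is matched against: audience, expiry, bound service account.
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    k8s = claims.get("kubernetes.io", {})
    return {
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "audience_matches": any(a in expected_audiences for a in aud),
        "expired": claims.get("exp", 0) <= now,
        "sa_matches": k8s.get("namespace") == sa_namespace
                      and k8s.get("serviceaccount", {}).get("name") == sa_name,
    }

def sample_tokens() -> dict:
    # Two constructed projected service-account tokens: one as the role expects, one wrong.
    base = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": "system:serviceaccount:vault-dev:vault-api",
        "iat": FIXED_NOW, "nbf": FIXED_NOW, "exp": FIXED_NOW + 600,
        "aud": ["https://kubernetes.default.svc"],
        "kubernetes.io": {"namespace": "vault-dev",
                          "serviceaccount": {"name": "vault-api", "uid": "constructed-uid"}},
    }
    stale = dict(base, aud=["vault"], exp=FIXED_NOW - 1)  # wrong audience and already expired
    return {"good": make_sample_token(base), "stale": make_sample_token(stale)}

if __name__ == "__main__":
    toks = sample_tokens()
    vso = build_login_request(SAMPLE_VAULTAUTH_SPEC, toks["good"])
    print("VSO request vs curl:", request_differences(vso, curl_request_from_post(toks["good"])))
    for name, tok in toks.items():
        print(name, inspect_jwt(tok, ["https://kubernetes.default.svc"], "vault-dev", "vault-api", now=FIXED_NOW))
```

Run as-is and the request diff shows only what VSO adds beyond the working curl (here the X-Vault-Namespace header); to check a real token, paste the JWT from the referenced secret into inspect_jwt in place of the constructed one and compare the reported audience and subject with the role's bound audiences and bound service account.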

Hello,

What is defined in your VaultConnection vault-dev/default? Is everything within the same Kubernetes namespace: connection, auth, and k8s service account? In the past, I’ve created the SA in the default namespace by mistake, and unless you explicitly granted it access to vault-dev, I don’t think it would work.