VaultAuth and Service account

Hello

I have installed Vault secret (URL: https://mysecret.local.com/) and Vault Secrets Operator.
I have configured a Kubernetes authentication method.

[image: diagram]

I created a namespace called “myapp” (corresponding to “App Namespace” in the diagram)
and the 2 custom resources in the “myapp” namespace: VaultAuth and VaultStaticSecret.

Below is the VaultAuth CR:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: static-auth
  namespace: myapp
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: monapp
    serviceAccount: myapp-vault-sa
    audiences:
      - https://mysecret.local.com/

Everything works well!
My understanding is that the Vault operator will use the service account "myapp-vault-sa" to authenticate to Vault (via the Kubernetes authentication method), and Vault needs the token corresponding to that service account to validate it on the API server.

My question:
I can’t figure out how Vault can validate the token of my service account “myapp-vault-sa”, whereas I did not create a token/secret for the service account "myapp-vault-sa".
It works, but I don’t know how it is possible without creating a token for the service account. (I already checked “kubectl get secret” etc.)
How does it work exactly?

Please help

thank you ! :slight_smile:
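As an added illustration of the question above (not code from the thread, the Vault Secrets Operator, or Vault itself): a bound service-account token does not need a Secret object, because it can be minted on demand through the Kubernetes TokenRequest API (the same thing `kubectl create token myapp-vault-sa -n myapp --audience https://mysecret.local.com/` does), with an audience and an expiry baked into its claims. The verifier then asks the API server to validate it with a TokenReview, or verifies the signature against the issuer's keys, and afterwards checks that the claims match the role's bound service account, namespace and audience. The script below builds a constructed token of that shape (placeholder signature, constructed `kid`/`uid` values; the audience, namespace and service account are the ones from the VaultAuth CR above), decodes its claims, applies those role checks, and shows the TokenReview body a verifier would post. The helper names are my own.

```python
"""Illustrative example: claim checks on a projected (bound) service-account
token. This is NOT the Vault or VSO implementation; it only shows what a
TokenRequest-minted token carries and which claims a verifier bounds."""
import base64
import json

VAULT_AUDIENCE = "https://mysecret.local.com/"   # audiences[] in the VaultAuth CR
SA_NAMESPACE = "myapp"                            # VaultAuth namespace
SA_NAME = "myapp-vault-sa"                        # spec.kubernetes.serviceAccount


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def constructed_projected_token(now: int, audience: str = VAULT_AUDIENCE,
                                ttl: int = 600) -> str:
    """Build a JWT shaped like the token the TokenRequest API returns.
    CONSTRUCTED data: the signature is a placeholder and would never verify."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    claims = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "aud": [audience],                       # bound to the requester's audience
        "iat": now,
        "exp": now + ttl,                        # short-lived, no Secret object
        "sub": f"system:serviceaccount:{SA_NAMESPACE}:{SA_NAME}",
        "kubernetes.io": {
            "namespace": SA_NAMESPACE,
            "serviceaccount": {"name": SA_NAME, "uid": "constructed-uid"},
        },
    }
    signature = b"not-a-real-signature"
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(signature)])


def decode_claims(token: str) -> dict:
    """Read the payload for inspection; this does NOT verify the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_claims(claims: dict, expected_audience: str, now: int) -> list:
    """Checks implied by a role bound to one SA, one namespace and one audience.
    A real verifier runs them only after signature validation (TokenReview or
    local verification against the issuer's public keys)."""
    problems = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_audience not in aud:
        problems.append(f"audience {aud} does not include {expected_audience}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    expected_sub = f"system:serviceaccount:{SA_NAMESPACE}:{SA_NAME}"
    if claims.get("sub") != expected_sub:
        problems.append(f"subject {claims.get('sub')} is not {expected_sub}")
    if claims.get("kubernetes.io", {}).get("namespace") != SA_NAMESPACE:
        problems.append("namespace claim mismatch")
    return problems


def token_review_body(token: str, audience: str) -> dict:
    """TokenReview a verifier POSTs to the API server at
    /apis/authentication.k8s.io/v1/tokenreviews; the server answers with
    status.authenticated and the resolved user/audiences."""
    return {
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "spec": {"token": token, "audiences": [audience]},
    }


if __name__ == "__main__":
    now = 1_700_000_000
    tok = constructed_projected_token(now)
    print(json.dumps(decode_claims(tok), indent=2))
    print("problems:", check_claims(decode_claims(tok), VAULT_AUDIENCE, now + 10))
    print("expired :", check_claims(decode_claims(tok), VAULT_AUDIENCE, now + 601))
```

Two points worth noting against the CR above: the `audiences` list in VaultAuth ends up in the token's `aud` claim, so a token minted for one audience is rejected for another, and because the token expires in minutes rather than living in a long-lived Secret, there is nothing to find under `kubectl get secret`. For the reviewing side to work at all, the Vault server must be able to reach the API server of the cluster that issued the token (or hold that issuer's public keys), which matters when Vault and the operator run in different clusters.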

Hi @raydenz ,

Are you running Vault in your Kubernetes cluster, or is Vault running external to the cluster?

Hello @jonathanfrappier

Vault Secret is running in Kubernetes cluster “A”.
Vault operator is running in Kubernetes cluster “B”.
My app namespace is in Kubernetes cluster “B”.

regards,

I think this answers your question, though obviously I don’t have insight on your specific environment. Since Vault is running in your Kubernetes cluster, it should have a service account associated with it by default. I think this Kubernetes doc explains it:

For example, here is a basic helm deployment, with no service account added by me:

server:
   affinity: ""
   ha:
      enabled: true
      raft:
         enabled: true
         setNodeId: true
         config: |
            cluster_name = "vault-integrated-storage"
            storage "raft" {
               path = "/vault/data/"
            }
            listener "tcp" {
               tls_disable = 1
               address = "[::]:8200"
               cluster_address = "[::]:8201"
            }
            service_registration "kubernetes" {}

If I look at the pod, there is an SA token injected into the filesystem:

kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh

/ $ ls /var/run/secrets/kubernetes.io/serviceaccount/token 
/var/run/secrets/kubernetes.io/serviceaccount/token

/ $ cat /var/run/secrets/kubernetes.io/serviceaccount/token 
eyJhbGciOiJSUzI1NiIsImtpZCI6ImVRNllKMFg3RFJpaExYNGI0TmFyZEZ3cWo2RHVteFFmSXN1U3Z1STZpUUUifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzQ3NDEzMjExLCJpYXQiOjE3MTU4NzcyMTEsImlzcyI
...snip...