VaultAuth and Service account


I have installed vault secret (url : and vault secret operator
I have configured a Kubernetes authentication method


I created a namespace called “myapp” (corresponding to “App Namespace” in the diagram)
and the 2 custom resources in “myapp” namespace : VaultAuth and VaultStaticSecret

Below the Vault Auth CR

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: static-auth
  namespace: myapp
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: monapp
    serviceAccount: myapp-vault-sa

Everything works well!
My understanding is that the Vault operator will use the service account "myapp-vault-sa" to authenticate on Vault (via the Kubernetes authentication method), and Vault needs the token corresponding to that service account to validate it on the API Server.

My question :
I can’t figure out how Vault can validate the token of my service account “myapp-vault-sa” when I did not create a token/secret for the service account "myapp-vault-sa".
It works, but I don’t know how it is possible without creating a token for the service account. (I already checked “kubectl get secret” etc…)
How does it work exactly?

Please help

Thank you!

Hi @raydenz ,

Are you running Vault in your Kubernetes cluster, or is Vault running external to the cluster?

Hello @jonathanfrappier

Vault Secret is running in a kubernetes cluster “A”
Vault operator is running in kubernetes cluster “B”
My app namespace is in the kubernetes cluster “B”


I think this answers your question, though obviously I don’t have insight on your specific environment. Since Vault is running in your Kubernetes cluster, it should have a service account associated with it by default. I think this Kubernetes doc explains it:

For example, here is a basic helm deployment, with no service account added by me:

server:
   affinity: ""
   ha:
      enabled: true
      raft:
         enabled: true
         setNodeId: true
         config: |
            cluster_name = "vault-integrated-storage"
            storage "raft" {
               path = "/vault/data/"
            }
            listener "tcp" {
               tls_disable = 1
               address = "[::]:8200"
               cluster_address = "[::]:8201"
            }
            service_registration "kubernetes" {}

If I look at the pod, there is a SA token injected to the filesystem

kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh

/ $ ls /var/run/secrets/ 

/ $ cat /var/run/secrets/
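
Added example, not part of the thread and not HashiCorp's code: on current Kubernetes versions a service account token does not have to live in a Secret, because short-lived bound tokens are issued on demand through the TokenRequest API (projected pod volumes and `kubectl create token` use it). The Python below decodes the claims of two constructed tokens, without verifying signatures, to show how a bound token differs from a legacy Secret-backed one. The audience `vault`, the UID and the Secret name are assumed values.

```python
import base64
import json

LEGACY = "kubernetes.io/serviceaccount/"  # claim prefix used by Secret-backed tokens

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build a constructed JWT for the demo; the signature part is a dummy."""
    header = _b64(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, _b64(json.dumps(claims).encode()), _b64(b"constructed")])

def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def describe_sa_token(jwt: str) -> dict:
    """Classify a service account token as bound (TokenRequest) or legacy (Secret)."""
    c = decode_claims(jwt)
    bound = c.get("kubernetes.io")
    if isinstance(bound, dict):  # nested claim is only present in bound tokens
        return {"kind": "bound", "namespace": bound.get("namespace"),
                "service_account": bound.get("serviceaccount", {}).get("name"),
                "audience": c.get("aud"), "lifetime_s": c["exp"] - c["iat"],
                "backing_secret": None}
    return {"kind": "legacy", "namespace": c.get(LEGACY + "namespace"),
            "service_account": c.get(LEGACY + "service-account.name"),
            "audience": None, "lifetime_s": None,  # legacy tokens carry no exp claim
            "backing_secret": c.get(LEGACY + "secret.name")}

# Constructed sample tokens (illustrative values, not taken from a real cluster).
BOUND = make_token({
    "iss": "https://kubernetes.default.svc.cluster.local", "aud": ["vault"],
    "sub": "system:serviceaccount:myapp:myapp-vault-sa",
    "iat": 1700000000, "exp": 1700000600,
    "kubernetes.io": {"namespace": "myapp",
                      "serviceaccount": {"name": "myapp-vault-sa", "uid": "constructed-uid"}}})
OLD = make_token({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:myapp:myapp-vault-sa",
    LEGACY + "namespace": "myapp", LEGACY + "service-account.name": "myapp-vault-sa",
    LEGACY + "secret.name": "myapp-vault-sa-token-abcde"})
```

A bound token reports `backing_secret` as `None`, which is why `kubectl get secret` shows nothing for the service account even though authentication succeeds.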