What does audience do and can I remove it?

Hello all,

I’m wondering about a field in the Vault role definition called “audience”. What does it do? Is it safe to leave this field empty?

Right now we’re using vault-secrets-operator, configuring the role audience as “vault”, and in the vault-auth object we have to find the Kubernetes issuer, something like “https://kubernetes.default.svc.cluster.local” or “https://container.googleapis.com/v1/projects/project/locations/us-east4/clusters/gcp-cluster”. However, for some clusters it’s hard to find such a value from the /var/run/secrets/kubernetes.io/serviceaccount/token file, in which the issuer will be “kubernetes/serviceaccount”, which is not what we desire.

So we’re thinking about removing the audience part in both the role def and vault-auth, but we don’t know of any side effects of doing this. And the documents regarding this field are not that detailed. Could you please answer the above questions? Thanks!
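
Added example, not part of the original post: a small Python helper that decodes a service account token's claims without verifying the signature, so the "iss" and "aud" values discussed above can be read directly for a given cluster. The sample tokens are constructed and unsigned; the function names and the default expected audience "vault" (the value the post configures) are assumptions of this example.

```python
import base64
import json

LEGACY_ISSUER = "kubernetes/serviceaccount"  # issuer value quoted in the post

def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def summarize(token: str, expected_audience: str = "vault") -> dict:
    """Report the claims that matter when comparing a token to a role's audience."""
    claims = decode_claims(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # "aud" may be a single string or a list
        aud = [aud]
    return {
        "issuer": claims.get("iss"),
        "audiences": aud,
        "legacy_token": claims.get("iss") == LEGACY_ISSUER,
        "has_expected_audience": expected_audience in aud,
        "expires": "exp" in claims,
    }

def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"

# Constructed samples: one with issuer URL and audience, one in the legacy shape.
SAMPLE_PROJECTED = make_sample({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["vault"],
    "exp": 1900000000,
    "sub": "system:serviceaccount:demo:app",
})
SAMPLE_LEGACY = make_sample({"iss": LEGACY_ISSUER, "sub": "system:serviceaccount:demo:app"})

if __name__ == "__main__":
    for name, tok in (("projected", SAMPLE_PROJECTED), ("legacy", SAMPLE_LEGACY)):
        print(name, summarize(tok))
```

To inspect a real token, pass the contents of the token file to summarize(); the output contains claims only, never the token itself.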