Why does Vault require Secret object instead of using TokenRequest API?

I just started playing with Vault and noticed that Kubernetes auth works without creating a ServiceAccount secret, even though Hashicorp guides insist on creating a ServiceAccount secret up-front. Why is that?

I ran into this article, but I’m afraid I don’t get the reasoning behind such a move and the implications it has. Could anyone explain briefly, please?

I’m trying to figure out what’s the best way to use Vault, and this area confuses me a bit.


I’m guessing it’s simply that no one has rewritten the guides and Helm charts since this change in Kubernetes.

This is a very recent change. From my limited experience, when you get Kubernetes working you rarely upgrade it to anywhere near the latest version, so my guess is that it’s just not caught up.

In fact, this document helped a lot in understanding the available options.

Those guides I read are somewhat outdated. Using the local token as the reviewer JWT is, from what I understood, the easier and more modern approach, while the long-lived token approach that requires creating Secret objects for service accounts is the older approach that might still be applicable to a lot of cases, but not mine.
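Following up on the two approaches contrasted in the last post, here is an added example (not from this thread, HashiCorp, or Kubernetes) that tells a legacy long-lived service account token apart from a TokenRequest-issued bound token by inspecting its claims; the claim names follow the two Kubernetes token formats, and all sample values are constructed.

```python
import base64
import json

# Inspection only: claims are decoded without signature verification, so this
# audits which kind of token a Vault config was given; it never trusts the token.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Assemble a JWT-shaped string from claims (constructed sample data; the
    signature segment is a placeholder and is never checked here)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-sig"

def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify(token: str) -> str:
    """'legacy-long-lived': token from a kubernetes.io/service-account-token
    Secret (no exp, flat kubernetes.io/serviceaccount/* claims).
    'bound': TokenRequest / projected token (exp, aud, nested kubernetes.io)."""
    c = decode_claims(token)
    if "exp" not in c and "kubernetes.io/serviceaccount/secret.name" in c:
        return "legacy-long-lived"
    if "exp" in c and "aud" in c and isinstance(c.get("kubernetes.io"), dict):
        return "bound"
    return "unknown"

# Constructed samples of both shapes (all values are made up).
LEGACY = make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/secret.name": "vault-auth-token-xxxxx",
    "kubernetes.io/serviceaccount/service-account.name": "vault-auth",
    "sub": "system:serviceaccount:default:vault-auth",
})
BOUND = make_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": 1700003600, "iat": 1700000000, "nbf": 1700000000,
    "kubernetes.io": {"namespace": "default",
                      "serviceaccount": {"name": "vault", "uid": "sa-uid"},
                      "pod": {"name": "vault-0", "uid": "pod-uid"}},
    "sub": "system:serviceaccount:default:vault",
})
```

Running classify() over the token_reviewer_jwt stored in an existing Vault Kubernetes auth config is a quick way to see whether it still depends on a long-lived Secret-backed token.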