Injected config tries to use IRSA token instead of the k8s service account token #544

ghost · 2023-11-01T02:44:30Z

Describe the bug
When the Vault Agent sidecar is injected into a pod that is also injected with IRSA, the token_path uses the IRSA token instead of the actual Kubernetes service account token even when configured to use the Kubernetes auth method. This prevents the Vault Agent sidecar from being able to authenticate to Vault.

To Reproduce
Steps to reproduce the behavior:

Deploy pod annotated for vault-agent injection that is configured to use a service account that has an IRSA annotation.
Vault Agent logs will show failed authentication requests
Inspecting the containers VAULT_CONFIG env variable will show that token_path is configured to use /var/run/secrets/eks.amazonaws.com/serviceaccount instead of var/run/secrets/kubernetes.io/serviceaccount.

Expected behavior
Vault agent is able to authenticate to Vault using the Kubernetes auth method without having to specify vault.hashicorp.com/auth-config-token-path to ensure the wrong token is not used.

Environment

Kubernetes version:
- EKS 1.24
vault-k8s version:
- 1.3.1

Additional context
We discovered this problem after configuring the Vault Injector to use an external address.

The need to use vault.hashicorp.com/auth-config-token-path as a workaround is mentioned in #456 (comment), however I believe this should not have to be necessary.

The text was updated successfully, but these errors were encountered:

… variables and flags Also fixes using AWS IRSA token by mistake if both included in the pod's volume hashicorp#544 This maybe a better fix then the proposed hashicorp#545 pull request as this is likely more future-proof to other third party k8s provider launching their own Service Account Token injection, assuming the third party k8s provider will follow the unsaid convention of injecting the token in the <third.party.url>/serviceaccount/token path

…orp#577 Also fixes using AWS IRSA token by mistake if both included in the pod's volume hashicorp#544 This maybe a better fix then the proposed hashicorp#545 pull request as this is likely more future-proof to other third party k8s provider launching their own Service Account Token injection, assuming the third party k8s provider will follow the unsaid convention of injecting the token in the <third.party.url>/serviceaccount/token path

ghost added the bug Something isn't working label Nov 1, 2023

ghost changed the title ~~Injected config tries to use IRSA token instead of the k8s service account token.~~ Injected config tries to use IRSA token instead of the k8s service account token Nov 1, 2023

ghost mentioned this issue Nov 1, 2023

fix: prevent using IRSA token for Kubernetes auth #545

Open

uchanchlani mentioned this issue Jan 17, 2024

Auth config block supports common arguments from env and flags #577

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Injected config tries to use IRSA token instead of the k8s service account token #544

Injected config tries to use IRSA token instead of the k8s service account token #544

ghost commented Nov 1, 2023 •

edited by ghost

Loading

Injected config tries to use IRSA token instead of the k8s service account token #544

Injected config tries to use IRSA token instead of the k8s service account token #544

Comments

ghost commented Nov 1, 2023 • edited by ghost Loading

ghost commented Nov 1, 2023 •

edited by ghost

Loading