Cloud Vault with Kubernetes auth service account

[javierguzman]

Hello all,

I have the paid cloud version of Hashi Vault and I'm trying to get my EKS cluster login properly to the vault. I configure my vault backend like this:

resource "vault_kubernetes_auth_backend_config" "connect_sa_with_vault" {
  backend                = vault_auth_backend.kubernetes.path
  kubernetes_host        = var.kubernetes_host
}

And for external-secrets I do:

spec:
      provider:
        vault:
          server: ${var.vault_address}
          path: "secret"
          namespace: "admin/${var.environment}"
          version: "v2"
          auth:
            kubernetes:
              mountPath: ${vault_auth_backend.kubernetes.path}
              role: ${vault_kubernetes_auth_backend_role.sa_vault_role.role_name}
              serviceAccountRef:
                name: ${kubernetes_service_account_v1.vault_client.metadata[0].name}
                namespace: ${kubernetes_namespace_v1.vault_namespace.metadata[0].name}

However, I keep getting 403 permission denied. I have tried to pass the "kubernetes_ca_cert" field as well without success.

On the other hand, if I create a static secret and use it instead of serviceAccountRef, and also use the token_reviewer_jwt and the kubernetes_ca_cert coming from such a token, then it works ok.

The service account has also the cluster role "system:auth-delegator".

Does anyone know what I am missing?

Thank you in advance and regards