Error parsing non-legacy JWT claims for service account tokens #107

Closed
ljupchokotev opened this issue Jun 2, 2021 · 1 comment
ljupchokotev commented Jun 2, 2021

We are using the Vault CSI Driver which uses the Kubernetes Auth Method on Kubernetes v1.20. The CSI driver fails with the following message when trying to authenticate:

```
URL: POST https://vault/v1/auth/kubernetes/login
Code: 400. Errors:

* 1 error occurred:
	* error running lookahead function for mfa: could not parse UID from claims
```

This error comes from here. Vault expects a kubernetes.io/serviceaccount/service-account.uid claim in the JWT, which is only true for legacy JWT claims in Kubernetes.

The Vault CSI driver uses the api/v1/namespaces/<namespace>/serviceaccounts/<serviceaccount>/token endpoint in Kubernetes to manually create a JWT for a service account and then uses that JWT to authenticate to Vault. The JWT created via this endpoint is using an updated version of the claims, so there is a new structure which Vault can't process.

Example decoded tokens:

1. Manually created JWT via the endpoint:

```json
{
  "aud": [
    "aud"
  ],
  "exp": 1622641490,
  "iat": 1622637890,
  "iss": "iss",
  "kubernetes.io": {
    "namespace": "namespace",
    "serviceaccount": {
      "name": "vault",
      "uid": "4bbf3254-3461-476d-a1f8-0bc9cc00831b"
    }
  },
  "nbf": 1622637890,
  "sub": "system:serviceaccount:namespace:vault"
}
```

2. The automatically created token when creating the service account (from the `<service-account-name>-token` secret):

```json
{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "namespace",
  "kubernetes.io/serviceaccount/secret.name": "vault-token-5qmzb",
  "kubernetes.io/serviceaccount/service-account.name": "vault",
  "kubernetes.io/serviceaccount/service-account.uid": "4bbf3254-3461-476d-a1f8-0bc9cc00831b",
  "sub": "system:serviceaccount:namespace:vault"
}
```
@ljupchokotev ljupchokotev changed the title Error parsing non-legacy JWT claims for service account token Error parsing non-legacy JWT claims for service account tokens Jun 2, 2021
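The two payloads above differ only in where the namespace, service account name and UID live: flat `kubernetes.io/serviceaccount/...` claims in the legacy secret-based token, a nested `kubernetes.io` object in the TokenRequest token. The following is an added example, not Vault's or the CSI driver's own code, of a claim parser that accepts both layouts and only fails when the identity is genuinely absent. It assumes the caller has already verified the JWT signature and audience; it deals with the decoded payload only.

```go
package main

import (
	"encoding/json"
	"errors"
)

// ServiceAccountIdentity is what the auth backend needs from a verified token.
type ServiceAccountIdentity struct{ Namespace, Name, UID string }
// boundClaims mirrors the nested "kubernetes.io" object of a TokenRequest token.
type boundClaims struct {
	Namespace      string `json:"namespace"`
	ServiceAccount struct {
		Name string `json:"name"`
		UID  string `json:"uid"`
	} `json:"serviceaccount"`
}

// ParseServiceAccountClaims reads a decoded JWT payload whose signature the caller
// has already verified, accepting both the flat legacy claims and the nested layout.
func ParseServiceAccountClaims(payload []byte) (ServiceAccountIdentity, error) {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(payload, &claims); err != nil {
		return ServiceAccountIdentity{}, err
	}
	var id ServiceAccountIdentity
	if raw, ok := claims["kubernetes.io"]; ok {
		// Non-legacy token: identity lives under kubernetes.io.serviceaccount.
		var bc boundClaims
		if err := json.Unmarshal(raw, &bc); err != nil {
			return ServiceAccountIdentity{}, err
		}
		id = ServiceAccountIdentity{bc.Namespace, bc.ServiceAccount.Name, bc.ServiceAccount.UID}
	} else {
		// Legacy token: flat string claims; a missing key leaves s empty.
		str := func(key string) (s string) {
			_ = json.Unmarshal(claims[key], &s)
			return s
		}
		id = ServiceAccountIdentity{
			str("kubernetes.io/serviceaccount/namespace"),
			str("kubernetes.io/serviceaccount/service-account.name"),
			str("kubernetes.io/serviceaccount/service-account.uid"),
		}
	}
	if id.Namespace == "" || id.Name == "" || id.UID == "" {
		return ServiceAccountIdentity{}, errors.New("could not parse service account identity from claims")
	}
	return id, nil
}
```

The empty-field check is what keeps the behaviour safe: a token that carries neither layout is rejected rather than mapped to an empty identity.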
ljupchokotev (Author) commented:

This is fixed through our enterprise support.
