We are using the Vault CSI Driver which uses the Kubernetes Auth Method on Kubernetes v1.20. The CSI driver fails with the following message when trying to authenticate:
URL: POST https://vault/v1/auth/kubernetes/login
Code: 400. Errors:
* 1 error occurred:
* error running lookahead function for mfa: could not parse UID from claims
This error comes from here. Vault expects a kubernetes.io/serviceaccount/service-account.uid claim in the JWT, which is only true for legacy JWT claims in Kubernetes.
The Vault CSI driver uses the api/v1/namespaces/<namespace>/serviceaccounts/<serviceaccount>/token endpoint in Kubernetes to manually create a JWT for a service account and then uses that JWT to authenticate to Vault. The JWT created via this endpoint is using an updated version of the claims, so there is a new structure which Vault can't process.
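To make the two claim layouts the issue contrasts concrete, here is an added Python example (not Vault's or the CSI driver's code) using constructed, unsigned sample tokens: `legacy_only_uid` reproduces the flat-claim lookup the error message implies, while `service_account_uid` also reads the nested `kubernetes.io.serviceaccount.uid` claim that tokens issued through the TokenRequest API carry.

```python
import base64
import json

# Constructed sample claim sets (not real cluster tokens). The flat layout is the
# legacy one the issue says Vault expects; the nested layout is what the
# TokenRequest API (bound / projected tokens) issues.
LEGACY_CLAIMS = {
    "sub": "system:serviceaccount:default:vault-csi",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "vault-csi",
    "kubernetes.io/serviceaccount/service-account.uid": "1f2e3d4c-0000-4000-8000-000000000001",
}
BOUND_CLAIMS = {
    "sub": "system:serviceaccount:default:vault-csi",
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {
        "namespace": "default",
        "serviceaccount": {"name": "vault-csi", "uid": "1f2e3d4c-0000-4000-8000-000000000002"},
    },
}

def encode_unsigned_jwt(claims: dict) -> str:
    """Build 'header.payload.' with an empty signature, purely for offline inspection."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."

def decode_claims(token: str) -> dict:
    """Decode the payload segment only; signature verification is the server's job."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def legacy_only_uid(claims: dict) -> str:
    """The lookup the issue describes: only the flat legacy claim is consulted."""
    uid = claims.get("kubernetes.io/serviceaccount/service-account.uid")
    if not isinstance(uid, str) or not uid:
        raise ValueError("could not parse UID from claims")
    return uid

def service_account_uid(claims: dict) -> str:
    """Tolerant lookup: legacy flat claim first, then the nested bound-token claim."""
    uid = claims.get("kubernetes.io/serviceaccount/service-account.uid")
    nested = claims.get("kubernetes.io")
    if uid is None and isinstance(nested, dict):
        uid = (nested.get("serviceaccount") or {}).get("uid")  # assumes a dict here
    if not isinstance(uid, str) or not uid:
        raise ValueError("could not parse UID from claims")
    return uid
```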
ljupchokotev changed the title from "Error parsing non-legacy JWT claims for service account token" to "Error parsing non-legacy JWT claims for service account tokens" on Jun 2, 2021