time=X level=ERROR msg="failed to request new Vault token" app=vault-env err="unable to sign JWT for authenticating to GCP: unable to sign JWT: rpc error: code = InvalidArgument desc = Invalid form of account ID PROJECT_ID.svc.id.goog. Should be [Gaia ID |Email |Unique ID |] of the account"
Additional Information
I was able to sign in externally using an SA key directly, so Vault and the GCP auth method work.
(note: the SA key is the same GSA used for WLI in GKE's KSA)
A note: inside the pod I tried logging in with debug mode via the Vault CLI and got this error, which is weird:
/tmp # vault login -method=gcp role="read_all_secrets" jwt_exp="15m"
Error authenticating: Error making API request.
URL: PUT https://X:8200/v1/auth/gcp/login
Code: 400. Errors:
* role requires that service account JWTs expire within 900 seconds
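Added example, not code from the issue or from bank-vaults: a small Python pre-flight check for the two failures reported above. It classifies the account identifier that would be handed to IAM signJwt, so a Workload Identity pool ID such as PROJECT_ID.svc.id.goog is caught before the API call, and it compares a JWT's exp against Vault's max_jwt_exp the way the role check does. The regexes, the helper names and the service-account email and role name are constructed assumptions.

```python
import base64
import json
import re
import time

# Vault's gcp auth method (iam type) expects a service-account JWT whose "sub"
# is the Google service account (email or unique ID), whose "aud" is
# "vault/<role>", and whose "exp" lies within the role's max_jwt_exp
# (default 15 minutes = 900 seconds).
MAX_JWT_EXP_SECONDS = 900
# Simplified patterns (assumption): SA email and numeric unique ID.
SA_EMAIL_RE = re.compile(r"^[a-z][a-z0-9-]{5,29}@[a-z0-9-]+\.iam\.gserviceaccount\.com$")
UNIQUE_ID_RE = re.compile(r"^\d{15,25}$")


def classify_account_id(account_id):
    """Classify the identifier that would be passed to IAM signJwt.
    A Workload Identity pool (PROJECT_ID.svc.id.goog) is not an account."""
    if SA_EMAIL_RE.match(account_id):
        return "email"
    if UNIQUE_ID_RE.match(account_id):
        return "unique_id"
    return "invalid"


def build_claims(sa_email, role, ttl_seconds, now=None):
    """Claim set a client mints before asking IAM to sign it (constructed)."""
    now = int(time.time() if now is None else now)
    return {"sub": sa_email, "aud": f"vault/{role}", "iat": now, "exp": now + ttl_seconds}


def check_claims(claims, now, max_exp=MAX_JWT_EXP_SECONDS):
    """Pre-flight version of the role check; returns a list of problems (empty = ok).
    exp is judged against the checker's clock, so a TTL of exactly max_exp
    fails whenever the minting clock runs a few seconds ahead."""
    problems = []
    if classify_account_id(str(claims.get("sub", ""))) == "invalid":
        problems.append("sub is not a service account email or unique ID")
    if not str(claims.get("aud", "")).startswith("vault/"):
        problems.append("aud must be vault/<role>")
    if claims["exp"] - now > max_exp:
        problems.append(f"JWT expires more than {max_exp} seconds from now")
    return problems


def encode_claims(claims):
    """base64url-encode a claim set without padding (the JWT payload segment)."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_unverified_claims(jwt):
    """Read a JWT's payload without verifying the signature (diagnostics only)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

Run decode_unverified_claims on the token the client actually sends, then check_claims on the result with the Vault server's clock, to see which of the two conditions the role rejects.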
Preflight Checklist
Vault Secrets Webhook Version
1.21.0
Installation Type
Official Helm chart
Bank-Vaults Version
No response
Kubernetes Version
1.29.6
Kubernetes Distribution/Provisioner
GKE
Expected Behavior
The authentication is supposed to happen by sending the GKE WLI KSA's GSA to sign the JWT request.
Actual Behavior
It is sending the WLI pool for the GKE cluster instead.
Steps To Reproduce
Configuration
No response
Logs