Describe the bug
When the Vault Agent sidecar is injected into a pod that is also injected with IRSA, the token_path uses the IRSA token instead of the actual Kubernetes service account token even when configured to use the Kubernetes auth method. This prevents the Vault Agent sidecar from being able to authenticate to Vault.
To Reproduce
Steps to reproduce the behavior:
1. Deploy a pod annotated for vault-agent injection that is configured to use a service account that has an IRSA annotation.
2. Vault Agent logs will show failed authentication requests.
3. Inspecting the container's VAULT_CONFIG env variable will show that token_path is configured to use /var/run/secrets/eks.amazonaws.com/serviceaccount instead of /var/run/secrets/kubernetes.io/serviceaccount.
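A check for the symptom in step 3, written for this report and not part of vault-k8s: it decodes each agent container's VAULT_CONFIG from a pod manifest and flags a kubernetes auth method whose token_path does not point into the kubernetes.io service account mount. It assumes VAULT_CONFIG is base64-encoded agent JSON with the token path under auto_auth.method.config.token_path; the pod and paths below are constructed sample data.

```python
import base64
import json

# Directory the Kubernetes auth method should be reading its token from.
KUBE_SA_TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
OVERRIDE_ANNOTATION = "vault.hashicorp.com/auth-config-token-path"


def _agent_config(token_path):
    """Build a base64 VAULT_CONFIG value (assumed layout, constructed for the sample)."""
    cfg = {"auto_auth": {"method": {
        "type": "kubernetes", "mount_path": "auth/kubernetes",
        "config": {"role": "demo-role", "token_path": token_path}}}}
    return base64.b64encode(json.dumps(cfg).encode()).decode()


# Constructed sample: an injected pod whose IRSA token path leaked into the agent config.
SAMPLE_POD = {
    "metadata": {"name": "demo", "annotations": {"vault.hashicorp.com/agent-inject": "true"}},
    "spec": {"containers": [
        {"name": "app", "env": []},
        {"name": "vault-agent", "env": [{"name": "VAULT_CONFIG", "value": _agent_config(
            "/var/run/secrets/eks.amazonaws.com/serviceaccount/token")}]},
    ]},
}


def agent_token_path_findings(pod):
    """Return one finding per agent container using kubernetes auth with a foreign token_path."""
    findings = []
    annotations = pod.get("metadata", {}).get("annotations", {})
    override_set = OVERRIDE_ANNOTATION in annotations
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        env = {e["name"]: e.get("value", "") for e in c.get("env", [])}
        if "VAULT_CONFIG" not in env:
            continue  # not an injected agent container
        cfg = json.loads(base64.b64decode(env["VAULT_CONFIG"]))
        method = cfg.get("auto_auth", {}).get("method", {})
        token_path = method.get("config", {}).get("token_path", "")
        # An absent token_path falls back to the agent's default, so only explicit values count.
        if method.get("type") == "kubernetes" and token_path and not token_path.startswith(KUBE_SA_TOKEN_DIR):
            findings.append({"container": c["name"], "token_path": token_path,
                             "override_annotation_set": override_set})
    return findings


if __name__ == "__main__":
    print(json.dumps(agent_token_path_findings(SAMPLE_POD), indent=2))
```

Feed it the output of kubectl get pod -o json for a live pod to confirm whether the auth-config-token-path workaround annotation has taken effect.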
Expected behavior
Vault agent is able to authenticate to Vault using the Kubernetes auth method without having to specify vault.hashicorp.com/auth-config-token-path to ensure the wrong token is not used.
Environment
Kubernetes version: EKS 1.24
vault-k8s version: 1.3.1
Additional context
We discovered this problem after configuring the Vault Injector to use an external address.
The need to use vault.hashicorp.com/auth-config-token-path as a workaround is mentioned in https://github.com/hashicorp/vault-k8s/issues/456#issuecomment-1503457172, however I believe this should not have to be necessary.