hashicorp / vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
https://www.vaultproject.io/docs/auth/kubernetes.html
Mozilla Public License 2.0

Mount-level (tune) token_type is not overridden by the role's token_type #143

Closed jynolen closed 2 years ago

jynolen commented 2 years ago

Hello,

We have an issue overriding, per role, the `token_type` defined in the mount's tune section. What we want to achieve is a default token type of `batch`, with specific roles issuing `service` tokens instead. Vault does not appear to take the role's `token_type` into account, however. Here is the debugging we did:

vault version 1.8.7

vault read /auth/kubernetes/role/test-role

{
    "request_id": "8b56194d-7b50-e117-3c0c-fd60b2526d2a",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "bound_service_account_names": [<redacted>],
        "bound_service_account_namespaces": [<redacted>],
        "token_bound_cidrs": [],
        "token_explicit_max_ttl": 0,
        "token_max_ttl": 0,
        "token_no_default_policy": false,
        "token_num_uses": 0,
        "token_period": 0,
        "token_policies": [<redacted>],
        "token_ttl": 300,
        "token_type": "service"
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

vault read /sys/auth/kubernetes/tune

{
    "request_id": "8c67ade6-75c0-7428-a813-2361b990eb74",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "allowed_response_headers": [""],
        "audit_non_hmac_request_keys": [""],
        "audit_non_hmac_response_keys": [""],
        "default_lease_ttl": 2764800,
        "description": "",
        "force_no_cache": false,
        "max_lease_ttl": 2764800,
        "passthrough_request_headers": [""],
        "token_type": "batch"
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

vault write /auth/kubernetes/login jwt=<redacted> role=test-role

{
    "request_id": "307b1a4d-abb8-bc00-75fa-002ed17d5dec",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": null,
    "wrap_info": null,
    "warnings": null,
    "auth": {
        "client_token": "b.xxxxxxx<redacted>",
        "lease_duration": 300,
        "renewable": false,
        "entity_id": "79c59827-a33e-a582-9c93-a085d62865b8",
        "token_type": "batch",
        "orphan": true
    }
}

After changing the mount's `token_type` from `batch` to `service` (role unchanged apart from its own `token_type`):

vault read /auth/kubernetes/role/test-role

{
    "request_id": "8b56194d-7b50-e117-3c0c-fd60b2526d2a",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "bound_service_account_names": [<redacted>],
        "bound_service_account_namespaces": [<redacted>],
        "token_bound_cidrs": [],
        "token_explicit_max_ttl": 0,
        "token_max_ttl": 0,
        "token_no_default_policy": false,
        "token_num_uses": 0,
        "token_period": 0,
        "token_policies": [<redacted>],
        "token_ttl": 300,
        "token_type": "batch"
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

vault read /sys/auth/kubernetes/tune

{
    "request_id": "8c67ade6-75c0-7428-a813-2361b990eb74",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "allowed_response_headers": [""],
        "audit_non_hmac_request_keys": [""],
        "audit_non_hmac_response_keys": [""],
        "default_lease_ttl": 2764800,
        "description": "",
        "force_no_cache": false,
        "max_lease_ttl": 2764800,
        "passthrough_request_headers": [""],
        "token_type": "service"
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

vault write /auth/kubernetes/login jwt=<redacted> role=test-role

{
    "request_id": "307b1a4d-abb8-bc00-75fa-002ed17d5dec",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": null,
    "wrap_info": null,
    "warnings": null,
    "auth": {
        "client_token": "s.xxxxxxx<redacted>",
        "lease_duration": 300,
        "renewable": false,
        "entity_id": "79c59827-a33e-a582-9c93-a085d62865b8",
        "token_type": "service",
        "orphan": true
    }
}
jynolen commented 2 years ago

OK, found my mistake: the mount-level `token_type` should be `default-batch` rather than `batch`. On the mount tune, `batch` and `service` are hard overrides that force that token type for every role on the mount (which is why the role's `token_type` was ignored in the output above), whereas `default-batch` / `default-service` only set the default and let a role's own `token_type` take precedence. Worth double-checking after tuning, as done here, with `vault read sys/auth/<mount>/tune` plus a test login against a role that sets the other type, to confirm the override actually takes effect. The documentation isn't very obvious about this distinction, sadly :/