For cases where we want to make use of short-lived k8s service account tokens, it would make sense to pass also the token_reviewer_jwt as parameter to the login endpoint. So that we pass two tokens:
jwt = k8s service account token jwt for authenticating with vault (including an appropriate audience for vault)
token_reviewer_jwt = k8s service account token jwt for authenticating with kubernetes tokenreview api (including an appropriate audience for kubernetes)
See code for reference:
https://github.com/hashicorp/vault-plugin-auth-kubernetes/blob/6f9c733333c1d5f86166db8db0016eda7bfb21bf/path_login.go#L92
https://github.com/hashicorp/vault-plugin-auth-kubernetes/blob/6f9c733333c1d5f86166db8db0016eda7bfb21bf/path_login.go#L148
https://github.com/hashicorp/vault-plugin-auth-kubernetes/blob/6f9c733333c1d5f86166db8db0016eda7bfb21bf/token_review.go#L69-L75
As an example, this issue in cert-manager for reference: https://github.com/cert-manager/cert-manager/issues/6150#issuecomment-1734441601
Related cert-manager code
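The two-token login described in this issue, as an added example that is not part of the issue author's text and not code from vault-plugin-auth-kubernetes or cert-manager. It assumes the requested `token_reviewer_jwt` login parameter exists (it is the feature being asked for), assumes the audience strings `vault` and `https://kubernetes.default.svc`, and adds one rule of its own that the issue does not state: each token must carry exactly one of the two audiences, so the token Vault receives cannot be replayed against the TokenReview API and the reviewer token cannot be used to log in to Vault. The tokens are constructed and unsigned, for local testing only; in a cluster they would come from `kubectl create token <sa> --audience=...` or a projected volume.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of service account token claims checked before login.
type Claims struct {
	Audiences []string
	Subject   string
	Expiry    time.Time
}

// DecodeClaims reads a JWT payload WITHOUT verifying the signature. That is
// deliberate: this is a client-side preflight; Vault and the TokenReview API
// do the real verification. Never use these claims for authorization.
func DecodeClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var raw struct {
		Aud json.RawMessage `json:"aud"`
		Sub string          `json:"sub"`
		Exp int64           `json:"exp"`
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return nil, fmt.Errorf("parse payload: %w", err)
	}
	if raw.Exp == 0 {
		// Legacy secret-based SA tokens have no exp; short-lived projected
		// tokens are exactly what this login flow is meant to use instead.
		return nil, errors.New("token has no exp claim (long-lived token?)")
	}
	c := &Claims{Subject: raw.Sub, Expiry: time.Unix(raw.Exp, 0)}
	var single string // "aud" may be a JSON string or an array of strings
	if err := json.Unmarshal(raw.Aud, &single); err == nil {
		c.Audiences = []string{single}
	} else if err := json.Unmarshal(raw.Aud, &c.Audiences); err != nil {
		return nil, errors.New("aud claim is neither a string nor an array")
	}
	return c, nil
}

// HasAudience reports whether aud is one of the token's audiences.
func (c *Claims) HasAudience(aud string) bool {
	for _, a := range c.Audiences {
		if a == aud {
			return true
		}
	}
	return false
}

// checkToken enforces: not expired, bound to wantAud, and NOT bound to
// forbidAud, so each token is usable against exactly one of the two services.
func checkToken(name, token, wantAud, forbidAud string, now time.Time) error {
	c, err := DecodeClaims(token)
	if err != nil {
		return fmt.Errorf("%s: %w", name, err)
	}
	if !c.Expiry.After(now) {
		return fmt.Errorf("%s: expired at %s", name, c.Expiry.UTC().Format(time.RFC3339))
	}
	if !c.HasAudience(wantAud) {
		return fmt.Errorf("%s: missing audience %q (has %v)", name, wantAud, c.Audiences)
	}
	if c.HasAudience(forbidAud) {
		return fmt.Errorf("%s: must not also carry audience %q", name, forbidAud)
	}
	return nil
}

// BuildLoginBody assembles the JSON body for the proposed two-token login.
// The token_reviewer_jwt login parameter is the feature request, not
// something the plugin accepts today (assumption for this example).
func BuildLoginBody(role, jwt, reviewerJWT, vaultAud, k8sAud string, now time.Time) ([]byte, error) {
	if err := checkToken("jwt", jwt, vaultAud, k8sAud, now); err != nil {
		return nil, err
	}
	if err := checkToken("token_reviewer_jwt", reviewerJWT, k8sAud, vaultAud, now); err != nil {
		return nil, err
	}
	return json.Marshal(map[string]string{"role": role, "jwt": jwt, "token_reviewer_jwt": reviewerJWT})
}

// MakeUnsignedToken builds a constructed, UNSIGNED JWT for local testing only.
func MakeUnsignedToken(sub string, aud []string, exp time.Time) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." +
		enc(map[string]any{"sub": sub, "aud": aud, "exp": exp.Unix()}) + "."
}

func main() {
	now := time.Now()
	sub := "system:serviceaccount:cert-manager:cert-manager" // constructed subject
	jwt := MakeUnsignedToken(sub, []string{"vault"}, now.Add(10*time.Minute))
	reviewer := MakeUnsignedToken(sub, []string{"https://kubernetes.default.svc"}, now.Add(10*time.Minute))
	body, err := BuildLoginBody("cert-manager", jwt, reviewer, "vault", "https://kubernetes.default.svc", now)
	if err != nil {
		fmt.Println("preflight failed:", err)
		return
	}
	fmt.Println(string(body)) // would be POSTed to auth/kubernetes/login
}
```

The audience split is the whole point of the request: today the plugin falls back to its own configured reviewer credentials (or the login token itself), so a short-lived login token with only a Vault audience cannot be reused for the TokenReview call; sending a second token minted for the API server's audience keeps both tokens narrowly scoped and short-lived.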