K
Q

Vault Injector with externalVaultAddr permission denied

3/27/2020

I'm trying to connect Vault injector from my AWS Kubernetes cluster and login using the injector.externalVaultAddr="http://my-aws-instance-ip:8200"

Installation:

helm install vault \
    --set='injector.externalVaultAddr=http://my-aws-instance-ip:8200' \
    /path/to/my/vault-helm

After following the necessary steps here: https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar/ and customising this:

vault write auth/kubernetes/config \
   token_reviewer_jwt="$(cat kube_token_from_my_k8s_cluster)" \
   kubernetes_host="$KUBERNETES_HOST:443" \
   kubernetes_ca_cert=@downloaded_ca_crt_from_my_k8s_cluster.crt

Now, after adding the deployment app.yaml and adding the vault annotations to read the secret/helloworld, it doesn't start my pod and shows this error on the container vault-agent-init

NAME                                READY   STATUS     RESTARTS   AGE
app-aaaaaaa-bbbb                    1/1     Running    0          34m
app-aaaaaaa-cccc                    0/2     Init:0/1   0          34m
vault-agent-injector-xxxxxx-zzzzz   1/1     Running    0          35m
$ kubectl logs -f app-aaaaaaa-cccc -c vault-agent-init
...
URL: PUT http://my-aws-instance-ip:8200/v1/auth/kubernetes/login
Code: 403. Errors:

* permission denied" backoff=2.769289902

I have also tried manually doing it in my local:

$ export VAULT_ADDR="http://my-aws-instance-ip:8200"
$ curl --request POST \
       --data "{\"role\": \"myapp\", \"jwt\": \"$(cat kube_token_from_my_k8s_cluster)\"}" \
       $VAULT_ADDR/v1/auth/kubernetes/login

# RESPONSE OUTPUT
{"errors":["permission denied"]}
-- Tami Pangadil
hashicorp-vault
kubernetes

Similar Questions

Error in Version Updation for MySQL Openshift Templates
Can't access internet from within Windows GKE pod
How to run kubectl within a job in a namespace?
Consul add Kubernetes node

0 Answers