Comments (12)
@calvn can you tell me how I can achieve this from within Terraform? I have tried this:
resource "vault_kubernetes_auth_backend_config" "kubernetes_auth_config" {
  backend            = vault_auth_backend.kubernetes.path
  kubernetes_host    = "https://$${KUBERNETES_PORT_443_TCP_ADDR}:443"
  kubernetes_ca_cert = "@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
  token_reviewer_jwt = "\"$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\""
}
but it gives the very same error, not a compact JWS.
from vault-plugin-auth-kubernetes.
@nitishm You're using single quotes in your data payload, which won't interpolate the cat
command execution as Brian mentioned above. You'll need to use double quotes and escape the JSON strings.
Give this a try:
curl --request POST --data "{\"jwt\": \"$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\", \"role\": \"example\"}" $VAULT_ADDR/v1/auth/kubernetes/login | jq
A more concrete example of the behavior:
› echo '"$(pwd)"'
"$(pwd)"
vs
› echo "\"$(pwd)\""
"/tmp"
from vault-plugin-auth-kubernetes.
Also reading the config does not print the reviewer token.
vault read -format=json auth/kube-example/config
{
"request_id": "c33f0370-e735-41bd-a4df-1bfcecc039fc",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----\n",
"kubernetes_host": "https://99.99.99.99",
"pem_keys": []
},
"warnings": null
}
Also on the pod:
cat /var/run/secrets/kubernetes.io/serviceaccount/token | base64 -d
{"alg":"RS256","typ":"JWT"}{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"myapplication","kubernetes.io/serviceaccount/secret.name":"myapplication-token-22zbk","kubernetes.io/serviceaccount/service-account.name":"myapplication","kubernetes.io/serviceaccount/service-account.uid":"6f431400-4342-11e8-9c86-41010a8e01a5","sub":"system:serviceaccount:myapplication:myapplication"}!Ɩvk�}hSG����:�;��k����^)�)�b�ݍ!Μ�%d�_�&�;�0��S�ǔ���u�b�'l&C^���ʌ��r�U��!�42�i��>0�y�Ê6{���"�6t����~/m�K����0�qPZ����f�
��Z�?q��7���Xo
��օ�L8�\Z�ne�0��闿lkϴ*�
����#Y�6Tu4f��p��ɢ��dX'x?�&�-L�ߪ"��7m)base64: truncated base64 input
from vault-plugin-auth-kubernetes.
Single quotes won't interpolate the cat command, instead try
"{\"jwt\": \"$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\", \"role\": \"myapplication\"}"
from vault-plugin-auth-kubernetes.
Hi, did you find a solution to this problem?
from vault-plugin-auth-kubernetes.
If I'm pasting the JWT token in the curl command then it is working, but when I'm substituting the value of jwt then it's giving me the same error.
Please let me know how you solved it.
Thanks
from vault-plugin-auth-kubernetes.
@briankassouf This problem still persists. The solution recommended doesn't seem to resolve the issue.
I have not been able to get past https://learn.hashicorp.com/vault/identity-access-management/vault-agent-k8s#step-3-verify-the-kubernetes-auth-method-configuration
~ # curl --request POST --data '{"jwt": "$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)", "role": "example"}' $VAULT_ADDR/v1/auth/kubernetes/login | jq
{
"errors": [
"not a compact JWS"
]
}
I have tried this with the vault-auth serviceaccount (as per the example), ensuring that the kubernetes/auth is configured with the same JWT token, and yet it fails.
Can I get some assistance with this?
from vault-plugin-auth-kubernetes.
Thanks @calvn. It seems to definitely be a problem with the JSON string format and the cat interpolations. I moved the body into a payload.json file and changed the request to
curl --request POST --data @payload.json $VAULT_ADDR/v1/auth/kubernetes/login | jq
and that worked.
from vault-plugin-auth-kubernetes.
Thank you @calvn for the hint. It saved my day.
However, you just need to surround $(cat ...) with single quotes again, instead of escaping the double quotes everywhere.
So "$(cat ...)"
must be "'$(cat ...)'"
curl --request POST \
--data '{"jwt": "'$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)'", "role": "myapplication"}' \
https://vault.example.com/v1/auth/kube-example/login
from vault-plugin-auth-kubernetes.
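To make the quoting discussion above concrete (calvn's echo demonstration and the single-quote-break form in the last reply), here is an added example that is not code from the issue thread or from the plugin. It builds the same request body three ways, shows what the shell actually puts in the jwt field each time, and adds a shape check for what Vault expects: a compact JWS, i.e. three dot-separated base64url segments, exactly as the token sits in the file. The token file and its contents are constructed for the example (an unsigned dummy token that grants nothing); on a pod the real path is /var/run/secrets/kubernetes.io/serviceaccount/token, and the helper names payload_single_quoted, payload_double_quoted, payload_quote_break, jwt_from_payload, is_compact_jws and payload_ok are mine.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the plugin. Shows what
# each quoting style puts into the request body and checks the jwt value
# for the shape Vault expects (compact JWS: three dot-separated base64url
# segments) before anything would be sent.
#
# Assumption: the token is read from $TOKEN_FILE. We write a constructed,
# unsigned three-segment dummy token there so the script runs offline.
TOKEN_FILE=$(mktemp)
printf '%s' 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl' > "$TOKEN_FILE"

# Single quotes: the shell does not expand $(...), so the literal text
# "$(cat ...)" becomes the jwt value. This is the body that makes Vault
# answer "not a compact JWS". (Uses the pod path from the thread; the file
# is never read here.)
payload_single_quoted() {
    echo '{"jwt": "$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)", "role": "example"}'
}

# Double quotes with escaped inner quotes: $(...) is expanded.
payload_double_quoted() {
    echo "{\"jwt\": \"$(cat "$TOKEN_FILE")\", \"role\": \"example\"}"
}

# The quote-break form from the thread: keep the JSON single-quoted and
# step out of the single quotes only around the command substitution.
# (The substitution is double-quoted here so the result is never word-split.)
payload_quote_break() {
    echo '{"jwt": "'"$(cat "$TOKEN_FILE")"'", "role": "example"}'
}

# Extract the jwt string from a body produced by the functions above.
jwt_from_payload() {
    printf '%s' "$1" | sed -n 's/.*"jwt": *"\([^"]*\)".*/\1/p'
}

# Exit 0 when the value is shaped like a compact JWS. The literal
# "$(cat ...)" text, an empty string, or a base64-decoded token all fail.
is_compact_jws() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Exit 0 when the body's jwt field passes the shape check.
payload_ok() {
    is_compact_jws "$(jwt_from_payload "$1")"
}

# Demo: print each body with its verdict.
for style in single_quoted double_quoted quote_break; do
    body=$("payload_$style")
    if payload_ok "$body"; then
        echo "$style: OK   $body"
    else
        echo "$style: BAD  $body"
    fi
done
```

Running this prints BAD for the single-quoted body and OK for the other two, which produce byte-identical JSON. Piping a body through `payload_ok` before the curl call is a cheap local check that the quoting worked, without needing a round trip to Vault to find out.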
@calvn can you tell me how I can achieve this from within Terraform? I have tried this:
resource "vault_kubernetes_auth_backend_config" "kubernetes_auth_config" {
  backend            = vault_auth_backend.kubernetes.path
  kubernetes_host    = "https://$${KUBERNETES_PORT_443_TCP_ADDR}:443"
  kubernetes_ca_cert = "@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
  token_reviewer_jwt = "\"$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\""
}
but it gives the very same error, not a compact JWS.
Do you use the decoded value? It works for me once I decoded the value via base64 -d
from vault-plugin-auth-kubernetes.
@ListentoNews did you figure this out? I am having the exact same issue
from vault-plugin-auth-kubernetes.
Maybe this will help hashicorp/terraform-provider-vault#793
from vault-plugin-auth-kubernetes.