Vault token as a VaultDynamicSecret fails through vaultAuthRef (AWS IRSA) #1077

@plaformsre

Description

Describe the bug

  • we get a 'null' in the Kubernetes secret under the _raw data field

To Reproduce
Steps to reproduce the behavior:

  1. Deploy the application with the following YAML file containing the VSO custom resources.
  2. Any custom resources used for your secrets.
  3. ...
  4. See error (vault-secrets-operator logs, application logs, etc.)

Application deployment:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: vso-vault-token
  namespace: cert-manager
spec:
  destination:
    create: true
    name: vso-vault-token
    overwrite: true
    transformation: {}
  mount: ""
  path: auth/token/create
  refreshAfter: 360s
  renewalPercent: 67
  requestHTTPMethod: POST
  revoke: true
  vaultAuthRef: vault-irsa-auth-vso-token
status:
  lastGeneration: 2
  lastRenewalTime: 1749210887
  lastRuntimePodUID: REDACTED
  secretLease:
    duration: 0
    id: ""
    renewable: false
    requestID: REDACTED
  staticCredsMetaData:
    lastVaultRotation: 0
    rotationPeriod: 0
    ttl: 0
  vaultClientMeta:
    cacheKey: aws-REDACTED
    id: REDACTED

---

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vault-irsa-auth-vso-token
  namespace: cert-manager
spec:
  vaultConnectionRef: vault-connection-vso-token
  allowedNamespaces:
  - default
  - cert-manager
  aws:
    headerValue: vault.redacted.com
    irsaServiceAccount: vault-issuer-vso-token
    role: irsa-cert-manager
  method: aws
  mount: aws/redacted/redacted/kubernetes-dev/k8s-pod

Other useful info to include: kubectl describe deployment <app> and kubectl describe <vso-custom-resource> <app> output.

Expected behavior

  • get the Vault token retrieved, or at least the JSON payload that we should be able to filter out

Environment

  • Kubernetes version: 1.31
    • Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): EKS
    • Other configuration options or runtime services (istio, etc.):
  • vault-secrets-operator version: 1.17.2

Additional context

  • we authenticate using AWS IRSA for EKS clusters
  • we need a fresh Vault token to be returned and rotated regularly through VSO
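The following is an added triage example, not code from the issue or from the vault-secrets-operator project. It checks the reported symptom (a destination Secret whose _raw field decodes to JSON null) and shows, on a constructed Vault response, where a token created through auth/token/create actually lives: per the Vault HTTP API that endpoint returns the token material under "auth" and leaves "data" null, so any consumer that reads only "data" sees null. The Secret name and namespace are taken from the report; every other value (request IDs, accessor, token string, KV payload) is constructed.

```python
"""Triage helpers for a VaultDynamicSecret whose destination Secret holds
_raw = "null" after calling auth/token/create.

Added example, not VSO project code. Response shapes follow the Vault HTTP
API; all sample values below are constructed placeholders."""
import base64
import json

# Constructed: what Vault returns for POST auth/token/create.
# Note "data" is null and the token material sits under "auth".
SAMPLE_TOKEN_CREATE_RESPONSE = json.dumps({
    "request_id": "constructed-request-id-1",
    "lease_id": "",
    "renewable": False,
    "lease_duration": 0,
    "data": None,
    "wrap_info": None,
    "warnings": None,
    "auth": {
        "client_token": "hvs.CONSTRUCTED-PLACEHOLDER-TOKEN",
        "accessor": "constructed-accessor",
        "policies": ["default"],
        "token_policies": ["default"],
        "lease_duration": 2764800,
        "renewable": True,
        "entity_id": "",
        "token_type": "service",
        "orphan": False,
    },
})

# Constructed: a KV v2 read for contrast, where the material is under "data".
SAMPLE_KV_RESPONSE = json.dumps({
    "request_id": "constructed-request-id-2",
    "lease_id": "",
    "renewable": False,
    "lease_duration": 0,
    "data": {"data": {"api_key": "constructed-value"},
             "metadata": {"version": 1}},
    "auth": None,
})

# Constructed: the destination Secret as described in the report (_raw = "null").
SAMPLE_K8S_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "vso-vault-token", "namespace": "cert-manager"},
    "data": {"_raw": base64.b64encode(b"null").decode()},
}


def raw_field_is_null(secret):
    """True when the Secret's _raw payload decodes to JSON null (the symptom)."""
    encoded = secret.get("data", {}).get("_raw")
    if encoded is None:
        return False
    return json.loads(base64.b64decode(encoded)) is None


def locate_secret_material(raw_json):
    """Return ("data", fields), ("auth", fields) or ("none", {}) for a Vault
    response. Token-create responses land in the "auth" branch, which is why a
    consumer that only reads "data" ends up with null."""
    resp = json.loads(raw_json)
    data = resp.get("data")
    if isinstance(data, dict) and data:
        return "data", data
    auth = resp.get("auth")
    if isinstance(auth, dict) and auth:
        return "auth", auth
    return "none", {}


def summarize_auth(auth):
    """Log-safe view of an auth block: keeps metadata, never the token itself."""
    keep = ("accessor", "policies", "lease_duration", "renewable", "token_type")
    return {k: auth[k] for k in keep if k in auth}


if __name__ == "__main__":
    print("destination Secret _raw is null:", raw_field_is_null(SAMPLE_K8S_SECRET))
    for label, payload in (("auth/token/create", SAMPLE_TOKEN_CREATE_RESPONSE),
                           ("kv-v2 read", SAMPLE_KV_RESPONSE)):
        where, fields = locate_secret_material(payload)
        shown = summarize_auth(fields) if where == "auth" else sorted(fields)
        print(f"{label}: material under '{where}': {shown}")
```

Run against a live cluster by replacing SAMPLE_K8S_SECRET with the output of `kubectl get secret vso-vault-token -n cert-manager -o json`; if raw_field_is_null reports True while the VaultDynamicSecret status shows an empty lease (duration 0, id ""), the response that produced the Secret carried nothing under "data", which matches the token-create shape above.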

Labels: bug (Something isn't working)