I'm trying to read secrets from Vault using CLI using the following commands:

JWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
vault write auth/kubernetes/login role="${K8S_ROLE_IDENTIFIER}" jwt="${JWT}"

When calling vault write, I am getting the following:

'Error writing data to auth/kubernetes/login: Error making API request.\n'
'URL: PUT https://...:8200/v1/auth/kubernetes/login\n'
'Code: 400. Errors:\n'
'* missing client token\n'

The token is actually there. I was able to echo JWT but I am still getting missing client token error.

Any ideas?

Thank you!

briba

3 Answers

In this situation, the thrown error message is not referring to the JSON Web Token. The error message is referring to the lack of Vault client authentication. This authentication, regardless of method, eventually involves generating a bound token for authentication.

To remedy this error, you need to authenticate your Vault client with a token or other method. This authentication also requires an attached policy which would authorize enabling the Kubernetes authentication engine, or else the next error will be authorization related.

Matthew Schuchard
  • I was able to do this reading client_token from vault write and exporting to VAULT_TOKEN :) – briba Jan 20 '22 at 08:21
Here's the solution:

# Log in through the Kubernetes auth method mounted at auth/${VAULT_PATH},
# keep only the issued token (it sits under .auth, not .data) and export it
# so that later vault commands in this shell use it
VAULT_TOKEN=$(vault write -format="json" \
  auth/"${VAULT_PATH}"/login \
  role="${K8S_ROLE_IDENTIFIER}" \
  jwt="${JWT}" \
  | jq -r '.auth["client_token"]')
export VAULT_TOKEN
briba
Optimizing briba's solution by using the -field=token option instead of depending on another command like jq:

# -field=token prints the issued token by itself, so no jq filter is needed;
# export it so that later vault commands in this shell use it
VAULT_TOKEN=$(vault write -format="json" \
  auth/"${VAULT_PATH}"/login \
  role="${K8S_ROLE_IDENTIFIER}" \
  jwt="${JWT}" -field=token)
export VAULT_TOKEN
Abdennour TOUMI
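The two CLI answers above hide what `vault write auth/<mount>/login` actually sends and receives. The following Python script is an added example, not code from the question or any of the answers: it performs the same Kubernetes auth login over Vault's HTTP API (the `PUT .../v1/auth/<mount>/login` call visible in the question's error output), parses the response the way the `jq` filter `.auth["client_token"]` does, and turns an error payload such as `{"errors": ["missing client token"]}` into a readable exception. It reuses the `VAULT_PATH` and `K8S_ROLE_IDENTIFIER` variable names from the thread; the function names, the `VAULT_ADDR` variable and the sample responses used in comments are assumptions, and the script needs only the standard library.

```python
"""Kubernetes auth login against Vault's HTTP API (added example, not from the thread).

Mirrors `vault write auth/<mount>/login role=... jwt=...` so that the mount path,
the unauthenticated login call and the location of the issued token are explicit.
VAULT_PATH and K8S_ROLE_IDENTIFIER come from the thread; VAULT_ADDR and all
function names are assumptions of this example.
"""
import json
import os
import urllib.error
import urllib.request

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def read_service_account_token(path=SA_TOKEN_PATH):
    """Read the projected service-account JWT; strip whitespace so a trailing
    newline can never be sent as part of the token."""
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


def build_login_request(vault_addr, mount, role, jwt):
    """Return (url, body) for the login call.

    The mount path is part of the URL: a method mounted at auth/k8s-prod/ is not
    reachable at auth/kubernetes/login, which is why the answers parametrise it
    as VAULT_PATH. Login endpoints are unauthenticated, so this request carries
    no X-Vault-Token header; the JWT travels in the body as the `jwt` field.
    """
    url = f"{vault_addr.rstrip('/')}/v1/auth/{mount.strip('/')}/login"
    body = {"role": role, "jwt": jwt}
    return url, body


def extract_client_token(response):
    """Pull the issued token out of a login response.

    The token lives under `auth`, not `data`; this is what the jq filter
    .auth["client_token"] selects. A payload without an `auth` block is an error
    response, so its `errors` list is surfaced instead of a KeyError.
    """
    if "errors" in response and not response.get("auth"):
        raise RuntimeError("Vault error: " + "; ".join(response["errors"]))
    auth = response.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise RuntimeError("login response carried no auth.client_token")
    return token


def login(vault_addr, mount, role, jwt, timeout=10):
    """Perform the login and return the client token (this one talks to Vault)."""
    url, body = build_login_request(vault_addr, mount, role, jwt)
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as e:
        # Vault answers 4xx with a JSON {"errors": [...]} body; parse it so the
        # message (for example "missing client token") is shown, not just the code.
        try:
            payload = json.load(e)
        except ValueError:
            raise RuntimeError(f"HTTP {e.code} from {url} with non-JSON body") from e
    return extract_client_token(payload)


if __name__ == "__main__":
    token = login(
        os.environ["VAULT_ADDR"],
        os.environ.get("VAULT_PATH", "kubernetes"),
        os.environ["K8S_ROLE_IDENTIFIER"],
        read_service_account_token(),
    )
    # Print only the token so a shell can do: export VAULT_TOKEN=$(python3 login.py)
    print(token)
```

Run inside the pod with `VAULT_ADDR`, `VAULT_PATH` and `K8S_ROLE_IDENTIFIER` set; the script prints nothing but the token, so `export VAULT_TOKEN=$(python3 login.py)` gives later `vault` commands the same session the two CLI answers produce. Keeping the request builder and the response parser separate from the network call means the path and field handling can be checked without a running Vault.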