Introduction
This method is useful when the Kubernetes API is not reachable from Vault, or when you want a single JWT auth mount to serve multiple Kubernetes clusters by configuring it with the public signing keys of each cluster.
Prerequisites
Retrieve cluster's JWKS URI (OIDC URL)
EKS
Retrieve the OIDC issuer URL for your Amazon EKS cluster using the AWS CLI:
aws eks describe-cluster --name my-cluster --query 'cluster.identity.oidc.issuer'
AKS
To get the OIDC issuer URL, run the az aks show command:
az aks show -n myAKScluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv
Configuration steps
1. Fetch the service account signing public key from your cluster's JWKS URI.
EKS
curl https://oidc.eks.us-east-1.amazonaws.com/id/8EBDXXXX00BAE/keys
AKS
The JWKS endpoint is published as jwks_uri in the issuer's OIDC discovery document at <issuer URL>/.well-known/openid-configuration; fetch that URL with curl in the same way.
2. Convert the keys from JWK format to PEM using a CLI tool or an online JWK-to-PEM converter. Vault's jwt_validation_pubkeys setting accepts PEM-encoded public keys, so convert every signing key listed in the JWKS.
3. Enable JWT auth method
$ vault auth enable jwt
4. Configure the JWT auth mount with those public keys from step 2.
vault write auth/jwt/config \
jwt_validation_pubkeys="-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9...
-----END PUBLIC KEY-----","-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9...
-----END PUBLIC KEY-----"
5. Create a role for JWT auth that the default service account from the default namespace can use.
vault write auth/jwt/role/my-role \
role_type="jwt" \
bound_audiences="<jwks/oidc url>" \
user_claim="sub" \
bound_subject="system:serviceaccount:default:default" \
policies="default" \
ttl="1h"
6. Pods or other clients with access to a service account JWT can then log in.
vault write auth/jwt/login \
role=my-role \
jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token
# OR equivalent to:
curl \
--request POST \
--header "X-Vault-Request: true" \
--header "X-Vault-Namespace: admin" \
--data '{"jwt":"<JWT-TOKEN-HERE>","role":"my-role"}' \
"${VAULT_ADDR}/v1/auth/jwt/login"
Additional Notes:
- Amazon EKS and Azure Kubernetes Service (AKS) rotate the OIDC signing keys automatically.
- Whenever the OIDC signing keys used by Kubernetes are rotated, repeat the process above with the new keys.
- Invalid jwt_validation_pubkeys will result in an error similar to:
error verifying token signature: no known key successfully validated the token signature
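A login attempt with a token signed by a rotated key fails with the signature error quoted above, and a token whose claims do not match the role fails in the same way without naming the claim. The following pre-flight check is an added example, not part of the original article or of Vault, that decodes a service account token locally (without verifying its signature, which Vault does at login) and reports whether its kid is among the keys loaded into jwt_validation_pubkeys and whether its sub and aud claims satisfy the role's bound_subject and bound_audiences from step 5. The tokens, key ids, issuer URL and function names are constructed for this example.

```python
# Added example (not from the original article): a read-only pre-flight check
# for the JWT login in step 6. It decodes the token's header and payload only;
# it deliberately does NOT verify the signature, since Vault does that at login.
import base64
import json

# Key ids currently loaded into jwt_validation_pubkeys (constructed sample)
LOADED_KIDS = {"example-kid-1"}

# Role bindings mirroring step 5 (constructed values; the issuer URL is a placeholder)
ROLE = {
    "bound_subject": "system:serviceaccount:default:default",
    "bound_audiences": ["https://oidc.example.invalid"],
}


def _b64url_decode(value: str) -> bytes:
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build header.payload.signature with a dummy signature (constructed test input only)."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


def parse_token(token: str):
    """Split a compact JWS and decode its header and payload without verifying."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def preflight(token: str, loaded_kids: set, role: dict) -> list:
    """Return the problems Vault would reject on; an empty list means the claims line up."""
    header, claims = parse_token(token)
    problems = []
    if header.get("kid") not in loaded_kids:
        problems.append(f"kid {header.get('kid')!r} not among loaded keys: "
                        "re-fetch the JWKS and update jwt_validation_pubkeys")
    if claims.get("sub") != role["bound_subject"]:
        problems.append(f"sub {claims.get('sub')!r} != bound_subject {role['bound_subject']!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or an array
    if not set(aud) & set(role["bound_audiences"]):
        problems.append(f"aud {aud!r} has no entry in bound_audiences {role['bound_audiences']!r}")
    return problems


# Constructed tokens: one that matches, one signed with a key id Vault does not
# have (the post-rotation case), and one from a different service account.
_GOOD_CLAIMS = {"iss": "https://oidc.example.invalid",
                "sub": "system:serviceaccount:default:default",
                "aud": ["https://oidc.example.invalid"]}
GOOD_TOKEN = make_unsigned_token({"alg": "RS256", "kid": "example-kid-1"}, _GOOD_CLAIMS)
ROTATED_KEY_TOKEN = make_unsigned_token({"alg": "RS256", "kid": "example-kid-2"}, _GOOD_CLAIMS)
WRONG_SA_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "example-kid-1"},
    {"iss": "https://oidc.example.invalid",
     "sub": "system:serviceaccount:kube-system:default",
     "aud": "https://kubernetes.default.svc"})

if __name__ == "__main__":
    for name, token in [("good", GOOD_TOKEN), ("rotated-key", ROTATED_KEY_TOKEN),
                        ("wrong-sa", WRONG_SA_TOKEN)]:
        print(name, preflight(token, LOADED_KIDS, ROLE) or "ok")
```

In practice, read the token from /var/run/secrets/kubernetes.io/serviceaccount/token and the kid set from the JWKS fetched in step 1; a kid mismatch on an otherwise valid token is the signal that the cluster has rotated its keys and steps 1, 2 and 4 need to be repeated.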
Related documentation references: