After upgrading to Kubernetes 1.21, the following error is observed in Vault:

2021-09-30T00:00:00.000Z [INFO] auth.handler: authenticating
2021-09-30T00:00:00.000Z [ERROR] auth.handler: error authenticating: error="Error making API request.
* claim "iss" is invalid" backoff=1.xxxxxxx
Prerequisites (if applicable)
- The issue starts to occur after upgrading to Kubernetes 1.21.
- You are running a Vault version prior to 1.9.x.
Cause
Starting in version 1.21, the Kubernetes BoundServiceAccountTokenVolume feature defaults to enabled. This changes the JWT token mounted into containers by default in two ways that are important for Kubernetes auth:
- It has an expiry time and is bound to the lifetime of the pod and service account.
- The value of the JWT's "iss" claim depends on the cluster's configuration.
Solutions:
- Solution 1 (recommended option): Disable issuer validation by setting the parameter disable_iss_validation to True.
- Solution 2: Alternatively, discover the cluster's issuer and set the issuer parameter to that value. However, we strongly recommend proceeding with Solution 1.
- Solution 3: Upgrade to Vault 1.9, in which disable_iss_validation is set to True by default.
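The following is an added example (not part of the original article or Vault's own tooling) that shows how to read the "iss" claim out of a mounted service account token for Solution 2 and prints the matching auth/kubernetes/config commands for Solutions 1 and 2. The token, the kubernetes_host value and the signature segment are constructed placeholders.

```shell
#!/bin/sh
set -e

# Decode one base64url segment of a JWT, restoring the '=' padding that JWTs omit.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the string value of a top-level claim from the JWT payload (2nd segment).
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Constructed sample: a bound, expiring projected token as Kubernetes 1.21 mounts it.
# The issuer is whatever the cluster is configured with; the signature is a placeholder.
SAMPLE_HEADER='{"alg":"RS256","kid":"constructed"}'
SAMPLE_PAYLOAD='{"iss":"https://kubernetes.default.svc.cluster.local","sub":"system:serviceaccount:default:vault-auth","exp":1633046400}'
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url "$SAMPLE_HEADER").$(b64url "$SAMPLE_PAYLOAD").placeholder-signature"

# Solution 1 (recommended): skip issuer validation; the token review API remains the authority.
solution1_cmd() {
  printf 'vault write auth/kubernetes/config kubernetes_host="%s" disable_iss_validation=true\n' "$1"
}

# Solution 2: pin the issuer discovered from the mounted token instead.
solution2_cmd() {
  iss=$(jwt_claim "$2" iss)
  printf 'vault write auth/kubernetes/config kubernetes_host="%s" issuer="%s"\n' "$1" "$iss"
}

solution1_cmd "https://kubernetes.example:6443"
solution2_cmd "https://kubernetes.example:6443" "$SAMPLE_TOKEN"
```

On a real pod the token to decode is the one mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.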
Additional Information
- Because the token review API is the authority, pre-validation of the token issuer is not required; the issuer field is therefore deprecated as of Vault 1.9 and will be removed at a later date. More information on the change can be found in this GitHub issue page.