Introduction
This article uses Amazon Elastic Kubernetes Service (EKS) as an example, but the limitations discussed are not limited to EKS.
Problem
Having connected an Amazon Elastic Kubernetes Service (EKS) cluster to HCP Vault, when you try to log in to Vault using the Kubernetes auth method, you may receive a permission denied error message like the one below:
[ERROR] auth.handler: error authenticating:
error=
| Error making API request.
|
| URL: PUT $VAULT_ADDR/v1/admin/auth/kubernetes/login
| Code: 403. Errors:
|
| * permission denied
Cause
- This can occur when access to the EKS cluster's API server endpoint is configured as both public and private with explicit source CIDR ranges.
- This can also occur if access to the EKS cluster's API endpoint is restricted by a security group.
Solution
- Consider setting the cluster endpoint access to private only.
- Ensure your security group rules allow access from the Vault cluster to the EKS cluster's API endpoint.
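To check an existing cluster for the two causes above before changing anything, the following Python script (an added example, not part of this article or of any HashiCorp or AWS tooling) evaluates the endpoint access settings and the security group ingress rules as they appear in the output of `aws eks describe-cluster` (resourcesVpcConfig) and `aws ec2 describe-security-groups` (IpPermissions). The JSON samples and the HVN CIDR are constructed placeholders; replace them with your own output.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws eks describe-cluster` resourcesVpcConfig
# and `aws ec2 describe-security-groups` IpPermissions. Not real cluster data.
SAMPLE_VPC_CONFIG = json.loads("""{
  "endpointPublicAccess": true,
  "endpointPrivateAccess": true,
  "publicAccessCidrs": ["203.0.113.0/24"]
}""")
SAMPLE_SG_INGRESS = json.loads("""[
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}
]""")
HVN_CIDR = "172.25.16.0/20"  # placeholder HVN CIDR; HVNs use private ranges


def sg_allows_https_from(ingress, cidr):
    """True if some ingress rule admits TCP/443 from the whole given CIDR."""
    src = ipaddress.ip_network(cidr)
    for rule in ingress:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" means all protocols/ports
            continue
        if proto == "tcp" and not (
            rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535)
        ):
            continue
        for r in rule.get("IpRanges", []):
            if src.subnet_of(ipaddress.ip_network(r["CidrIp"])):
                return True
    return False


def diagnose(vpc_config, ingress, hvn_cidr):
    """Return the findings that explain a 403 from the Kubernetes auth login."""
    findings = []
    public = vpc_config.get("endpointPublicAccess", False)
    private = vpc_config.get("endpointPrivateAccess", False)
    cidrs = vpc_config.get("publicAccessCidrs", [])
    if public and private and cidrs != ["0.0.0.0/0"]:
        findings.append("endpoint is public+private with explicit source CIDRs; "
                        "set endpoint access to private only")
    elif public and not private:
        findings.append("endpoint is public only; HVN private CIDR cannot be "
                        "allow-listed, so set endpoint access to private only")
    if not sg_allows_https_from(ingress, hvn_cidr):
        findings.append(f"no security group rule allows TCP/443 from {hvn_cidr}")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_VPC_CONFIG, SAMPLE_SG_INGRESS, HVN_CIDR):
        print("FINDING:", f)
```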
Limitations and Known Issues
HashiCorp Virtual Network (HVN) currently does not allow non-private CIDR ranges for HVNs, as described here.
As such, public cluster endpoint access is not recommended: you would not be able to whitelist a public CIDR range for access to your EKS API endpoint, which leaves your EKS cluster accessible to anyone over the internet.