Problem
Having connected an Amazon Elastic Kubernetes Service (EKS) cluster to HCP Vault, you may receive a permission denied error like the one below when logging in to Vault with the Kubernetes auth method:
[ERROR] auth.handler: error authenticating:
error=
| Error making API request.
|
| URL: PUT $VAULT_ADDR/v1/admin/auth/kubernetes/login
| Code: 403. Errors:
|
| * permission denied
Cause
- This can occur when the Kubernetes API server endpoint access is configured as public and private with an explicit list of source CIDRs.
- This can also occur if access to the EKS cluster's API endpoint is restricted by a security group that does not allow the HCP Vault cluster's source addresses.
Solution
- Consider setting the cluster endpoint access to private only.
- Ensure your security group rules allow access from the HCP Vault cluster (the HVN CIDR) to the EKS cluster's API endpoint.
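The following Python script is added here as an example and is not part of this article or of HCP Vault; it checks a cluster's endpoint and security-group configuration against the two causes above and shows the corrected settings. The cluster and security-group data are constructed samples shaped like `aws eks describe-cluster` and `aws ec2 describe-security-groups` output, and the HVN CIDR is an assumed value.

```python
import copy
import ipaddress
# All values below are constructed samples (not from a real account); the HVN CIDR is assumed.
HVN_CIDR = "172.25.16.0/20"
# Shaped like the relevant part of `aws eks describe-cluster` output.
CLUSTER = {"cluster": {"resourcesVpcConfig": {
    "clusterSecurityGroupId": "sg-0123456789abcdef0",
    "endpointPublicAccess": True,   # public and private with explicit sources
    "endpointPrivateAccess": True,
    "publicAccessCidrs": ["203.0.113.0/24"],
}}}
# Shaped like `aws ec2 describe-security-groups` IpPermissions, keyed by group id.
SECURITY_GROUPS = {"sg-0123456789abcdef0": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},  # cluster VPC only, not the HVN
]}

def cidr_covered(source, allowed):
    """True if every address in `source` lies inside one of the `allowed` CIDRs."""
    src = ipaddress.ip_network(source, strict=False)
    return any(src.subnet_of(ipaddress.ip_network(c, strict=False)) for c in allowed)

def sg_allows_https(permissions, source):
    """True if an ingress rule admits TCP/443 (the EKS API port) from `source`."""
    for perm in permissions:
        proto = perm.get("IpProtocol")
        port_ok = proto == "-1" or (proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535))
        if port_ok and cidr_covered(source, [r["CidrIp"] for r in perm.get("IpRanges", [])]):
            return True
    return False

def diagnose(cluster, security_groups, hvn_cidr):
    """Return the reasons (per the Cause section) a login from the HVN may be denied."""
    vpc = cluster["cluster"]["resourcesVpcConfig"]
    findings = []
    if not vpc.get("endpointPrivateAccess"):
        findings.append("endpointPrivateAccess is false: enable private endpoint access")
    if vpc.get("endpointPublicAccess"):
        findings.append("endpointPublicAccess is true: set endpoint access to private only")
    if not sg_allows_https(security_groups.get(vpc["clusterSecurityGroupId"], []), hvn_cidr):
        findings.append(f"cluster security group has no TCP/443 ingress rule covering {hvn_cidr}")
    return findings

def remediate(cluster, security_groups, hvn_cidr):
    """Return copies with the Solution applied: private-only endpoint, HVN allowed on 443."""
    fixed_cluster, fixed_sgs = copy.deepcopy(cluster), copy.deepcopy(security_groups)
    vpc = fixed_cluster["cluster"]["resourcesVpcConfig"]
    vpc.update({"endpointPublicAccess": False, "endpointPrivateAccess": True, "publicAccessCidrs": []})
    fixed_sgs.setdefault(vpc["clusterSecurityGroupId"], []).append(
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": hvn_cidr}]})
    return fixed_cluster, fixed_sgs
```

Running `diagnose` on the sample reports both causes; running it again on the output of `remediate` reports none.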
Limitations and Known Issues
HashiCorp Virtual Network (HVN) currently does not allow non-private CIDR ranges for HVNs, as described here.
As such, public cluster endpoint access is not recommended: you would not be able to allow-list a public CIDR range for access to your EKS API endpoint, which leaves your EKS cluster accessible to anyone over the internet.