I'm trying to integrate my AKS cluster with my HashiCorp Vault by following the countless examples online, which all seem very straightforward. However, I can't seem to get around the 403 error on the external secret. No idea what I'm missing here.
Here are the details:
--Create token secret:
kubectl create secret generic vault-token --from-literal=xxx
--Apply secret store:
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault-public-vault-replaced.replaced.z1.hashicorp.cloud:8200"
      path: "secret"
      version: "v1"
      auth:
        tokenSecretRef:
          name: "vault-token"
          key: "token"
--Secret store is valid:
NAME            AGE   STATUS   CAPABILITIES   READY
vault-backend   72s   Valid    ReadWrite      True
--Manually create secret:
vault kv put -mount=secret secret key=secret-value
=== Secret Path ===
secret/data/secret

======= Metadata =======
Key                Value
---                -----
created_time       2023-12-06T03:16:22.778004757Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2
--External secret:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: test-external-secret
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: test-external-secret
    creationPolicy: Owner
  data:
    - secretKey: test-external-secret-key
      remoteRef:
        key: secret/secret
        property: key
--External secret status:
Name:         test-external-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  external-secrets.io/v1beta1
Kind:         ExternalSecret
Metadata:
  Creation Timestamp:  2023-12-06T03:19:43Z
  Generation:          1
  Managed Fields:
    API Version:  external-secrets.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:data:
        f:refreshInterval:
        f:secretStoreRef:
          .:
          f:kind:
          f:name:
        f:target:
          .:
          f:creationPolicy:
          f:deletionPolicy:
          f:name:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2023-12-06T03:19:43Z
    API Version:  external-secrets.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
    Manager:      external-secrets
    Operation:    Update
    Subresource:  status
    Time:         2023-12-06T03:19:44Z
  Resource Version:  2182430
  UID:               e68cbb3f-05de-4eaf-bcf5-7cdebac52b3f
Spec:
  Data:
    Remote Ref:
      Conversion Strategy:  Default
      Decoding Strategy:    None
      Key:                  secret/secret
      Property:             key
    Secret Key:             test-external-secret-key
  Refresh Interval:         15s
  Secret Store Ref:
    Kind:  ClusterSecretStore
    Name:  vault-backend
  Target:
    Creation Policy:  Owner
    Deletion Policy:  Retain
    Name:             test-external-secret
Status:
  Conditions:
    Last Transition Time:  2023-12-06T03:19:44Z
    Message:               could not get secret data from provider
    Reason:                SecretSyncedError
    Status:                False
    Type:                  Ready
Events:
  Type     Reason        Age                   From              Message
  ----     ------        ----                  ----              -------
  Warning  UpdateFailed  66s (x16 over 3m52s)  external-secrets  cannot read secret data from Vault: Error making API request.

URL: GET https://vault-public-vault-replaced.replaced.z1.hashicorp.cloud:8200/v1/secret/secret
Code: 403. Errors:

* 1 error occurred:
    * permission denied
Any help would be greatly appreciated!
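The two pieces of evidence in the post point in different directions: the Vault CLI reports the secret at `secret/data/secret` (a KV v2 mount), while the operator's failing request went to `/v1/secret/secret` (the KV v1 path shape). The following added example, which is not part of the question above and is not External Secrets Operator's or Vault's own code, reproduces offline the API path an ESO Vault store would request for a given `path`/`version` and `remoteRef.key`, and then checks that path against a Vault policy. It assumes ESO's documented path rule (`<mount>/<key>` for v1, `<mount>/data/<key>` for v2, with a duplicated mount prefix in the key stripped); the policy matcher is a simplified model of Vault's ACL matching (trailing `*` glob and `+` segment wildcard, no deny rules). The server URL and the policy text are constructed placeholders.

```python
"""Offline diagnosis of an ESO -> Vault KV 403.

Added example, not from the original post. Assumptions (see lead-in):
  * ESO request path is <mount>/[data/]<key>; "data/" only for version v2.
  * Policy matching is a simplified model of Vault ACLs (trailing "*" glob,
    "+" single-segment wildcard, no deny rules, no precedence handling).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultStore:
    server: str   # spec.provider.vault.server
    path: str     # spec.provider.vault.path (the KV mount point)
    version: str  # spec.provider.vault.version: "v1" or "v2"


# Constructed placeholder values; the hostname is not the one in the post.
STORE_V1 = VaultStore("https://vault.example.test:8200", "secret", "v1")
STORE_V2 = VaultStore("https://vault.example.test:8200", "secret", "v2")
REMOTE_KEY = "secret/secret"

# Constructed sample policy: a token with only this policy can read the
# KV v2 data path but has no capability on the bare "secret/secret" path.
POLICY = """
path "secret/data/*" {
  capabilities = ["read"]
}
path "secret/metadata/*" {
  capabilities = ["list"]
}
"""


def request_path(store: VaultStore, remote_key: str) -> str:
    """Path (without the /v1/ prefix) the provider would GET for remoteRef.key."""
    mount = store.path.strip("/")
    key = remote_key.strip("/")
    if key.startswith(mount + "/"):          # tolerate "secret/secret" style keys
        key = key[len(mount) + 1:]
    if store.version == "v2" and not key.startswith("data/"):
        key = "data/" + key                  # KV v2 reads go through the data/ prefix
    return f"{mount}/{key}"


def request_url(store: VaultStore, remote_key: str) -> str:
    """Full URL, comparable to the URL printed in the UpdateFailed event."""
    return f"{store.server.rstrip('/')}/v1/{request_path(store, remote_key)}"


_RULE = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)


def parse_policy(hcl: str) -> list[tuple[str, set[str]]]:
    """Extract (path pattern, capabilities) pairs from a simple HCL policy."""
    rules = []
    for rule_path, caps in _RULE.findall(hcl):
        rules.append((rule_path, {c.strip().strip('"') for c in caps.split(",") if c.strip()}))
    return rules


def _rule_matches(rule_path: str, target: str) -> bool:
    pattern = re.escape(rule_path).replace(r"\+", "[^/]+")   # "+" = one segment
    if pattern.endswith(r"\*"):
        pattern = pattern[:-2] + ".*"                        # trailing "*" = glob
    return re.fullmatch(pattern, target) is not None


def capabilities_for(policy_hcl: str, target_path: str) -> set[str]:
    """Union of capabilities every matching rule grants on target_path (simplified)."""
    caps: set[str] = set()
    for rule_path, rule_caps in parse_policy(policy_hcl):
        if _rule_matches(rule_path, target_path):
            caps |= rule_caps
    return caps


def can_read(store: VaultStore, remote_key: str, policy_hcl: str) -> bool:
    """True if the policy grants "read" on the path the store would request."""
    return "read" in capabilities_for(policy_hcl, request_path(store, remote_key))


if __name__ == "__main__":
    for store in (STORE_V1, STORE_V2):
        url = request_url(store, REMOTE_KEY)
        verdict = "read allowed" if can_read(store, REMOTE_KEY, POLICY) else "permission denied"
        print(f"version={store.version}: GET {url} -> {verdict}")
```

Run against the constructed policy, the v1 store yields `GET .../v1/secret/secret` with no read capability, which is the shape of the 403 in the event above, while the v2 store yields `.../v1/secret/data/secret`, the path the `vault kv put` output reported. The live equivalent of the policy check is `vault token capabilities <path>` run with the same token the `vault-token` secret holds, using the exact path from the failing URL.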