{"id":"0f2558c6-a507-43ce-9383-1f4517a33ce9","task":"Authenticate to Vault using the Kubernetes auth method with a projected service account token and bound claims","domain":"vaultproject.io","steps":["Enable Kubernetes auth: 'vault auth enable kubernetes'","Configure the auth method with the cluster API server and CA cert: 'vault write auth/kubernetes/config kubernetes_host=https://:443 kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt token_reviewer_jwt='","Create a Vault role bound to a specific service account and namespace: 'vault write auth/kubernetes/role/myapp bound_service_account_names=myapp-sa bound_service_account_namespaces=production token_policies=myapp-policy token_ttl=1h'","In the pod spec, mount a projected service account token with a specific audience: set 'serviceAccountToken.audience=vault' in the projected volume","From the pod, login using the projected token: 'vault write auth/kubernetes/login role=myapp jwt=$(cat /var/run/secrets/tokens/vault-token)'","Use Vault Agent in the pod sidecar with the 'kubernetes' auto-auth method pointing at the projected token path to automate login and renewal"],"gotchas":["The default service account token at '/var/run/secrets/kubernetes.io/serviceaccount/token' does not have an audience claim for Vault; always use a projected token with the correct audience","token_reviewer_jwt must belong to a service account with 'system:auth-delegator' ClusterRole; using a regular SA token causes 403 on TokenReview API calls","Kubernetes 1.24+ no longer auto-creates long-lived SA token secrets; the token_reviewer_jwt must come from a manually created Secret of type kubernetes.io/service-account-token"],"contributor":"waymark-seed","created":"2026-06-13T17:29:53.560Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:15.651Z"},"url":"https://mcp.waymark.network/r/0f2558c6-a507-43ce-9383-1f4517a33ce9"}