vault-csi-provider
mounting from Vault fails with "invalid role name"
I am trying to get started with Secrets Store CSI Driver, Vault provider, and Vault. In my Vault, I have auth/approle/role/my-role defined; and in my Kubernetes, there is a SecretProviderClass with roleName: my-role.
Yet, the pod that references this SecretProviderClass currently cannot start (status: ContainerCreating); kubectl describe pod indicates the following error:
invalid role name "my-role" Warning FailedMount ... kubelet Unable to attach or mount volumes:
unmounted volumes=[...], unattached volumes=[], failed to process volumes=[]: timed out waiting for the condition
What could cause the error invalid role name and how can I learn further details? I have found one reference, but it is probably unrelated.
I'm afraid only Kubernetes and JWT methods are supported at the moment: https://developer.hashicorp.com/vault/docs/platform/k8s/csi#authenticating-with-vault. If you still get the same error with those, please do post your SecretProviderClass config alongside the steps you went through to set up Vault and I can help debug further.
I see: so roleName: 'app' apparently led me down the wrong path, namely Vault's approle auth method. But I now see that "The pod's service account must be bound to a Vault role and a policy granting access to the secrets desired" also refers to a Vault role (independently of approle).
I will try again with the kubernetes auth method and will close the issue if/when this succeeds (and if that's okay with you). Thanks for your quick response.
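The pairing the replies above arrive at, as an added example that is not part of the original thread or the project's own documentation: `roleName` names a role under Vault's Kubernetes auth method, bound to the pod's service account. Every name except `my-role` (service account, namespace, policy, Vault address, secret path) is constructed for illustration.

```yaml
# Vault side, run once by an operator (shown as comments; values are constructed):
#
#   vault auth enable kubernetes
#   vault write auth/kubernetes/config \
#       kubernetes_host="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT"
#   vault write auth/kubernetes/role/my-role \
#       bound_service_account_names=my-app-sa \
#       bound_service_account_namespaces=default \
#       policies=my-app-read \
#       ttl=20m
#
# The role lives at auth/kubernetes/role/my-role. A role that exists only at
# auth/approle/role/my-role is a separate object under a different auth method.
# The policy my-app-read (assumed to exist) must grant read on the secret path below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app-sa          # must match bound_service_account_names
  namespace: default       # must match bound_service_account_namespaces
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-my-app
  namespace: default
spec:
  provider: vault
  parameters:
    roleName: "my-role"                                   # Kubernetes auth role, not an AppRole
    vaultAddress: "https://vault.example.internal:8200"   # constructed address
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/my-app/db"
        secretKey: "password"
```

The pod that mounts this SecretProviderClass has to run with `serviceAccountName: my-app-sa`; `vault read auth/kubernetes/role/my-role` confirms the role exists under the Kubernetes mount and shows its bound service accounts and namespaces.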