auth_kubernetes_roles.tf

@@ -61,20 +61,13 @@ resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
 }
 
 resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
-  backend   = vault_auth_backend.kubernetes.path
-  role_name = "ceph-csi"
-  bound_service_account_names = [
-    "ceph-csi-rbd-csi-rbd-provisioner",
-    "ceph-csi-cephfs-csi-cephfs-provisioner",
-  ]
-  bound_service_account_namespaces = [
-    "csi-cephrbd",
-    "csi-cephfs",
-  ]
-  token_ttl = 60
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "ceph-csi"
+  bound_service_account_names      = ["ceph-csi-rbd-csi-rbdplugin-provisioner"]
+  bound_service_account_namespaces = ["ceph-csi"]
+  token_ttl                        = 60
   token_policies = [
     "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
-    "kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
   ]
   audience = "vault"
 }

policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.hcl

@@ -1,3 +0,0 @@
-path "kv/data/service/kubernetes/au/syd1/csi/ceph-cephfs-secret" {
-  capabilities = ["read"]
-}