Update docs so that users know that kubernetes roles will require the (#31043)

audience field in Vault 1.21+.
Jaired Jawed 2025-06-19 16:51:13 -07:00 committed by GitHub
parent a101685b14
commit c4467ff9e5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 2 deletions

@ -146,10 +146,10 @@ entities attempting to login.
[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta). Currently, label selectors with `matchExpressions` are not supported.
To use label selectors, **Vault must have permission to read namespaces** on the Kubernetes
cluster. If set with `bound_service_account_namespaces`, the conditions are `OR`ed.
- `audience` `(string: "")` - Optional Audience claim to verify in the JWT.
- `audience` `(string: "")` - Audience claim to verify in the JWT. Will be required in Vault 1.21+.
- `alias_name_source` `(string: "serviceaccount_uid")` - Configures how identity aliases are generated.
Valid choices are: `serviceaccount_uid` and `serviceaccount_name`.
When you specify `serviceaccount_uid`, Vault uses a machine generated UID from
the service account as the identity alias name. Using a service account UID is
both the default and the recommended method as it the more secure option.
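Review bot: the rewritten `audience` line still carries the `(string: "")` signature, which advertises an empty default while the sentence after it says the field will be required in Vault 1.21+; suggest either dropping the default from the signature or stating that an empty value is only accepted on versions before 1.21, and naming what fails when it is absent (the role write or the login). Also "Will be required in Vault 1.21+." is a fragment; suggest "This field will become required in Vault 1.21+."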

@ -107,9 +107,13 @@ management tool.
bound_service_account_names=myapp \
bound_service_account_namespaces=default \
policies=default \
audience=myapp \
ttl=1h
```
!> **Note:** `audience` will be a required field in Vault 1.21+. This field is used
to verify the JWT token's audience claim.
This role authorizes the "myapp" service account in the default
namespace and it gives it the default policy.
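Review bot: the added note says `audience` is used to verify the JWT's audience claim but never says what it has to match; now that the example sets `audience=myapp`, add that the value must equal the `aud` claim of the service account token the client presents at login, and that a token with a different audience is rejected, so readers know to request their token with that audience. Also "JWT token" is redundant (the T already stands for token); suggest "the JWT's audience claim".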