
HashiCorp Vault RA mode: Vault token not automatically renewed #1222

@itmwiw

Description

Steps to Reproduce

1- Follow the official documentation to configure step-ca in HashiCorp Vault RA mode:
https://smallstep.com/docs/step-ca/registration-authority-ra-mode/#hashicorp-vault-ra-mode
2- Use the Kubernetes auth type instead of the AppRole auth type.
3- Generate some certificates using the ACME provisioner.
4- Wait for more than 1 hour: the one-hour waiting time is for Vault's token to expire (ttl=3600s).
5- Generate some more certificates.

Your Environment

Kubernetes 1.23

Expected Behavior

Smallstep automatically renews Vault's token using the SA token, and step 5 generates certificates as it did in step 3.

Actual Behavior

Step 3 works fine, but step 5 gets the following error:
"error finalizing order: error signing certificate for order MI2w0LKPq5RzfG97bWZFSb5gl44fDkrq: authority.Sign; error creating certificate: error signing certificate: Error making API request.\n\nURL: PUT https://vault-kubeshift.apps.okd.advatys.com/v1/pki/sign/rsa-role\nCode: 403. Errors:\n\n* permission denied" fields.time="2023-01-09T16:22:17Z" method=POST name=ca nonce=bnQ1WmdKaUZTQXR1bWRIWlJjanVMclFBNmd0bU96VHQ path=/acme/acme/order/MI2w0LKPq5RzfG97bWZFSb5gl44fDkrq/finalize protocol=HTTP/1.1 referer= remote-address=10.129.3.45 request-id=ceu3uedst9ns73a0em3g response="

Additional Context

Vault's token ttl=3600s
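The failure the report describes, as an added Go example that is not step-ca's or Vault's code: a constructed in-memory Vault stand-in (a token is valid for the report's 3600s TTL, then the sign endpoint answers 403) and a token source that re-authenticates before the cached token is within a safety margin of expiring. Simulate replays steps 3 to 5 once without renewal, reproducing the 403, and once with it; the names vault, tokenSource and Simulate are assumptions.

```go
package main

import (
	"errors"
	"time"
)

// vault is a constructed stand-in (not Vault's or step-ca's code): Login issues a
// token with the report's 3600s TTL; Sign (PUT /v1/pki/sign/<role>) answers 403 after.
type vault struct{ issued map[string]time.Time }
func (v *vault) Login(now time.Time) string {
	tok := "hvs.constructed-" + now.Format(time.RFC3339)
	v.issued[tok] = now
	return tok
}
func (v *vault) Sign(now time.Time, tok string) error {
	if at, ok := v.issued[tok]; !ok || !now.Before(at.Add(time.Hour)) {
		return errors.New("Code: 403. Errors:\n\n* permission denied")
	}
	return nil
}

// tokenSource caches a token and logs in again (for step-ca: the Kubernetes
// auth login with the SA token) once it is within margin of expiring.
type tokenSource struct {
	vault     *vault
	token     string
	expiresAt time.Time
}
func (s *tokenSource) Token(now time.Time, margin time.Duration) string {
	if s.token == "" || !now.Add(margin).Before(s.expiresAt) {
		s.token, s.expiresAt = s.vault.Login(now), now.Add(time.Hour)
	}
	return s.token
}
// Simulate replays steps 3-5: renew=false reuses the first token and gets 403.
func Simulate(renew bool) (logins int, err error) {
	v := &vault{issued: map[string]time.Time{}}
	src := &tokenSource{vault: v}
	t0 := time.Date(2023, 1, 9, 15, 0, 0, 0, time.UTC)
	if err = v.Sign(t0, src.Token(t0, 5*time.Minute)); err != nil {
		return len(v.issued), err
	}
	t1 := t0.Add(61 * time.Minute) // step 4: wait past the TTL
	tok := src.token               // without renewal the cached token is reused
	if renew {
		tok = src.Token(t1, 5*time.Minute)
	}
	return len(v.issued), v.Sign(t1, tok)
}
```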


Labels: bug, needs triage (Waiting for discussion / prioritization by team)