
Permission denied on Vault Terraform provider token creation

I am using the Vault provider in Terraform IaC code like this:

provider "vault" {
  address = var.vault_address

  auth_login {
    path = "auth/approle/login"

    parameters = {
      role_id   = var.cms_vault_role_id
      secret_id = var.cms_vault_secret_id
    }
  }
}

I pass an address like https://www.vault.organization.com and the correct role_id and secret_id. When I request a token via an HTTP request it works, but with this provider I get a 403 permission denied error, like this:

│ Error: failed to create limited child token: Error making API request.
│ 
│ URL: POST https://vault.organization.com/v1/auth/token/create
│ Code: 403. Errors:
│ 
│ * 1 error occurred:
│   * permission denied
│ 
│ 
│ 
│   with provider["registry.terraform.io/hashicorp/vault"],
│   on providers.tf line 23, in provider "vault":
│   23: provider "vault" {

What is wrong with my configuration?

Terraform version ">= 0.13"
Vault provider version "3.7.0"

The 403 error does not come from the path auth/approle/login, but from auth/token/create.

Terraform will try to create a child token if an existing token is found in the environment. I think your script is picking up an old token and it fails before ever reaching your code.

Try this (adjust to your environment):

  1. Remove tokens from the token helper (rm -v ~/.vault-token)
  2. Clear the token environment variable (unset VAULT_TOKEN)
  3. Debug your configuration with vault print token
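A pre-flight check that scripts the three steps above, added here as an example and not part of the original answer. It assumes the token-helper file is ~/.vault-token (the Vault CLI default) and that VAULT_TOKEN in the environment takes precedence over that file, which is the order the Vault CLI and the provider use when no auth_login is reached.

```shell
#!/bin/sh
# Pre-flight check before `terraform plan`/`apply` with an auth_login provider block.
# Added example (not from the original post). Assumption: a token found in
# VAULT_TOKEN or in the token-helper file is used by the provider *instead of*
# auth_login, and the provider then calls auth/token/create with it.

# Usage: vault_token_source [token_file]
# Prints which cached token the provider would pick up: env, file, or none.
vault_token_source() {
    token_file="${1:-$HOME/.vault-token}"
    if [ -n "${VAULT_TOKEN:-}" ]; then
        echo "env"            # VAULT_TOKEN wins over the token-helper file
    elif [ -s "$token_file" ]; then
        echo "file"           # ~/.vault-token left behind by `vault login`
    else
        echo "none"           # nothing cached, auth_login will be used
    fi
}

# Usage: clear_stale_vault_token [token_file]
# Removes the token-helper file. A script cannot unset VAULT_TOKEN in the
# caller's shell, so it reports that case and returns 1 for the caller to act on.
clear_stale_vault_token() {
    token_file="${1:-$HOME/.vault-token}"
    if [ -f "$token_file" ]; then
        rm -f -- "$token_file"
        echo "removed $token_file"
    fi
    if [ -n "${VAULT_TOKEN:-}" ]; then
        echo "VAULT_TOKEN is set in this shell; run: unset VAULT_TOKEN" >&2
        return 1
    fi
    return 0
}

# Report what a provider with auth_login would actually authenticate with.
case "$(vault_token_source)" in
    env)  echo "VAULT_TOKEN is set; the provider will use it and POST auth/token/create with it" ;;
    file) echo "token-helper file present; the provider will use it instead of auth_login" ;;
    none) echo "no cached token; auth_login (AppRole) will be used" ;;
esac
```

When no cached token is found and the 403 persists, the token that auth_login returns must itself be allowed to create child tokens; `vault token capabilities auth/token/create` run with that token shows whether it has the update capability on the path named in the error.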
