2

I am using Vault provider in Terraform IaC code like this:

provider "vault" {
  address = var.vault_address

  auth_login {
    path = "auth/approle/login"

    parameters = {
      role_id   = var.role_id
      secret_id = var.secret_id
    }
  }
}

I pass an address, like: https://www.vault.organization.com and the correct role_id and secret_id. When I request a token via an HTTP request it works, but in this provider case I get a 403 permission denied error, like this:

│ Error: failed to create limited child token: Error making API request.
│ 
│ URL: POST https://vault.organization.com/v1/auth/token/create
│ Code: 403. Errors:
│ 
│ * 1 error occurred:
│   * permission denied
│ 
│ 
│ 
│   with provider["registry.terraform.io/hashicorp/vault"],
│   on providers.tf line 23, in provider "vault":
│   23: provider "vault" {

What is wrong with my configuration?

Terraform version ">= 0.13"
Vault provider version "3.7.0"
Przemek Wit

2 Answers

3

This issue stems from the Vault Provider's need to create an intermediate / child token, which, as it doesn't have permission due to how the policy is set in the Terraform provider, will always fail.

In the most recent releases they have introduced the option to skip_child_token which solves this. (https://github.com/hashicorp/terraform-provider-vault/issues/29#issuecomment-988121638)

Additionally there seems to be an undocumented requirement to place the namespace in both the provider and the auth_login blocks; I get 403 errors if I don't add them both.

provider "vault" {
  address = var.vault_address
  namespace = "admin"
  skip_child_token = true

  auth_login {
    path = "auth/approle/login"
    namespace = "admin"

    parameters = {
      role_id   = var.cms_vault_role_id
      secret_id = var.cms_vault_secret_id
    }
  }
}
the1dv
  • _Additionally there seems to be an undocumented requirement to place the namespace in both the `provider` and the `auth_login` blocks, I get 403 errors if I don't add them both._ Hmm, that was the problem for me. I wanted to supply the namespace with env var: `VAULT_NAMESPACE`, but it seems the `auth_login` block did not pick the value from that. – zingi Dec 09 '22 at 11:54
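The 403 in the question is raised at POST auth/token/create, so the alternative to setting skip_child_token is to let the AppRole's token keep the capability the provider needs. The following Vault policy is an added example, not code from the question or either answer; the policy name `terraform` and the KV path `secret/data/terraform/*` are assumptions. Vault's built-in `default` policy already grants auth/token/create, so an AppRole whose token_policies omit `default` (or that sets token_no_default_policy) is a common way to end up with exactly this error.

```hcl
# Added example policy for the AppRole used by the Vault provider (assumed name: terraform).
# The provider logs in with role_id/secret_id, then calls POST auth/token/create to
# mint a short-lived child token. Without "update" on that path the AppRole login
# succeeds but the child-token step fails with the 403 shown in the question.
path "auth/token/create" {
  capabilities = ["update"]
}

# Let the provider inspect and renew the token it is running with
# (both are also part of Vault's built-in "default" policy).
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}

# The secrets Terraform actually reads (assumed KV v2 path); keep this as
# narrow as the plan requires rather than granting secret/* wholesale.
path "secret/data/terraform/*" {
  capabilities = ["read"]
}
```

Load it with `vault policy write terraform terraform-policy.hcl` and attach it with `vault write auth/approle/role/terraform token_policies="terraform"` (role and file names assumed); the provider then works with or without skip_child_token.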
1

The 403 error does not come from the path auth/approle/login, but from auth/token/create.

Terraform will try to create a child token if an existing token is found in the environment. I think your script is picking up an old token and it fails before ever reaching your code.

Try this (adjust to your environment):

  1. Remove tokens from the token helper (rm -v ~/.vault-token)
  2. Clear the token environment variable (unset VAULT_TOKEN)
  3. Debug your configuration with vault print token
ixe013