Cannot log in to HashiCorp Vault using APPROLE method: permission denied

Hi,
I have set up HashiCorp Vault. However, I get this error when trying to connect to it from TeamCity:

Cannot log in to HashiCorp Vault using APPROLE method: permission denied

Is there a step I am missing somewhere?

Thanks

Are you able to log in manually using the role ID and secret ID using the CLI or API call?

If you haven’t reviewed these before, they may help:

Ok I configured most of this but I get the error still. My policy has this:

Write test data

Set the path to "secret/data/mysql/*" if you are running kv-v2

path "secrets/kv/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

However, what should this path be? How do I get it?

The path in your policy depends on the secrets engine, the path you enabled it at, and the secrets you have written to the secrets engine.

However, if you’re getting permission denied on login, the policy isn’t coming into play yet.

Once you can log in, then the policy will define what is accessible.

For example, if you enabled the KV v1 secrets engine at path secret and wrote a secret named creds, your path is secret/creds.

If you enabled the KV v2 secrets engine, you need to add data to the path so it would be
secret/data/creds.

This is a tutorial on policies:

So the issue must be with the token creation then? i.e. the first link you sent.

All fixed, I was in the wrong namespace!


You tricked me! 403 is so often namespace related and I didn't think to ask. Glad you got it sorted, and apologies for not getting back to you sooner, and having intel >> arm…migration fun.
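To illustrate the two points in this thread (the 403 caused by logging in against the wrong namespace, and the KV v1 vs v2 policy path), here is an added example that is not from any poster or from Vault itself: a tiny stand-in for the AppRole login endpoint that answers "permission denied" unless the X-Vault-Namespace header names the namespace the role lives in. The endpoint path and header names are the real Vault ones; the role ID, secret ID, namespace "team-a" and returned token are constructed values.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request, error

# Constructed credentials: the AppRole is defined inside namespace "team-a".
ROLE_ID = "example-role-id"
SECRET_ID = "example-secret-id"
ROLE_NAMESPACE = "team-a"

class FakeVault(BaseHTTPRequestHandler):
    # Mimics Vault's behaviour: a login that cannot be resolved in the
    # requested namespace is answered with 403 "permission denied".
    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        ns = self.headers.get("X-Vault-Namespace", "")  # absent header = root namespace
        ok = (self.path == "/v1/auth/approle/login" and ns == ROLE_NAMESPACE
              and body.get("role_id") == ROLE_ID and body.get("secret_id") == SECRET_ID)
        if ok:
            self._reply(200, {"auth": {"client_token": "hvs.constructed-token"}})
        else:
            self._reply(403, {"errors": ["permission denied"]})
    def _reply(self, code, payload):
        data = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args):  # keep the stub quiet
        pass

def start_fake_vault():  # returns (server, address) on an ephemeral local port
    srv = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"

def approle_login(addr, role_id, secret_id, namespace=None):
    # POST role_id/secret_id to auth/approle/login; the namespace travels in a header,
    # which is exactly what a client configured for the wrong namespace gets wrong.
    headers = {"Content-Type": "application/json"}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    req = request.Request(f"{addr}/v1/auth/approle/login", method="POST", headers=headers,
                          data=json.dumps({"role_id": role_id, "secret_id": secret_id}).encode())
    try:
        with request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as e:  # Vault returns JSON errors with a 4xx status
        return e.code, json.loads(e.read())

def kv_policy_path(mount, name, version):
    # KV v1 policy path is mount/name; KV v2 inserts "data/" after the mount.
    return f"{mount}/{name}" if version == 1 else f"{mount}/data/{name}"
```

Running the login once without the namespace header and once with it reproduces the thread's 403 followed by a successful token, and only after that success does the policy path from kv_policy_path matter.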