Error: failed to lookup token, err=Error making API request

Hello team,
I get the following error message “Error: failed to lookup token, err=Error making API request” after executing the terraform plan command

URL: GET http://127.0.0.1:8200/v1/auth/token/lookup-self
│ Code: 403. Errors:

│ * permission denied

│ with provider[“Terraform Registry”],
│ on main.tf line 12, in provider “vault”:
│ 12: provider “vault” {

Here is the code in the main.tf file

provider "vsphere" {
  vsphere_server = var.vsphere_server
  user           = var.vsphere_user
  password       = data.vault_generic_secret.vcenterpass.data["password"]
  allow_unverified_ssl = true
}

provider "vault" {
  address         = "http://127.0.0.1:8200/"
  skip_tls_verify = true
  token           = var.vault_token
}

data "vault_generic_secret" "vcenterpass" {
  path = "vcenter/vcenter_pass"
}

Vault is installed on a Windows environment.
The variables ‘VAULT_ADDR’, ‘VAULT_TOKEN’, ‘TF_VAR_vault_token’ have been created.
The main.tf file is based on the variables.tf and terraform.tfvars files.
Here are their contents:

variables.tf

variable "vsphere_server" {}
variable "vsphere_user" {}
variable "vsphere_password" {}
variable "vault_token" {}

terraform.tfvars

vsphere_server = "xxx.domain"
vsphere_user = "xxx@domain"
vsphere_password = "xxx"
vault_token = "TF_VAR_vault_token"

The default ACL policy in Vault

# Allow create tokens
path "auth/token/create" {
    capabilities = ["create" , "read" , "list"]
}

# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
    capabilities = ["create" , "read" , "list"]
}

# Allow tokens to renew themselves
path "auth/token/renew-self" {
    capabilities = ["update"]
}

The Vault configuration file config.hcl

disable_cache = true
disable_mlock = true
ui = true
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
  #tls_cert_file = "C:/Users/xxx/Downloads/Terraform/Vault/certs/vaultterraform.crt"
  #tls_key_file  = "C:/Users/xxx/Downloads/Terraform/Vault/certs/vaultterraform.key"
}
storage "file" {
  path = "C:/Users/xxx/Downloads/Terraform/Vault/data"
}
api_addr                = "http://0.0.0.0:8200"
max_lease_ttl           = "10h"
default_lease_ttl       = "10h"
cluster_name            = "vault"
raw_storage_endpoint    = true
disable_sealwrap        = true
disable_printable_check = true

Does anyone see what the problem is?
I’m both a newbie and not at ease with the English language.
Have a good day.
Thank you for your indulgence and future help.

You have configured Terraform to send the literal string TF_VAR_vault_token to Vault as if it was a Vault token. TF_VAR_vault_token is of course not a valid Vault token.

Delete from main.tf:

Delete the environment variable:

Delete from variables.tf:

Delete from terraform.tfvars:

Also:

You have modified the default ACL policy in Vault in many incorrect ways. This will cause you lots of problems in future. You should undo this, and return it to the version that Vault automatically configures in a new Vault.

Thanks @maxb for your reply.
I’ve deleted the variables requested in the main.tf, variables.tf, terraform.tfvars files and the Windows environment variable ‘TF_VAR_vault_token’.

It’s ok.

data.vault_generic_secret.vcenterpass: Reading…
data.vault_generic_secret.vcenterpass: Read complete after 0s [id=vcenter/vcenterpass]

Regarding the default ACL policy, to avoid having to start all over again, would it be possible to have the default policy as an example here?

I also have a supplementary request.

To start Vault in a Windows environment, I run the following command:

vault server -config="C:/Users/xxx/Downloads/Terraform/Vault/config.hcl"

To connect to the Vault GUI, I use the url http://127.0.0.1:8200 from a browser.
Each time I launch a service I’m asked to unseal.
I have to manually enter 3 keys from the JSON file downloaded when Vault was initialised, plus the root token.
Is there a simple solution to launch Vault and unseal it automatically?

Thank you.

This can be obtained by starting up a Vault dev server:

vault server -dev

and querying it:

vault policy read default

or viewing it in GitHub: https://github.com/hashicorp/vault/blob/v1.14.1/vault/policy_store.go#L69-L160

This is a huge topic. There is no simple answer.

The requirement to unseal is a fundamental part of how Vault protects against someone who can directly read the Vault storage taking a copy and reading all the secrets outside of Vault’s control.

However, if you’re not running Vault in a real production setup, then:

  • It is pointless using 3 keys if you have all of them. You might as well vault operator rekey changing the default 3-of-5 key setup to 1-of-1.
  • If you have no need for the protection granted by unseal keys, nothing stops you writing your own script, to start Vault, and then submit the keys.
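The start-then-submit-keys script described above, as an added example that is not part of the thread or of Vault's own tooling. It assumes a 1-of-1 rekeyed Vault as discussed, the config.hcl path from the original post, and a placeholder file unseal.key holding the key; it also handles a higher threshold by submitting several key files in turn.

```powershell
# Added example, not from the thread. Paths and file names are assumptions.
$VaultExe   = "vault"
$ConfigPath = "C:/Users/xxx/Downloads/Terraform/Vault/config.hcl"
$VaultAddr  = "http://127.0.0.1:8200"
# One file per unseal key share; with the 1-of-1 rekey a single file is enough.
# Storing keys on the same machine removes the protection the seal provides.
$KeyFiles   = @("C:/Users/xxx/Downloads/Terraform/Vault/unseal.key")
$env:VAULT_ADDR = $VaultAddr

# Start the server in the background (a Windows service would do as well).
Start-Process -FilePath $VaultExe -ArgumentList "server", "-config=$ConfigPath" -WindowStyle Hidden

# Wait until the API answers. /v1/sys/seal-status needs no token.
$status = $null
for ($i = 0; $i -lt 30 -and -not $status; $i++) {
    try   { $status = Invoke-RestMethod -Uri "$VaultAddr/v1/sys/seal-status" -Method Get }
    catch { Start-Sleep -Seconds 1 }
}
if (-not $status) { throw "Vault did not come up on $VaultAddr" }

if ($status.sealed) {
    # Submit key shares one at a time until the threshold (t) is reached.
    foreach ($file in $KeyFiles) {
        $key    = (Get-Content -Path $file -Raw).Trim()
        $body   = @{ key = $key } | ConvertTo-Json
        $status = Invoke-RestMethod -Uri "$VaultAddr/v1/sys/unseal" -Method Put `
                                    -Body $body -ContentType "application/json"
        if (-not $status.sealed) { break }
    }
    if ($status.sealed) {
        throw "Vault is still sealed: progress $($status.progress) of $($status.t) shares"
    }
}
Write-Host "Vault is unsealed at $VaultAddr"
```

Register the script with Task Scheduler (trigger "At startup") to have it run before Terraform; the root token is only needed to log in to the UI, not to unseal.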

Thank you Max for your reply.
I reconfigured the keys using a rekeying operation (setup to 1-of-1).
Do you have an example of the script you're talking about?
The aim is to launch Vault at Windows startup by considering an unseal action with the generated key.
Thanks for your help.