Error when trying to use Vault as a credential store in Boundary

We have successfully set up Boundary and Vault independently. Now we want to use Vault as our credential store for Boundary.

When trying to create a new credential store using the Boundary UI, we use the following settings:

  • Type: Vault
  • Token: The token we got via the command line during Vault's setup
  • TLS skip verify: enabled
    Of course we also gave the credential store a name and the address where Vault is reachable.

When clicking “save”, we get the following error:

credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: vault token is not renewable, vault token issue: error #3012

We aren’t sure how we can make the Vault token renewable, as it is automatically created during Vault's initial setup. Is there a way to set a flag in the configs or make it renewable using the UI afterwards?

Any help would be appreciated!

By “the token we got during Vault setup”, do you mean the initial root token? Don’t use that for anything other than Vault setup.

Boundary needs a unique, orphan, periodic, renewable Vault token with specific permissions to set up each credential store you create (I think I remember it will specifically look for a Vault root token and reject it when it’s validating the token, but I might be wrong on that). Use that Vault root token yourself instead to create a token for that specific credential store with the right permissions and attributes.
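
A pre-flight check for the token attributes named in the answer above, as an added example that is not part of the original thread and not Boundary's own validation code: it reads the JSON printed by `vault token lookup -format=json` and lists which requirement a token fails. The sample responses are constructed, the policy name `boundary-credential-store` is hypothetical, and permissions are not checked because the thread does not list them.

```python
import json

# Constructed sample: roughly what `vault token lookup -format=json` prints
# for an initial root token (illustrative values, not from a real server).
ROOT_TOKEN_LOOKUP = json.dumps({"data": {
    "policies": ["root"], "orphan": True, "renewable": False,
    "ttl": 0, "type": "service",
}})

# Constructed sample: a dedicated token; the policy name is hypothetical.
STORE_TOKEN_LOOKUP = json.dumps({"data": {
    "policies": ["boundary-credential-store"], "orphan": True,
    "renewable": True, "period": 1200, "ttl": 1187, "type": "service",
}})


def check_token(lookup_json):
    """Return a list of problems; an empty list means the token is
    non-root, orphan, renewable and periodic, as the answer requires."""
    data = json.loads(lookup_json).get("data") or {}
    problems = []
    if "root" in data.get("policies", []):
        problems.append("token carries the root policy")
    if not data.get("orphan", False):
        problems.append("token is not an orphan")
    if not data.get("renewable", False):
        problems.append("token is not renewable")
    # Assumption: `period` is absent or zero unless the token is periodic.
    if data.get("period") in (None, 0, "", "0", "0s"):
        problems.append("token is not periodic")
    return problems


if __name__ == "__main__":
    samples = [("root", ROOT_TOKEN_LOOKUP), ("store", STORE_TOKEN_LOOKUP)]
    for name, raw in samples:
        issues = check_token(raw)
        print(name, "->", "OK" if not issues else "; ".join(issues))
```

Running it against the root-token sample reports the same "not renewable" condition as the error in the question, alongside the other attributes that token lacks.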