Integration of HCP Vault and Argo CD

I want to inject a secret when deploying an application by linking HCP Vault and Argo CD.

I want to use argocd-vault-plugin.

I am planning to use AppRole as the authentication method.

My settings are like this:

  • app-role setting
resource "vault_auth_backend" "avp" {
  type = "approle"
  path = "avp"
}

resource "vault_approle_auth_backend_role" "avp" {
  backend        = vault_auth_backend.avp.path
  role_name      = "avp-role"
  token_policies = [var.avp_token_name, vault_policy.demo-policy.name]
}

resource "vault_approle_auth_backend_role_secret_id" "avp" {
  backend   = vault_auth_backend.avp.path
  role_name = vault_approle_auth_backend_role.avp.role_name
}

  • argocd-vault-plugin-credentials secret
resource "kubernetes_secret" "secret_argocd_argocd_vault_plugin_credentials" {
  metadata {
    name      = "argocd-vault-plugin-credentials"
    namespace = "argocd"
  }

  data = {
    AVP_AUTH_TYPE  = "approle"
    AVP_ROLE_ID    = vault_approle_auth_backend_role.avp.role_id
    AVP_SECRET_ID  = vault_approle_auth_backend_role_secret_id.avp.secret_id
    AVP_MOUNT_PATH = vault_auth_backend.avp.path

    AVP_TYPE        = "vault"
    VAULT_ADDR      = "https://saas_domain:8200"
    VAULT_NAMESPACE = "admin"
  }

  type = "Opaque"

  depends_on = [helm_release.argocd]
}

However, an error occurs when deploying the Argo CD application, as shown below.

Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = Manifest generation error (cached): plugin sidecar failed. error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: `sh -c "helm template $ARGOCD_APP_NAME -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} . |\nargocd-vault-plugin generate -s argocd:argocd-vault-plugin-credentials -\n"` failed exit status 1:
Error: Error making API request.
Namespace: admin
URL: PUT https://saas_domain:8200/v1/avp/login
Code: 403. Errors:
* permission denied
Usage:
  argocd-vault-plugin generate <path> [flags]
Flags:
  -c, --config-path string   path to a file containing Vault configuration (YAML, JSON, envfile) to use
  -h, --help   help for generate
  -s, --secret-name string   name of a Kubernetes Secret in the argocd namespace containing Vault configuration data in the argocd namespace of your ArgoCD host (Only available when used in ArgoCD). The namespace can be overridden by using the format <namespace>:<name>
  --verbose-sensitive-output   enable verbose mode for detailed info to help with debugging. Includes sensitive data (credentials), logged to stderr

The important part of the error message is the 403 permission denied.

I tried logging in with AppRole using the Vault CLI and confirmed that the login worked normally.

What should I check first?
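
One check to run first, as an added example that is not part of the original post: the 403 in the error above was returned for `/v1/avp/login`, while Vault exposes auth method logins under `/v1/auth/<mount>/login`. The function names and the sample line (a fragment of the error quoted above) are constructed for illustration; that the plugin sends `AVP_MOUNT_PATH` verbatim as the login path is an assumption drawn from that URL.

```shell
#!/usr/bin/env bash
# Added example: triage an argocd-vault-plugin 403 by checking the login URL it reports.

# Constructed sample: the relevant fragment of the error quoted in the post.
SAMPLE_ERR='Error: Error making API request. Namespace: admin URL: PUT https://saas_domain:8200/v1/avp/login Code: 403. Errors: * permission denied'

# Print the API path after /v1/ from the "URL: <METHOD> <url>" part of the error.
login_path() {
  printf '%s\n' "$1" |
    sed -n 's#.*URL: [A-Z]* https\{0,1\}://[^/ ]*/v1/\([^ ]*\).*#\1#p' |
    head -n 1
}

# Vault serves auth method logins at /v1/auth/<mount>/login.
# Prints a finding; returns 0 when the path has that shape, 1 or 2 otherwise.
check_login_path() {
  api_path=$(login_path "$1")
  case "$api_path" in
    "")           echo "no-url"; return 2 ;;
    auth/*/login) echo "ok:$api_path"; return 0 ;;
    */login)      echo "missing-auth-prefix:auth/${api_path%/login}"; return 1 ;;
    *)            echo "unexpected:$api_path"; return 1 ;;
  esac
}

# Run against the sample; "|| true" keeps the script's exit status clean.
check_login_path "$SAMPLE_ERR" || true
```

For the sample line the finding is `missing-auth-prefix:auth/avp`, which under the stated assumption points at `AVP_MOUNT_PATH` needing the `auth/` prefix, for example `"auth/${vault_auth_backend.avp.path}"`.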