I’m working to setup ArgoCD to pull secrets out of Hashicorp Vault using ArgoCD’s Vault plugin. Although I am able to read the secrets using the vault CLI in the approle I’ve created I’m having issues requesting secrets back from the Vault using this plugin.
What I’ve done:
I’ve created an approle (argocd) and assigned a policy to it (secret-ro) to ensure that it can read from secrets in the secret/test path.
Now when I run the cat secret.yaml | argocd-vault-plugin -c vars.env generate - command I expect to have successfully replaced the <path:secret/data/test#ingress> value with the secret stored in the vault. Instead I am getting the following error:
I have tried a different method of authenticating, by creating the token and utilising that in the argocd-vault-plugin command (as documented here) which is providing a different error message:
Error: Replace: could not replace all placeholders in Template:
Error making API request.
URL: GET https://redacted.hashicorp.cloud:8200/v1/secret/data/test
Code: 403. Errors:
* 1 error occurred:
* permission denied
So at this point I thought my policy configuration might have been incorrect, so I’ve logged into the vault CLI (vault login) using the same token that argocd-vault-plugin is using and verified that I can read the secret:
Now I’m coming up blank. I’m not sure what else I can look into to try and resolve this issue so any pointers or insight into this would be greatly appreciated. I imagine there’s something small and silly that I’ve missed.
I have listed the steps taken to attempt to get this working below.
Vault
Enable approle authentication method
vault auth enable approle
Create new approle
$ vault write auth/approle/role/argocd-vault-plugin token_num_uses=0 secret_id_num_uses=0 policies="argocd-vault-plugin-policy"
Success! Data written to: auth/approle/role/argocd-vault-plugin
Get approle role-id and secret-id and store in vars.env file
$ vault read auth/approle/role/argocd-vault-plugin/role-id
Key Value
--- -----
role_id role-id-1234
$ cat secret.yaml | argocd-vault-plugin generate -
Error: Replace: could not replace all placeholders in Template:
Error making API request.
URL: GET https://public-vault-address.hashicorp.cloud:8200/v1/argocd/data/argocd-vault-plugin/test
Code: 403. Errors:
* 1 error occurred:
* permission denied
I have never used HCP Vault - however I understand from other forum posts here, that in HCP Vault, customers don’t have access to the root namespace, and everything happens under a child namespace called admin.
I wonder if your problems are because your manual shell CLI environment is configured for this, but ArgoCD is not.
Beyond that, I’d suggest checking the Vault audit log, to confirm the exact details of the requests that are being denied.
I don’t see anything glaring wrong here – you didn’t mention the version of Vault you were using … also are you actually using HCP? You didn’t mention it but your URL look “cloud-ish”, if so you’re missing your namespace parameters everywhere … which would be very odd as your other commands are working.
Two items that I highly recommend using when doing access issues:
A) Turn on your audit device, and check to see what is exactly being accessed and denied. That’ll tell you if your policy and path or your token policy and policy name don’t match.
B) VAULT_TOKEN=<your root or admin token> vault token capabilities <token to test> <direct path>
These will help you diagnose where the issue might be.
So assuming you are usiong the approle token – In your case B should result in:
I had not passed in the namespace that I was using (admin in this case) and the argocd-vault-plugin defaults to root. That solved the main issue.
The ArgoCD version of 2.4.0 has introduced changes to their environment variable handling that breaks the vault plugin. Deploying ArgoCD on 2.4.3 resolved that issue.