I have deployed vault 1.14.3 on an Ubuntu 18.04 server. Everything seems fine, but when I try to run vault read secret/path/to/secret I get:
URL: GET https://vault.mycompany.com:8200/v1/secret/path/to/secret Code: 403. Errors: * permission denied```
If I explicitly use the agent-token file that is output when running Vault Agent (by doing VAULT_TOKEN={agent-file-contents} followed by vault read secret/path/to/secret, I am able to read the secret just fine.
I think the agent is not using the agent-token file to make its requests, and am out of ideas for how to fix it. One thing I noticed is the vault.env file is empty, and not sure if this should be the case. Here is the vault.hcl file that is being used as the agent config:
pid_file = "./pidfile"
log_file = "/var/log/vault/agent.log"
log_level = "trace"
log_rotate_bytes = 10000000
log_rotate_max_files = 10
vault {
address = "https://vault.mycompany.com:8200"
}
listener "tcp" {
address = "127.0.0.1:8100"
tls_disable = true
}
auto_auth {
method "approle" {
mount_accessor = "auth/approle"
config = {
role_id_file_path = "/etc/vault.d/role-id"
secret_id_file_path = "/etc/vault.d/secret-id"
}
}
sink "file" {
config = {
path = "/etc/vault.d/agent-token"
}
}
}
cache {
use_auto_auth_token = true
}