I have a pipeline that deploys Vault configs via Terraform. It has this policy for my testing:
```sh
vault policy write terraform-gitlab -<<EOF
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/auth/*" {
  capabilities = ["create", "update", "delete"]
}
path "sys/auth" {
  capabilities = ["read"]
}
path "sys/auth/auth/+/+" {
  capabilities = ["create", "update", "delete"]
}
path "sys/policies/acl" {
  capabilities = ["read"]
}
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts" {
  capabilities = ["read"]
}
EOF
```
Error I am running into:
```text
vault_okta_auth_backend.okta: Creating...

Error: error writing to Vault: Error making API request.

URL: POST <REMOVED>/v1/sys/auth/auth/okta/config
Code: 403. Errors:

* 1 error occurred:
	* permission denied

  on dev/auth-methods/auth-methods.tf line 6, in resource "vault_okta_auth_backend" "okta":
   6: resource "vault_okta_auth_backend" "okta" {

ERROR: Job failed: command terminated with exit code 1
```
My terraform code is:
```hcl
resource "vault_okta_auth_backend" "okta" {
  description  = "Okta auth backend"
  organization = "oktaorg.com"
  token        = var.okta_token
  ttl          = "1h"
  max_ttl      = "12h"
  path         = "auth/okta/config"

  group {
    group_name = "DevOps"
    policies   = ["h2_devops"]
  }
}
```
What am I missing from my policy?
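To trace which policy rule Vault applies to the failing request, here is an added example (not code from the post or from Vault) that models Vault's ACL matching in simplified form: `+` matches one path segment, a trailing `*` matches any suffix, the most specific matching rule wins without merging capabilities across rules, and mounting an auth method at `sys/auth/<mount>` is root-protected, so it needs `sudo` in addition to `create`/`update`. The policy dict is transcribed from the post; `SUDO_PROTECTED` is a deliberate simplification that ignores finer exceptions in real Vault, and `mount_request_path` assumes the provider builds the mount URL as `sys/auth/` plus the resource's `path` argument, which is what the error's URL shows.

```python
import re

# Constructed input: the policy from the post, transcribed into a dict.
POLICY = {
    "auth/*":             {"create", "read", "update", "delete", "list"},
    "sys/auth/*":         {"create", "update", "delete"},
    "sys/auth":           {"read"},
    "sys/auth/auth/+/+":  {"create", "update", "delete"},
    "sys/policies/acl":   {"read"},
    "sys/policies/acl/*": {"create", "read", "update", "delete", "list"},
    "sys/mounts/*":       {"create", "read", "update", "delete", "list"},
    "sys/mounts":         {"read"},
}

# Assumption / simplification: enabling or disabling an auth method at
# sys/auth/<mount> is root-protected in Vault and needs "sudo" on top of
# create/update/delete. Finer exceptions (e.g. tune endpoints) are not modelled.
SUDO_PROTECTED = re.compile(r"^sys/auth/.+$")


def rule_to_regex(rule):
    """'+' matches exactly one path segment; a trailing '*' matches any suffix."""
    glob = rule.endswith("*")
    body = rule[:-1] if glob else rule
    pat = "/".join("[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/"))
    return re.compile("^" + pat + (".*" if glob else "$"))


def mount_request_path(tf_path):
    """sys/auth request path the resource's 'path' argument turns into (assumed)."""
    return "sys/auth/" + tf_path.strip("/")


def evaluate(policy, request_path, capability):
    """Return (allowed, winning_rule). Most specific (longest) matching rule wins;
    capabilities are not merged across rules of one policy, as in Vault."""
    matches = [r for r in policy if rule_to_regex(r).match(request_path)]
    if not matches:
        return False, None
    rule = max(matches, key=len)
    caps = policy[rule]
    if capability not in caps:
        return False, rule
    if SUDO_PROTECTED.match(request_path) and "sudo" not in caps:
        return False, rule  # matched, but the root-protected endpoint needs sudo
    return True, rule


if __name__ == "__main__":
    fixed = {**POLICY, "sys/auth/*": {"create", "update", "delete", "sudo"}}
    for tf_path in ("auth/okta/config", "okta"):
        req = mount_request_path(tf_path)
        print(tf_path, "->", req, evaluate(POLICY, req, "create"), evaluate(fixed, req, "create"))
```

Running it shows the post's request landing on the `sys/auth/auth/+/+` rule (denied for lack of `sudo`), while `path = "okta"` maps to `sys/auth/okta` under `sys/auth/*`, which passes once that rule carries `sudo`.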