Permission denied using admin token

Hello everyone!
I’m trying to make a call to the “/v1/sys/mounts” endpoint with the admin token I got from the vault (the token has root permission, I’ve checked it in lookup-self, it has the hcp_root policy). However I keep getting the same error: “1 error occurred:\n\t* permission denied\n\n”.

I’ve made sure that the header is not misspelled and that the token is not incorrect, by the way.
Does anyone have any idea what is happening?

Thanks in advance!

Can you provide the actual command you’re using (redacting the token and sensitive URL bits)?


I’ve tried using both the CLI and the API.

The CLI command: vault secrets list (previously exported VAULT_ADDR & VAULT_TOKEN)

The API call: {{host including the port}}/v1/sys/mounts (the header X-Vault-Token is set to the admin token)

Looks like you’re using HCP Vault, is that correct? If so, I’ve not used it yet and am only making a guess on how to solve, but do you happen to need to specify the namespace header as well?

From what I’m reading you might need to add this to your API command (but the docs say it should be embedded in your token so I’m not too sure):

"X-Vault-Namespace: admin"

Otherwise someone with HCP Vault experience would have to provide guidance.

Jeff is right.
Though I’m unsure what it means by the namespace embedded in the token - I don’t think that is right…
But - you definitely have to set the namespace (via X-Vault-Namespace, or through pathing) in HCP Vault.

Re: embedded namespace id in the token - see the note immediately above this section:

Yep, you both are totally right. Since the error I got was “permission denied”, I thought that the namespace had nothing to do with it, as I’m using the admin token (just for testing purposes). With the right namespace it works fine.
Thanks so much!!!

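The behaviour this thread arrives at, as an added example that is not code from any of the posters or from HashiCorp: the same token is sent to sys/mounts with no namespace, with the X-Vault-Namespace header, and with the namespace in the path. StubVault, TOKEN and the function names are constructed stand-ins so the block runs offline; the stub only models the "permission denied outside admin" response described above.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-token"  # placeholder, not a real credential
DENIED = {"errors": ["1 error occurred:\n\t* permission denied\n\n"]}

class StubVault(BaseHTTPRequestHandler):
    """Constructed stand-in for the cluster: sys/mounts answers only in 'admin'."""
    def do_GET(self):
        ns = (self.headers.get("X-Vault-Namespace") or "").strip("/")
        path = self.path
        if path.startswith("/v1/admin/"):  # namespace supplied through the path
            ns, path = "admin", "/v1/" + path[len("/v1/admin/"):]
        ok = (self.headers.get("X-Vault-Token"), ns, path) == (TOKEN, "admin", "/v1/sys/mounts")
        body = json.dumps({"data": {"secret/": {"type": "kv"}}} if ok else DENIED).encode()
        self.send_response(200 if ok else 403)
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

def list_mounts(addr, token, namespace=None, in_path=False):
    """Return the HTTP status of GET sys/mounts for one way of naming the namespace."""
    headers = {"X-Vault-Token": token}
    url = f"{addr}/v1/sys/mounts"
    if namespace and in_path:
        url = f"{addr}/v1/{namespace}/sys/mounts"
    elif namespace:
        headers["X-Vault-Namespace"] = namespace
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 is the "permission denied" seen in the thread

def probe(addr, token, namespace="admin"):
    return {"none": list_mounts(addr, token), "header": list_mounts(addr, token, namespace),
            "path": list_mounts(addr, token, namespace, in_path=True)}

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    result = probe(f"http://127.0.0.1:{server.server_port}", TOKEN)
    server.shutdown()
    return result

if __name__ == "__main__":
    print(demo())
```

To check a real cluster, call probe() with your own VAULT_ADDR and token instead of demo(); a 403 for "none" alongside 200 for "header" or "path" points at the namespace rather than the token.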