Permission issue: 403 using the client, 200 using curl


I’ve setup a demo kubernetes cluster and installed vault via helm in HA mode.
I forward to the first instance:

kubectl --namespace vault port-forward vault-0 8200

Now I’m facing the issue, that the vault cli application allows me to login, but no command is working. If im using curl instead, everything works as expected.

❯ vault login --address=
Token (will be hidden):
WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.Qfgt1c651gcWbwLKIHHZvPHu
token_accessor       UkApROifWR9l4wJkPyUrfKCQ
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

❯ vault token lookup
Error looking up token: Error making API request.

Code: 403. Errors:

* permission denied

❯ curl -k -X GET -H 'X-Vault-Token:s.Qfgt1c651gcWbwLKIHHZvPHu' ""

Looks like you have a VAULT_TOKEN environment variable set per the warning after the vault login command.

If that’s different than the token in your ~/.vault-token file then that would result in your 403 message via CLI but not API.