I am attempting to use AppRole to provide a token that allows Terraform access to Azure.
I have been following this blog
I feel that I have two issues, both of which are very annoying.
The first issue is that the token being generated cannot generate a child token. The second is that my secret_id keeps timing out, meaning that I have to manually write out a new secret_id, and this happens with monotonous regularity.
I have even set the TTLs on the AppRole and token to 0, which I think should mean “do not time out”.
I am certain that the issue is with Vault and not my Terraform code, as I am getting responses from Terraform that appear consistent.
I am using Vault 1.3.0 running on CentOS 7 in AWS. This is only a dev environment and is not running in HA, so there is no shared storage.
I have configured the Azure secrets engine; there doesn’t seem to be anything that can go wrong there, but I followed these instructions:
https://www.vaultproject.io/docs/secrets/azure
I created it against a pre-existing Service Principal account.
This appears to have worked; however, when I issue a
vault read /azure/creds/Azure-Terraform (my role name)
the output I receive is not as in the article:
I only receive the client_id and the client_secret, with no lease_id, lease_duration or lease_renewable details.
Next I created an AppRole, and this is where I think I may have got confused.
When I issue a vault read /auth/approle/Azure-Terraform/role-id
I receive a valid response that contains the role ID.
When I issue a vault write -force /auth/approle/Azure-Terraform/secret-id
again I receive a valid response, and a new secret_id and secret_id_accessor are written out.
I have created a policy and assigned it to the AppRole.
This policy has since been changed to allow everything, and still it does not work.
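The full AppRole flow the post walks through (create the role with its TTLs, fetch the RoleID, mint a SecretID, log in, then read azure/creds with the resulting token), as an added shell example that is not from the original post or the blog it references. It assumes the vault CLI is on PATH with VAULT_ADDR and an administrative VAULT_TOKEN in the environment; the role name Azure-Terraform comes from the post, while the policy name azure-terraform and the script name are assumptions. The creds_have_lease check at the end is pure shell (no jq) and confirms that the credential came back with a lease_id and a positive lease_duration, the fields the post reports missing.

```shell
#!/bin/sh
# Added example, not code from the original post or the blog it follows.
# Assumes: `vault` CLI on PATH, VAULT_ADDR set, VAULT_TOKEN able to manage
# auth/approle and read azure/creds. Role name taken from the post; the
# policy name is an assumption.
ROLE_NAME="${ROLE_NAME:-Azure-Terraform}"
POLICY_NAME="${POLICY_NAME:-azure-terraform}"

# Create or update the AppRole. secret_id_ttl=0 disables SecretID expiry and
# secret_id_num_uses=0 allows unlimited logins per SecretID. token_ttl and
# token_max_ttl of 0 do NOT mean "never expire": they fall back to the mount
# and system defaults. token_num_uses=0 means unlimited uses for the token.
create_role() {
    vault write "auth/approle/role/$ROLE_NAME" \
        token_policies="$POLICY_NAME" \
        secret_id_ttl=0 \
        secret_id_num_uses=0 \
        token_ttl=0 \
        token_max_ttl=0 \
        token_num_uses=0
}

# Read the role back as Vault stored it; this is where to confirm that the
# TTL and num_uses values actually took effect.
show_role() {
    vault read "auth/approle/role/$ROLE_NAME"
}

# The RoleID is static; a SecretID is minted per request and is the value that
# has to be regenerated whenever it expires or its uses are exhausted.
get_role_id() {
    vault read -field=role_id "auth/approle/role/$ROLE_NAME/role-id"
}
new_secret_id() {
    vault write -f -field=secret_id "auth/approle/role/$ROLE_NAME/secret-id"
}

# Exchange RoleID + SecretID for a client token. This is the login step that
# Terraform performs; the returned token is what fetches the Azure credential.
approle_login() {
    vault write -field=token auth/approle/login \
        role_id="$1" secret_id="$2"
}

# Inspect the token Vault actually issued: ttl, num_uses, policies, orphan.
lookup_token() {
    VAULT_TOKEN="$1" vault token lookup
}

# Read the dynamic Azure credential with the AppRole token, not the admin one.
read_azure_creds() {
    VAULT_TOKEN="$1" vault read -format=json "azure/creds/$ROLE_NAME"
}

# A leased credential must carry a non-empty lease_id and a lease_duration
# above zero. Pure grep/sed over the JSON so it runs without jq.
# Returns 0 when both hold, 1 otherwise.
creds_have_lease() {
    json="$1"
    lease_id=$(printf '%s' "$json" | sed -n 's/.*"lease_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    lease_dur=$(printf '%s' "$json" | sed -n 's/.*"lease_duration"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$lease_id" ] && [ "${lease_dur:-0}" -gt 0 ]
}

main() {
    create_role
    show_role
    role_id=$(get_role_id)
    secret_id=$(new_secret_id)
    app_token=$(approle_login "$role_id" "$secret_id")
    lookup_token "$app_token"
    creds=$(read_azure_creds "$app_token")
    printf '%s\n' "$creds"
    if creds_have_lease "$creds"; then
        echo "azure/creds/$ROLE_NAME returned a leased credential"
    else
        echo "azure/creds/$ROLE_NAME returned no lease_id/lease_duration" >&2
        return 1
    fi
}

# Only talk to Vault when explicitly asked, so the helpers can be sourced and
# checked on their own.
if [ "${RUN_VAULT:-0}" = "1" ]; then
    main
fi
```

Run it as RUN_VAULT=1 sh approle-azure.sh. The show_role output lists the stored secret_id_ttl, secret_id_num_uses and token settings, and lookup_token shows the ttl, num_uses and policies of the token that was actually issued; those two outputs are what to compare against the values the role was meant to have when a SecretID or token stops working earlier than expected.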