* restricted use token cannot generate child tokens

I am attempting to use approle to provide a token to allow provide access to terraform to azure.

I have been following this blog

I feel that I have two issues, both of which are very annoying.

first issue is that I the token being generated cannot generate a child token. the second is that my secret_id keeps timeing out. meaning that I have to manually write out a new secret id. this is with monotonous regularity.

I have even set the TTLs on the approle and token to 0 which I think should mean “do not time out”

I am certain that the issue is with Vault and not my Terraform code as I am getting responses from terraform that appear consistent.

I am using Vault 1.3.0 running on Centos 7 in AWS. this is only a dev environment and is not running in HA so there is no shared storage.

I have configured the azure Secret Engine there doesn’t seem to be anything that can go wrong there but I followed these instructions

https://www.vaultproject.io/docs/secrets/azure

I created against a pre-existing Service Principle account.

This appears to have worked, however when I issue a
vault read /azure/creds/Azure-Terraform (my role name)

The output I receive is not as the article,
I only receive the Client_id and the Client_secret, no Lease_id, Lease_duration or Lease_renewable details.

Next I created an AppRole, and this is where I think I may have got confused.

when I issue out a vault read /auth/approle/Azure-Terraform/role-id
I receive a valid response that contains the role ID
when I issue out a vault write -force /auth/approle/Azure-Terraform/secret-id
again I receive a valid response and a new secret-id and secret_id_assessor are written out

I have created a policy and assigned it to the appRole

this policy has since been changed to allow everything and still it does not work.

from the Terraform side when Issue a terraform plan I receive one of two errors depending upon where in the cycle the secret_id is

firstly when I have a valid secret_ID

Error: failed to create child token: error making API request … * restricted use token cannot generate child token

if the secret_ID is expired I receive the following error

Error making API request … * Invalid Secret ID

As expected. the has lead me to believe that my terraform config is correct

Hi @TomHowarth

I went through this with you but I will share our learnings here for other community members to benefit from.

The first issue you are experiencing is the TTL for the secret_id. When we set the value to zero, it uses the default TTL settings of the AppRole. So if you have a default TTL of 30 seconds for example, a zero value will also default to 30 seconds. To get around that, I recommend increasing the TTL as appropriate for your requirements.

The second issue is the fact that your AppRole doesn’t have the ability to create child tokens. I understand you followed the example laid out in the documentation, which included a setting token_num_uses=10. When this setting is configured with a non-zero value, the token created by the approle becomes a restricted use token or limited use token. Limited-use tokens cannot create child tokens or otherwise those child tokens may escape the use limit intent.

So to solve that issue, this setting should be configured to 0. This could probably be made a bit clearer in the documentation so I will go ahead and open up a pull request to address that.

I’ve opened this PR here to add to the documentation: https://github.com/hashicorp/vault/pull/9397