Single vault for multiple scopes

Hi, I’m setting up a multiscope environment, but I’d like to use the same vault as a different boundary_credential_store_vault in each scope.
But when I try to create a store with the same “address” in the second scope I get an error message:
{"kind":"InvalidArgument","message":"Invalid request. Request attempted to make second resource with the same field value that must be unique."}
Seems there are some kind of restrictions in place.
One workaround that comes to my mind is using different FQDNs in different scopes for the same vault, but that seems ugly.
I’ll be grateful for some advice here.

Hey @dmitryroshchin thanks for reaching out.
When you create the second credential store in another scope, is it using the same token that was used to create the first credential store? Would you be able to try with a different token?


It worked with different tokens!
Thanks a lot @prsekar !


Hey @prsekar, and now I need to do something like this:

resource "boundary_credential_store_vault" "redis_vault" {
  for_each    = toset([]) # set of scope keys; left unfinished in the original post
  name        = "redis_vault"
  description = "Vault credential"
  address     = "https://vault-url"
  token       = "token"
  scope_id    = boundary_scope.service_scope[each.value].id
}

Because I need to have these vault creds in multiple scopes. This time I really need to use the same token.
I could use 20 pregenerated tokens as an ugly workaround, but it’s just horrible.

Hey @dmitryroshchin
Would it be possible for you to generate a token per scope (maybe per credential library) using the vault_token resource? Let us know how this goes.

Thanks to my colleague @louisruch for suggesting this option.
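
The per-scope token suggestion above, written out as an added Terraform example that is not part of the original thread. It assumes boundary_scope.service_scope is declared with for_each as in the earlier post, and that a Vault policy with the assumed name "boundary-controller" already exists.

```hcl
# Added example, not from the thread. Assumes boundary_scope.service_scope
# is declared with for_each, as in the post above, and that the Vault
# policy named below (an assumed name) already exists.

# One Vault token per Boundary scope. Boundary expects the token it is
# given to be orphan, periodic and renewable.
resource "vault_token" "boundary" {
  for_each = boundary_scope.service_scope

  display_name      = "boundary-${each.key}"
  policies          = ["boundary-controller"] # assumed policy name
  no_default_policy = true
  no_parent         = true  # orphan: not revoked together with a parent token
  renewable         = true
  period            = "20m" # periodic token, renewed within this window
}

# One credential store per scope: same Vault address, distinct token,
# which avoids the uniqueness error reported at the top of the thread.
resource "boundary_credential_store_vault" "redis_vault" {
  for_each = boundary_scope.service_scope

  name        = "redis_vault"
  description = "Vault credential"
  address     = "https://vault-url"
  token       = vault_token.boundary[each.key].client_token
  scope_id    = each.value.id
}
```

The generated client_token values are written to the Terraform state, so the state backend needs the same access controls as the tokens themselves.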