Trying to connect vault-secrets-operator through Cloudflare Zero Trust

Hello,

I’ve set up Cloudflare Zero Trust and I have a client_id and client_secret that I need to put into my headers.
When trying locally, using vault login -header=... or vault kv metadata get -header=..., it works fine.

Now, I need to update my vault operator so that it uses the new CF headers. As I’m using the Helm chart, I updated the vault-operator default connection like this:

operator:
  enabled: true
  controller:
    replicas: 1
  defaultVaultConnection:
    enabled: true
    address: "https://vault.example.com"
    skipTLSVerify: false
    headers:
      CF-Access-Client-Id: "myid"
      CF-Access-Client-Secret: "mysecret"
  defaultAuthMethod:
    enabled: false

But it doesn’t work. I get the following issue:

Failed to check Vault seal status: Error making API request. URL: GET https://example.cloudflareaccess.com/cdn-cgi/access/login/vault.example.com Code: 403. Raw Message: <html> <head><title>403 Forbidden</title></head> <body> <center><h1>403 Forbidden</h1></center> <hr><center>cloudflare</center> </body> </html>

Any help would be appreciated :pray:

Also, a question: do I have to update anything else to get it working (like each secret)?

[Best Guess]

To resolve the 403 Forbidden error when connecting the Vault Secrets Operator through Cloudflare Zero Trust, ensure the following:

  1. Cloudflare Zero Trust Access Policies: Confirm your access policies allow requests from the operator based on the CF-Access-Client-Id and CF-Access-Client-Secret.
  2. Helm Chart Configuration: Check the correctness of your Helm chart configuration, particularly the headers and their indentation.
  3. TLS Verification: If using a self-signed or unrecognized CA certificate, consider adjusting skipTLSVerify or adding the CA’s certificate to the trust store, though be cautious with security implications.
  4. Review Logs: Examine Cloudflare Access logs and Vault Secrets Operator logs for additional error details.
  5. Test Connectivity: Use tools like curl from within the cluster to test connectivity to Vault with the Cloudflare headers.

No need to update each secret configuration if the issue is related to authentication or network access. Focus on ensuring your Cloudflare and Helm configurations allow the operator to communicate with Vault.

Thanks!
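For step 5 of the checklist above, here is an added connectivity probe (example script, not part of the thread or of the VSO project). It sends the same two CF-Access headers the operator is configured with to Vault's seal-status endpoint, without following redirects, so that a Cloudflare Access login redirect (the `/cdn-cgi/access/login/` URL seen in the error) shows up as a 302 with its Location rather than as a followed 403. The Vault address and the service token values are placeholders you substitute; `classify_response` is a helper introduced here for the diagnosis.

```shell
#!/bin/sh
# Added example, not from the thread: probe Vault through Cloudflare Access
# with the operator's headers and classify the outcome.
# Placeholders: the Vault address and the CF-Access service token values.

# classify_response STATUS REDIRECT_URL
# Prints "<category>: <explanation>" for what curl saw on /v1/sys/seal-status.
classify_response() {
  status="$1"
  redirect="$2"
  case "$status" in
    200)
      echo "ok: Access accepted the service token and Vault answered" ;;
    301|302|307|308)
      case "$redirect" in
        *"/cdn-cgi/access/login/"*)
          # This is the redirect behind the 403 in the operator log: Access did
          # not treat the request as authenticated by the service token.
          echo "access-login-redirect: Cloudflare Access did not accept the headers (missing, wrong, or not allowed by the Access policy)" ;;
        *)
          echo "redirect: unexpected redirect to ${redirect:-<none>}" ;;
      esac ;;
    403)
      echo "forbidden: the Access policy (or origin) rejected the request" ;;
    000)
      echo "no-connection: curl could not reach the host (DNS, egress, or TLS failure)" ;;
    *)
      echo "unexpected: HTTP $status" ;;
  esac
}

# probe_vault ADDR CLIENT_ID CLIENT_SECRET
# Sends one request with the CF-Access headers; no -L, so redirects stay visible.
probe_vault() {
  addr="$1"; client_id="$2"; client_secret="$3"
  result=$(curl -sS -o /dev/null \
    -w '%{http_code} %{redirect_url}' \
    -H "CF-Access-Client-Id: $client_id" \
    -H "CF-Access-Client-Secret: $client_secret" \
    "$addr/v1/sys/seal-status") || result="000 "
  # split "STATUS REDIRECT_URL" into $1 and $2 (word splitting is intended)
  set -- $result
  classify_response "$1" "${2:-}"
}

# usage (placeholders): run this from a pod in the same namespace as the operator
# probe_vault "https://vault.example.com" "$CF_ACCESS_CLIENT_ID" "$CF_ACCESS_CLIENT_SECRET"
```

Run it from inside the cluster (for example from a throwaway pod started with `kubectl run` and the `curlimages/curl` image) so that the probe uses the same egress path and DNS as the operator. An `ok` result with the same values the Helm chart carries means Access and the network are fine and the remaining suspect is how the operator itself sends the headers; an `access-login-redirect` result means the service token or the Access policy needs attention first.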

Everything has been verified and double-checked again and again :slight_smile: I posted an issue in the VSO GitHub and it seems that it comes from the VSO app itself.
They will fix it in v0.5.2 => VSO failed to connect through CloudFlare Zero Trust · Issue #622 · hashicorp/vault-secrets-operator · GitHub