When attempting to put in keys generated by the google-authenticator CLI I get the error below. An example of a key is ‘NN4UYFOCKUK2PEF6MU3TZ3YM6Y’. This key works fine in the Google Authenticator Android app as well as the Linux package ‘oathtool’.
REQUIRED: The secret parameter is an arbitrary key value encoded in Base32 according to RFC 3548. The padding specified in RFC 3548 section 2.2 is not required and should be omitted.
Because Google strips off the padding, you need to add it back in by appending ====== to your TOTP secret string when adding it to Vault before it will work. The code Google uses is technically nearly-valid base32; however, it is missing the = padding on the end.
So when entering the code you’ve provided into Vault you must use NN4UYFOCKUK2PEF6MU3TZ3YM6Y====== for example, so Vault can successfully decode the base32 and output valid 6-digit codes.
That “equals” padding is missing and Google Authenticator is OK with that. Adding it back for Vault does the trick.
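The padding rule from the replies above, generalized to any key length, as an added example that is not code from Vault, Google Authenticator or the posters. The function names `pad_base32` and `totp` are hypothetical, and the TOTP parameters (HMAC-SHA1, 30-second step, 6 digits) are assumed defaults.

```python
import base64
import hashlib
import hmac
import struct

# Unpadded Base32 lengths (mod 8) that encode a whole number of bytes.
# Remainders 1, 3 and 6 can never occur in a valid secret.
_VALID_REMAINDERS = {0, 2, 4, 5, 7}


def pad_base32(secret: str) -> str:
    """Restore the '=' padding that Google Authenticator leaves off."""
    s = secret.replace(" ", "").replace("-", "").upper().rstrip("=")
    if len(s) % 8 not in _VALID_REMAINDERS:
        raise ValueError(f"{len(s)} characters is not a valid Base32 length")
    # Pad up to the next multiple of 8 characters (0 to 6 '=' signs).
    return s + "=" * (-len(s) % 8)


def totp(secret: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a padded or unpadded Base32 secret."""
    key = base64.b32decode(pad_base32(secret))
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation from RFC 4226: low nibble of the last byte
    # selects a 4-byte window, top bit masked off.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    key = "NN4UYFOCKUK2PEF6MU3TZ3YM6Y"  # the key quoted in the question
    print(pad_base32(key))               # 26 characters -> 6 '=' appended
    print(totp(key, at=59))              # same code with or without padding
```

A 26-character key like the one in the question needs six `=`; keys of other lengths need a different count, so computing it is safer than always appending `======`.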