Unsupport path when enabling TOTP MFA method

joe.sremba · June 8, 2023, 7:37pm

Receiving the following error when trying to enable TOTP MFA for Vault.

Error: error writing to Vault at sys/mfa/method/totp/gfs_mfa, err=Error making API request.
14:26:22  
14:26:22  URL: PUT https://<VAULT URL>/v1/sys/mfa/method/totp/gfs_mfa
14:26:22  Code: 404. Errors:
14:26:22  
14:26:22  * 1 error occurred:
14:26:22  	* unsupported path
14:26:22  
14:26:22  
14:26:22  
14:26:22    on mfa_totp.tf line 1, in resource "vault_mfa_totp" "mfa_totp":
14:26:22     1: resource "vault_mfa_totp" "mfa_totp" {

We are using Vault open source and are currently on version 1.12.2 (although I’ve received the same error on 1.13.2).
We are using Terraform, so we’re trying to apply this change with the vault_mfa_totp resource.
I understand from this post (sys/mfa/method/okta/my_okta --- unsupported path · Issue #7671 · hashicorp/vault · GitHub) that the sys/mfa endpoint is only available in Vault Enterprise.

How are we to change the endpoint to apply this feature in Vault using Terraform?

Thank you

joe.sremba · June 8, 2023, 8:21pm

Follow-up…

I was able to get the TOTP MFA method configured in Vault open source using the Terraform vault_generic_endpoint via the code below since this resource supports a path argument.

resource "vault_generic_endpoint" "totp" {
  path           = "/identity/mfa/method/totp"
  disable_read   = true
  disable_delete = true
  data_json      = <<EOT
{
  "algorithm":"SHA1",
  "digits":"6",
  "issuer":"vault",
  "key_size":"20",
  "name":"totp",
  "period":"30",
  "qr_size":"200",
  "skew":"1"
}
EOT
}

While this works, this should be doable using vault_mfa_totp.

maxb · June 9, 2023, 11:50am

That resource is specific to a kind of MFA that is only present in Vault Enterprise.

Configuring this shouldn’t be possible using that resource, but there ought to be another resource to do it, and the documentation should be made better so it is less confusing.

I believe there have been no less than three different implementations of MFA in Vault over the years, some Enterprise-only, some not, so there are lots of docs out there which can lead people in false directions.

maxb · June 9, 2023, 11:51am

UPDATE: The vault_identity_mfa_totp resource already exists: Terraform Registry

joe.sremba · June 9, 2023, 12:03pm

Thank you @maxb

I just found this resource this morning and already have it working.