Vault agent error 403 on every startup


we use vault agent injector and we see in the logs that on each start the container produces the following logs:

==> Vault server started! Log data will stream in below:

==> Vault agent configuration:

                    Cgo: disabled
            Log Level: info
2020-09-30T10:56:27.938Z [INFO]  sink.file: creating file sink
2020-09-30T10:56:27.938Z [INFO]  sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
2020-09-30T10:56:27.939Z [INFO]  template.server: starting template server
                Version: Vault v1.4.2

2020/09/30 10:56:27.939175 [INFO] (runner) creating new runner (dry: false, once: false)
2020/09/30 10:56:27.939653 [INFO] (runner) creating watcher
2020-09-30T10:56:27.939Z [INFO]  auth.handler: starting auth handler
2020-09-30T10:56:27.939Z [INFO]  auth.handler: authenticating
2020-09-30T10:56:27.940Z [INFO]  sink.server: starting sink server
2020-09-30T10:56:28.048Z [INFO]  auth.handler: authentication successful, sending token to sinks
2020-09-30T10:56:28.048Z [INFO]  auth.handler: starting renewal process
2020-09-30T10:56:28.048Z [INFO]  template.server: template server received new token
2020/09/30 10:56:28.048087 [INFO] (runner) stopping
2020/09/30 10:56:28.048128 [INFO] (runner) creating new runner (dry: false, once: false)
2020-09-30T10:56:28.048Z [INFO]  sink.file: token written: path=/home/vault/.vault-token
2020/09/30 10:56:28.048395 [INFO] (runner) creating watcher
2020/09/30 10:56:28.048471 [INFO] (runner) starting
2020-09-30T10:56:28.073Z [INFO]  auth.handler: renewed auth token
2020/09/30 10:56:28.073819 [WARN] failed to check if auth/token/lookup-self is KVv2, assume not: Error making API request.

URL: GET https://vault.vault.svc:443/v1/sys/internal/ui/mounts/auth/token/lookup-self
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "auth/token/lookup-self/"
2020/09/30 10:56:28.164004 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/token"

Is this normal behavior or something I should be worried about?
It seems like everything is working correctly, but the error does raise my attention.


I’m running into this also. I’ve tried adding a policy that grants read access to auth/token/lookup-self, but that doesn’t appear to help.

Yes, I tried the same without being able to get rid of the error message.

Same. I also added to the policy to no avail. Any ideas?

This policy seems to work for me:

path "token/lookup-self" {
  capabilities = ["read"]
}
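The question in the thread is really "is this 403 blocking anything?". The agent log already contains the answer if you read it structurally: the token was issued, the template rendered, and the 403 came only from the KV-version probe (sys/internal/ui/mounts/...) the template runner makes before fetching a secret. As an added example that is not part of this thread and not HashiCorp's code, here is a small Python parser that turns such a log into a report a practitioner can alert on: it records whether authentication succeeded, which files rendered, and, for each "failed to check if ... is KVv2" warning, the method, URL, status and the path the error text asks the policy to cover. The sample log is constructed from the lines posted above. The policy_stanza helper just renders HCL for whatever path you give it; it deliberately does not decide between the path named in the error text (auth/token/lookup-self/) and the one in the stanza that worked for the poster (token/lookup-self).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the relevant agent log lines from the thread above
# (successful auth, the preflight 403 from the KV-version probe, the final render).
SAMPLE_LOG = """\
2020-09-30T10:56:28.048Z [INFO]  auth.handler: authentication successful, sending token to sinks
2020-09-30T10:56:28.048Z [INFO]  sink.file: token written: path=/home/vault/.vault-token
2020-09-30T10:56:28.073Z [INFO]  auth.handler: renewed auth token
2020/09/30 10:56:28.073819 [WARN] failed to check if auth/token/lookup-self is KVv2, assume not: Error making API request.

URL: GET https://vault.vault.svc:443/v1/sys/internal/ui/mounts/auth/token/lookup-self
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "auth/token/lookup-self/"
2020/09/30 10:56:28.164004 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/token"
"""

KV_CHECK_RE = re.compile(r"\[WARN\] failed to check if (\S+) is KVv2")
URL_RE = re.compile(r"^URL:\s+([A-Z]+)\s+(\S+)\s*$")
CODE_RE = re.compile(r"^Code:\s+(\d+)\.")
PREFLIGHT_RE = re.compile(
    r"preflight capability check returned (\d+), please ensure client's "
    r"policies grant access to path \"([^\"]+)\""
)
RENDERED_RE = re.compile(r'\(runner\) rendered "[^"]*" => "([^"]+)"')


@dataclass
class PreflightDenial:
    probed_path: str          # secret path the agent tried to classify as KV v1/v2
    method: str = ""
    url: str = ""
    status: int = 0
    required_path: str = ""   # path the error text says the token's policies must cover


@dataclass
class AgentLogReport:
    authenticated: bool = False
    rendered: List[str] = field(default_factory=list)
    denials: List[PreflightDenial] = field(default_factory=list)


def parse_agent_log(log: str) -> AgentLogReport:
    """Walk the log once; the multi-line API error is attached to the WARN line that precedes it."""
    report = AgentLogReport()
    current: Optional[PreflightDenial] = None
    for line in log.splitlines():
        if "auth.handler: authentication successful" in line:
            report.authenticated = True
            continue
        m = KV_CHECK_RE.search(line)
        if m:
            current = PreflightDenial(probed_path=m.group(1))
            report.denials.append(current)
            continue
        if current is not None:
            m = URL_RE.match(line)
            if m:
                current.method, current.url = m.group(1), m.group(2)
                continue
            m = CODE_RE.match(line)
            if m:
                current.status = int(m.group(1))
                continue
            m = PREFLIGHT_RE.search(line)
            if m:
                current.status = int(m.group(1))
                current.required_path = m.group(2)
                current = None          # the bullet line closes this error block
                continue
        m = RENDERED_RE.search(line)
        if m:
            report.rendered.append(m.group(1))
    return report


def policy_stanza(path: str, capabilities=("read",)) -> str:
    """Render one Vault ACL path stanza in HCL for the given path and capabilities."""
    caps = ", ".join(f'"{c}"' for c in capabilities)
    return f'path "{path}" {{\n  capabilities = [{caps}]\n}}\n'


def triage(report: AgentLogReport) -> str:
    """One-line verdict: distinguish a real auth failure from the non-fatal probe 403."""
    if not report.authenticated:
        return "auth failed: agent never received a token"
    if report.denials and report.rendered:
        paths = ", ".join(sorted({d.required_path for d in report.denials}))
        return f"secrets rendered; non-fatal preflight 403 on KV-version probe, policy lacks: {paths}"
    if report.denials:
        return "preflight denied and nothing rendered"
    return "healthy: authenticated and rendered without policy warnings"


if __name__ == "__main__":
    rep = parse_agent_log(SAMPLE_LOG)
    print(triage(rep))
    for d in rep.denials:
        print(policy_stanza(d.required_path))
```

Run against the sample, triage reports that the secret file rendered and that the only denial is the KV-version probe, which is why the thread's original poster saw everything working. The missing-capability path is surfaced so it can be fed into a policy review instead of being grepped out of the logs by hand.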

That rule worked for me. Thanks mate!