Vault agent - permission denied

Hello All,

Good day. I am working on with a project where we have to pull secrets stored in HashiCrop Vault and get it rendered locally for app to read.

I decided to use vault agent instead of reinventing the wheel and configured it like below,

vault {
ca_path = “/var/run/secrets/”
address = “https://masked:8200
vault_agent_token_file = “/tmp/token”

pid_file = “/tmp/pid”

auto_auth {
method “cert” {
type = “cert”
mount_path = “auth/cert”
namespace = “ccib/ch”
config = {
client_cert = “/var/run/secrets/”
client_key = “/var/run/secrets/”
remove_secret_id_file_after_reading = “false”

sink “file” {
type = “file”
config = {
path = “/tmp/token”

template {
source = “/tmp/test.hcl”
destination = “/tmp/test.txt”

content of test.hcl,

{{ with secret “maskedpath/DATA” }}
{{ . }}
{{ end }}

When I run it with command,

vault-1.6.3 agent -config vault-agent.config -tls-skip-verify -log-level=trace

it is generating the token ( in /tmp/token) which is valid and then when rendering the secret it is throwing below error

URL: GET https://masked:8200/v1/maskedpath/DATA
Code: 403. Errors:

  • 1 error occurred:
    * permission denied

But at the same time when I try it via curl it is working perfectly fine,

curl --header “X-Vault-Token: $(cat /tmp/token)” --request GET https://masked:8200/v1/maskedpath/DATA

Need other advice.


It’s been a while since I’ve used the Vault agent but looking at my previous testing files I did not have a sink configured when pulling secrets with the agent itself.

Perhaps remove the sink to see if that starts working for you?

Also, I believe the remove_secret_id_file_after_reading parameter is unnecessary in this case as you’re not using AppRole for authentication.

What type of secret is it?
I’ve never seen {{ . }}
I use {{ .Data }} for all to be returned.