I’m doing a POC for MySQL using the keyring plugin. I have set up a Vault server and an AppRole auth agent, and I can get the token and inject it into my keyring conf file, but when bootstrapping the first node I get this error.
I have no experience with the MySQL keyring_vault plugin, so I am not sure I can be of help, but there are a couple of things I see worth pointing out in your policy:
I don’t see any mention of needing this permission in the relevant documentation; I would suggest removing it unless you locate a reason it is required. It is not a security hole directly, but it is extra complexity most users don’t need.
You have locked down the metadata operations to list only. Why? I am not certain, but this may cause some of your problems.
This block is wholly redundant, since these permissions are already implied by the PRD/* rule.
The auth portion is there because I’m using an AppRole ID along with a role ID/secret ID to generate a token, and a bash script to update the keyring_conf file on the MySQL server, but even with the policies corrected I got the same error message when I bootstrap the first server: