Vault "could not decode base64 key's signature" mysql-keyring vault plugin

I’m doing a POC for MySQL using the keyring plugin. I have set up a Vault server and an AppRole/auth agent. I can get the token and inject it into my keyring conf file, but when bootstrapping the first get node I get this error.

I’ve been looking for something similar to this error, but I haven’t found a similar topic.

Here are my policies.

Permits token creation for app role

path "auth/token/create" {
  capabilities = ["update"]
}

path "PRD/config" {
  capabilities = ["read"]
}

path "PRD/*" {
  capabilities = ["create", "read", "delete", "update", "list"]
}

path "PRD/metadata/percdbpoc01/*" {
  capabilities = ["list"]
}

path "PRD/data/percdbpoc01/*" {
  capabilities = ["create", "read", "delete", "update", "list"]
}

I have no experience with the MySQL keyring_vault plugin, so I am not sure I can be of help, but there are a couple of things I see worth pointing out in your policy:

I don’t see any mention of needing this permission in the relevant documentation - I would suggest removing it unless you locate a reason it is required. It is not a security hole directly, but it is an extra complexity most users don’t need.

You have locked down the metadata operations to list only. Why? I am not certain, but this may cause some of your problems.

This block is wholly redundant, since these permissions are already implied by the PRD/* rule.
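
Added example, not part of either post: a simplified Python model of how Vault selects the rule for a request path (exact match first, then the longest matching glob prefix), applied to the policy from the question. It ignores `+` segment wildcards and `deny`, and the sample request paths are constructed for illustration.

```python
# Simplified model of Vault ACL path resolution within one policy:
# an exact path wins, otherwise the longest-prefix glob ("...*") wins.
# Capabilities of a broader rule are NOT merged into a more specific one.
FULL = {"create", "read", "delete", "update", "list"}

# Rules transcribed from the policy in the question.
POLICY = {
    "auth/token/create": {"update"},
    "PRD/config": {"read"},
    "PRD/*": FULL,
    "PRD/metadata/percdbpoc01/*": {"list"},
    "PRD/data/percdbpoc01/*": FULL,
}

def winning_rule(policy, path):
    """Return the rule path that governs `path`, or None (implicit deny)."""
    if path in policy:
        return path
    globs = [p for p in policy if p.endswith("*") and path.startswith(p[:-1])]
    return max(globs, key=len) if globs else None

def effective(policy, path):
    """Capabilities actually granted on `path`."""
    rule = winning_rule(policy, path)
    return set(policy[rule]) if rule else set()

def redundant_rules(policy):
    """Rules granting exactly what the next broader glob already grants."""
    out = []
    for rule, caps in policy.items():
        stem = rule[:-1] if rule.endswith("*") else rule
        broader = [p for p in policy
                   if p != rule and p.endswith("*") and stem.startswith(p[:-1])]
        if broader and set(policy[max(broader, key=len)]) == set(caps):
            out.append(rule)
    return sorted(out)

if __name__ == "__main__":
    # Constructed request paths, not taken from the thread.
    for path in ("PRD/config",
                 "PRD/data/percdbpoc01/key1",
                 "PRD/metadata/percdbpoc01/key1",
                 "secret/other"):
        print(f"{path:32} rule={winning_rule(POLICY, path)!s:28} "
              f"caps={sorted(effective(POLICY, path))}")
    print("redundant:", redundant_rules(POLICY))
```

The metadata rule is the one that changes behaviour: it narrows those paths to `list` even though `PRD/*` grants more, while the `PRD/data/percdbpoc01/*` rule changes nothing.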

Thanks for your input.

The auth portion is because I’m using an AppRole ID along with role/secret ID to generate a token and a bash script to update the keyring_conf file on the MySQL server, but even with the policies corrected I got the same error message when I bootstrap the first server: