Trying to set up credential brokering for Boundary using Vault Cloud, but I keep getting the following error when trying to create the stores.
```
Error from controller when performing create on vault-type credential store
Error information:
Kind: Internal
Message: credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: unable to get vault capabilities:
unknown: error #0: Error making API request.
```
Anyone hit this before?
It looks like the Vault token you provided doesn’t have the necessary permissions. Did you give the token the permissions in the sample Vault Boundary Controller Policy in the docs?
The token is generated using the controller policy from the docs, but I think you're right that it's a permission issue with the token. There might be an additional permission missing that is required when using Vault Enterprise. Currently digging into the logs to see what's going on.
The VAULT_TOKEN environment variable could be causing a problem if it is set. Not sure if that is helpful but I thought I should mention it. Also, are you using Vault namespaces?
Louis here from the Boundary team. Firstly, thank you for trying Boundary! Apart from the namespace question from @mgaffney, I have two quick follow-up questions about your issue:
Is that the full error message you are seeing? Looking at the code, the message should include some more detail at the end; there might be a bug that is truncating it.
The specific error you are getting happens when Boundary is trying to verify the Vault capabilities. Would it be possible for you to verify that you can reach this endpoint manually, and post the response here? `/sys/capabilities-self` (HTTP API | Vault by HashiCorp)
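The manual check Louis asks for, written out as a small script. This is an added example, not code from the Boundary or Vault projects: it sends the same `POST /v1/sys/capabilities-self` request the controller makes (with the `X-Vault-Namespace` header, since on Vault Enterprise and HCP Vault the request is evaluated inside that namespace) and then compares the returned capabilities against the paths the Boundary controller policy is expected to grant. The `REQUIRED_CAPABILITIES` table is my reading of the controller policy in the Boundary docs and should be treated as an assumption; compare it with the policy you actually applied. Only the standard library is used.

```python
"""Check whether a Vault token has the capabilities Boundary's controller needs.

Added example, not Boundary or Vault project code. The path/capability table
is assumed from the Boundary docs' controller policy; adjust to match yours.
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Paths and capabilities the Boundary controller policy grants (assumption,
# taken from memory of the docs; verify against your own policy file).
REQUIRED_CAPABILITIES = {
    "auth/token/lookup-self": {"read"},
    "auth/token/renew-self": {"update"},
    "auth/token/revoke-self": {"update"},
    "sys/leases/renew": {"update"},
    "sys/leases/revoke": {"update"},
    "sys/capabilities-self": {"update"},
}


def query_capabilities_self(addr, token, namespace, paths):
    """POST /v1/sys/capabilities-self and return (http_status, parsed_body).

    Vault Enterprise / HCP Vault evaluate the call inside the namespace named by
    X-Vault-Namespace, so a token created in one namespace but queried without
    it (or in another) comes back 403 "permission denied", which is what
    Boundary surfaces as "unable to get vault capabilities".
    """
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/sys/capabilities-self",
        data=json.dumps({"paths": list(paths)}).encode(),
        method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    if namespace:
        req.add_header("X-Vault-Namespace", namespace)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        # Vault returns the error list as JSON; keep it so the caller can print it.
        return e.code, json.loads(e.read() or b"{}")


def missing_capabilities(body, required=REQUIRED_CAPABILITIES):
    """Compare a capabilities-self response with the required set.

    Newer Vault versions nest the per-path lists under "data"; older ones put
    them at the top level, so both shapes are accepted. "root" satisfies every
    requirement; "deny" satisfies none. Returns {path: missing_caps} for any
    path that falls short, so an empty dict means the token is sufficient.
    """
    data = body.get("data", body)
    missing = {}
    for path, needed in required.items():
        granted = set(data.get(path, []))
        if "root" in granted:
            continue
        if "deny" in granted:
            granted = set()
        short = needed - granted
        if short:
            missing[path] = short
    return missing


def main():
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    # Prefer an explicit variable so a stale VAULT_TOKEN in the shell cannot
    # silently be the token being tested.
    token = os.environ.get("BOUNDARY_VAULT_TOKEN") or os.environ.get("VAULT_TOKEN", "")
    namespace = os.environ.get("VAULT_NAMESPACE", "")
    status, body = query_capabilities_self(addr, token, namespace, REQUIRED_CAPABILITIES)
    if status != 200:
        print(f"capabilities-self returned HTTP {status}: {body.get('errors')}")
        return 1
    gaps = missing_capabilities(body)
    for path, caps in gaps.items():
        print(f"{path}: missing {sorted(caps)}")
    return 1 if gaps else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with `VAULT_ADDR`, `VAULT_NAMESPACE` and `BOUNDARY_VAULT_TOKEN` set to exactly the values given to Boundary. A 403 from this script means the token cannot even ask about itself in that namespace (wrong namespace, or a policy that lacks `update` on `sys/capabilities-self`); a 200 with gaps listed means the token exists in the right place but the policy attached to it is narrower than Boundary needs. The Vault CLI equivalent of the first step is `vault token capabilities -namespace=<ns> sys/capabilities-self`.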
We are using Vault namespaces for each environment. The full error message from the controller is below; I will run the HTTP API request and see what the output response is.
```
Error from controller when performing create on vault-type credential store
Error information:
Kind: Internal
Message: credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: unable to get vault capabilities:
unknown: error #0: Error making API request.
URL: POST https://****/v1/sys/capabilities-self
Code: 403. Errors:
* 1 error occurred:
* permission denied
Status: 500
context: Error from controller when performing create on vault-type credential store
```
Having a similar issue. Trying to connect Boundary to HCP Vault.
I specified the admin namespace as a flag, but I get permission denied.
Manually, I get a response that is not permission denied.
This looks like a permission error. Does the Vault token you created for Boundary have policies associated with it that allow Boundary to read the secrets it needs to?