Hi.
I am using a vault approle auth_login in a TF provider template as follows.
provider "vault" {
alias = "base"
address = local.vault_address
namespace = local.vault_base_namespace
auth_login {
path = "auth/jenkins_ci/login"
namespace = local.vault_base_namespace
parameters = {
role_id = var.login_approle_role_id
secret_id = var.login_approle_secret_id
}
}
}
provider "vault" {
alias = "bootstrap"
address = local.vault_address
namespace = local.vault_bootstrap_namespace
//namespace = join ("/", [ local.vault_base_namespace, local.vault_bootstrap_namespace ])
auth_login {
path = "auth/jenkins_ci/login"
namespace = local.vault_base_namespace
parameters = {
role_id = var.login_approle_role_id
secret_id = var.login_approle_secret_id
}
}
}
However i am getting the following error
Error: error retrieving list of mounts: Error making API request.
β
β URL: GET https://vault.example.com/v1/sys/mounts
β Code: 403. Errors:
β
β * 1 error occurred:
β * permission denied
β
β
β
β with module.vault-bootstrap.vault_aws_secret_backend.aws,
β on ../modules/vault-bootstrap/main.tf line 6, in resource "vault_aws_secret_backend" "aws":
β 6: resource "vault_aws_secret_backend" "aws" {
resource "vault_aws_secret_backend" "aws" {
provider = vault.bootstrap
access_key = var.aws_access_key
secret_key = var.aws_secret_key
path = var.aws_account_number
region = var.aws_region
default_lease_ttl_seconds = var.default_lease_ttl_aws_seconds
max_lease_ttl_seconds = var.max_lease_ttl_aws_seconds
depends_on = [ vault_namespace.bootstrap_namespace ]
}
I am trying to create a aws secrets backend under a sub namespace with that Token form the base namespace. for eg. Base_namespace is base and sub_namespace is ns1 as an example . Donno if i am missing anything in the approle policy.?
path "azure/creds/azure-dynamic-creds" {
capabilities = ["read"]
}
# List sys/mounts/
path "sys/mounts" {
capabilities = ["read"]
}
# Create and manage secrets engines broadly across Vault.
path "sys/mounts/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# List auth methods
path "sys/auth" {
capabilities = ["read"]
}
# Create, update, and delete auth methods
path "sys/auth/*" {
capabilities = ["create", "update", "delete", "sudo"]
}
# AWS secrets engine
path "aws/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# AWS secrets engine
path "sys/namespaces/*/aws" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/leases/lookup/*" {
capabilities = ["list", "sudo"]
}
path "sys/leases/lookup" {
capabilities = ["read"]
}
path "+/auth/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "+/sys/auth*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "+/sys/policies/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "+/sys/mounts/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/namespaces/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/policies/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List available secrets engines
path "+/sys/mounts" {
capabilities = ["read"]
}
#Terraform tries to create a subtoken
path "auth/token/create" {
capabilities = ["create", "update"]
}
# Terraform looks up the token used. Vault CLI does
# not require this capability
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "+/+/data/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "global/*" {
capabilities = ["read", "list"]
}
path "development/*" {
capabilities = ["read", "list"]
}
I am trying to use the Token from a Vault AppRole created in the basenamespace to create resources in the sub namespace
Regards,
Kevin