Hello,
We have Vault version v1.14.2 installed behind a load balancer (several nodes form a cluster).
We followed the recommended Vault AppRole usage pattern to retrieve a wrapped secret-id.
We created the policy as described (my-policy):
path "auth/approle/role/+/secret*" {
  capabilities = ["create", "read", "update"]
  min_wrapping_ttl = "100s"
  max_wrapping_ttl = "300s"
}
and associated it with the token we created with the following command:
./vault token create -policy=my-policy -ttl=0
With the token received, we try to access the custom role's secret-id, but this always gives us an error:
Code 403, or "error": "1 error occurred:\n\t* permission denied\n\n" (in the audit log).
If we look at the capabilities of the token on the requested path, it's OK:
vault token capabilities hvs.mytoken…. auth/approle/role/my-role/secret-id
We receive the following output:
create, read, update
We've tried to access the resource through the CLI and curl, but the result is always the same.
The audit log gives us "policy_results": {
"allowed": false
What are we doing wrong? What more can we do to find the problem?
Best regards,
David
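Added example for readers of this thread (not code from the original post or from HashiCorp): a small POSIX shell script that requests the secret-id with response wrapping, under the policy quoted above. It assumes the role name "my-role" and the 100s/300s bounds from the post, and VAULT_ADDR / VAULT_TOKEN in the environment for the live request. The point it demonstrates is that a policy rule with min_wrapping_ttl set is only satisfied by a request that asks for response wrapping with a TTL inside [min, max]; vault token capabilities reports the path capabilities alone and says nothing about that wrapping constraint, so "create, read, update" and a 403 on a plain, unwrapped request can coexist.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the role "my-role" and the
# policy bounds min_wrapping_ttl=100s / max_wrapping_ttl=300s quoted in the thread,
# plus VAULT_ADDR / VAULT_TOKEN in the environment for the live HTTP request.

POLICY_MIN_WRAP_TTL=100   # seconds, from min_wrapping_ttl = "100s"
POLICY_MAX_WRAP_TTL=300   # seconds, from max_wrapping_ttl = "300s"

# The path that the policy rule "auth/approle/role/+/secret*" matches for a role.
secret_id_path() {
  printf 'auth/approle/role/%s/secret-id' "$1"
}

# Pre-flight check mirroring the wrapping constraint Vault evaluates on top of the
# path capabilities. ttl is the requested wrap TTL in seconds (0 = no wrapping asked).
# Returns 0 when the request satisfies the policy, 1 (with a reason on stderr) otherwise.
wrap_ttl_allowed() {
  ttl=$1; min=$2; max=$3
  if [ "$min" -gt 0 ] && [ "$ttl" -le 0 ]; then
    echo "denied: min_wrapping_ttl=${min}s makes response wrapping mandatory (use -wrap-ttl)" >&2
    return 1
  fi
  if [ "$ttl" -gt 0 ] && [ "$ttl" -lt "$min" ]; then
    echo "denied: wrap TTL ${ttl}s is below min_wrapping_ttl=${min}s" >&2
    return 1
  fi
  if [ "$max" -gt 0 ] && [ "$ttl" -gt "$max" ]; then
    echo "denied: wrap TTL ${ttl}s exceeds max_wrapping_ttl=${max}s" >&2
    return 1
  fi
  return 0
}

# Request a wrapped secret-id over the HTTP API. X-Vault-Wrap-TTL is the header
# equivalent of the CLI's -wrap-ttl flag; only the wrapping token comes back, and the
# secret-id itself is revealed to whoever unwraps that token. Without VAULT_ADDR and
# VAULT_TOKEN the function prints the equivalent CLI command instead of calling curl.
request_wrapped_secret_id() {
  role=$1; ttl=$2
  wrap_ttl_allowed "$ttl" "$POLICY_MIN_WRAP_TTL" "$POLICY_MAX_WRAP_TTL" || return 1
  if [ -z "${VAULT_ADDR:-}" ] || [ -z "${VAULT_TOKEN:-}" ]; then
    echo "dry run (VAULT_ADDR/VAULT_TOKEN unset); equivalent CLI:" >&2
    echo "vault write -wrap-ttl=${ttl}s -f $(secret_id_path "$role")"
    return 0
  fi
  curl -sS -X POST \
    -H "X-Vault-Token: $VAULT_TOKEN" \
    -H "X-Vault-Wrap-TTL: ${ttl}s" \
    "$VAULT_ADDR/v1/$(secret_id_path "$role")"
}

# An unwrapped request (what a plain `vault write -f .../secret-id` sends) fails the
# pre-flight check for the same reason Vault refuses it; a 200s wrap is inside the window.
request_wrapped_secret_id my-role 0 || true
request_wrapped_secret_id my-role 200
```

When diagnosing a denial like the one in the post, compare the wrap TTL the client actually sent (the audit log records the request's wrap_ttl) against the policy bounds before looking further at capabilities.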