Vault - transit - permission denied with root token

Hello all,

I’ve been testing out the Cloud Vault solution and specifically the transit secret engine. After I generated a token to access the vault cluster from the hashicorp interface I created a my-key as per the examples with no issues from the CLI

$ ./vault write -f transit/keys/my-key
Success! Data written to: transit/keys/my-key

However when I try with the API I get

curl --header "X-Vault-Token: ROOT_TOKEN_HERE"https://PUBLIC_URL_HERE:8200/v1/transit/keys/my-key
{“errors”:[“1 error occurred:\n\t* permission denied\n\n”]}

$ ./vault token lookup ROOT_TOKEN_HERE
path auth/token/create
policies [default hcp-root]
renewable false
ttl 2h12m53s
type service

What am I missing here? I tried created a new policy just with the transit permissions but still no luck.

I managed to solve this issue. I was missing the X-Vault-Namespace header

1 Like

this took me forever to figure out… they should really have this in the documentation