Vault - transit - permission denied with root token

alexballas · March 23, 2021, 11:32pm

Hello all,

I’ve been testing out the Cloud Vault solution and specifically the transit secret engine. After I generated a token to access the vault cluster from the hashicorp interface I created a my-key as per the examples with no issues from the CLI

$ ./vault write -f transit/keys/my-key
Success! Data written to: transit/keys/my-key

However when I try with the API I get

curl --header "X-Vault-Token: ROOT_TOKEN_HERE"https://PUBLIC_URL_HERE:8200/v1/transit/keys/my-key
{“errors”:[“1 error occurred:\n\t* permission denied\n\n”]}

$ ./vault token lookup ROOT_TOKEN_HERE
.
.
.
path auth/token/create
policies [default hcp-root]
renewable false
ttl 2h12m53s
type service

What am I missing here? I tried created a new policy just with the transit permissions but still no luck.

alexballas · March 24, 2021, 7:34pm

I managed to solve this issue. I was missing the X-Vault-Namespace header

support · July 19, 2021, 3:54am

this took me forever to figure out… they should really have this in the documentation

Topic		Replies	Views
Permission denied using admin token Vault	6	1648	June 18, 2021
Hashicorp Vault - Permission denied in API While Succcess In CLI Vault	1	584	September 16, 2022
Moved to new Node Group and now get permission denied with root token Vault k8s	1	183	September 7, 2023
Vault Error Error making API request Code: 403 Permission Denied HCP Vault hashiconf , hcp-terraform , vault , consul-vault	1	2220	October 23, 2023
Getting permission denied when using a token generated in Hashicorp vault Vault	7	9137	March 21, 2022

Vault - transit - permission denied with root token

Related topics