Problem
When attempting to import a Vault resource that exists within a namespace, you may encounter a permission denied error.
$ terraform import vault_mount.test testmount
│ Error: error reading from Vault: Error making API request.
│
│ Namespace: MyNamespace
│ URL: GET https://<vault-host>:8200/v1/sys/mounts
│ Code: 403. Errors:
│
│ * 1 error occurred:
│ * permission denied
│
Cause
The Terraform Vault provider typically uses the VAULT_NAMESPACE environment variable for its operations. However, for import operations involving namespaced resources, a specific environment variable, TERRAFORM_VAULT_NAMESPACE_IMPORT, is required.
Solution
To successfully import the namespaced resource, you must set the TERRAFORM_VAULT_NAMESPACE_IMPORT environment variable before running the import command.
- Set the TERRAFORM_VAULT_NAMESPACE_IMPORT environment variable to the target Vault namespace.
  $ export TERRAFORM_VAULT_NAMESPACE_IMPORT=MyNamespace
- Run the terraform import command for the resource.
  $ terraform import vault_mount.test testmount
- Unset the environment variable after the import is complete to avoid affecting other Terraform operations.
  $ unset TERRAFORM_VAULT_NAMESPACE_IMPORT
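The three steps above can be combined so that the unset step cannot be forgotten. This is an added example, not code from the original article or from the Vault provider; the helper name import_namespaced is hypothetical, and it assumes terraform is on the PATH.

```shell
# Hypothetical helper (added example). The function body is a subshell
# "( ... )", so the export below exists only for the duration of the import
# and never reaches the calling shell or later Terraform runs.
#
# Usage: import_namespaced MyNamespace vault_mount.test testmount
import_namespaced() (
    ns=$1 addr=$2 id=$3

    if [ -z "$ns" ] || [ -z "$addr" ] || [ -z "$id" ]; then
        echo "usage: import_namespaced <namespace> <resource-address> <id>" >&2
        exit 2
    fi

    # A value left over from an earlier manual import is still set in the
    # session and would affect other operations; report it so it gets cleaned up.
    if [ -n "${TERRAFORM_VAULT_NAMESPACE_IMPORT:-}" ] &&
       [ "$TERRAFORM_VAULT_NAMESPACE_IMPORT" != "$ns" ]; then
        echo "warning: session still has TERRAFORM_VAULT_NAMESPACE_IMPORT=$TERRAFORM_VAULT_NAMESPACE_IMPORT" >&2
    fi

    # Scoped to this subshell only; the last command's exit status
    # (terraform's) becomes the function's exit status.
    export TERRAFORM_VAULT_NAMESPACE_IMPORT="$ns"
    terraform import "$addr" "$id"
)
```

The helper overrides a stale value for its own run but does not remove it from the parent session, so the warning should still be followed by an explicit unset.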
Outcome
After setting the specific environment variable for the import operation, the resource should import into the Terraform state successfully.
Additional Information
- For more details, refer to the Vault provider documentation on Importing Namespaced Resources.