Introduction
Vault's Login MFA supports multiple MFA method types, one of which is Okta. Configuring the Okta method requires an Okta API token; this article clarifies which Okta permissions that API token needs.
Procedure
If the API token does not have sufficient permissions in Okta, login MFA in Vault fails. When the API token is the cause, the error looks like this:
Error making API request.
URL: POST https://vaultaddr:8200/v1/sys/mfa/validate
Code: 403. Errors:
* failed to satisfy enforcement vault-okta. error: 2 errors occurred:
* the API returned an error: You do not have permission to perform the requested action
* login MFA validation failed for methodID: [e7824907-9365-c830-b0be-41969dae78b9]
The Read-only Admin Okta role tied to an API token is sufficient when using the Okta auth method in Vault. When using the login MFA feature, however, additional permissions are necessary: the API token used by Vault also needs the "reset users' authenticators" Okta role permission.
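The following script is an added example and is not part of this article or of Vault's documentation. It shows the Vault side of the setup the article assumes (registering the Okta MFA method with the API token and binding it to the userpass auth method through a login enforcement named vault-okta, the enforcement name that appears in the error above), plus a small check that recognises the Okta permission failure in Vault's error text and prints the remediation the article describes. VAULT_ADDR and VAULT_TOKEN are assumed to be set for an operator session; OKTA_ORG and OKTA_API_TOKEN are hypothetical placeholders for the Okta org name and an API token whose admin role carries Read-only Admin plus reset users' authenticators.

```shell
#!/usr/bin/env sh
# Added example, not code from the article or from HashiCorp.
# Assumes: VAULT_ADDR and VAULT_TOKEN point at a Vault an operator can configure;
# OKTA_ORG / OKTA_API_TOKEN are placeholder values supplied by the operator.

# Register the Okta login MFA method and bind it to userpass logins with a
# login enforcement called "vault-okta" (the name shown in the article's error).
configure_okta_login_mfa() {
    org="$1"; token="$2"
    method_id=$(vault write -field=method_id identity/mfa/method/okta \
        org_name="$org" api_token="$token" base_url="okta.com") || return 1
    vault write identity/mfa/login-enforcement/vault-okta \
        mfa_method_ids="$method_id" auth_method_types="userpass"
}

# Inspect Vault's error text. Returns 0 and prints the fix when the Okta API
# rejected the request for lack of permission; returns 1 for any other failure.
diagnose_mfa_error() {
    err="$1"
    if printf '%s\n' "$err" | grep -q "You do not have permission to perform the requested action"; then
        ids=$(printf '%s\n' "$err" | sed -n 's/.*methodID: \[\(.*\)\].*/\1/p')
        echo "Okta API token lacks permissions for MFA method ${ids:-unknown}:"
        echo "grant the token's Okta admin role Read-only Admin plus 'reset users' authenticators'"
        return 0
    fi
    return 1
}

# Sample input: the error text quoted in this article.
SAMPLE_ERROR='Error making API request.
URL: POST https://vaultaddr:8200/v1/sys/mfa/validate
Code: 403. Errors:
* failed to satisfy enforcement vault-okta. error: 2 errors occurred:
* the API returned an error: You do not have permission to perform the requested action
* login MFA validation failed for methodID: [e7824907-9365-c830-b0be-41969dae78b9]'

# Configuration runs only when asked for explicitly (`sh script.sh configure`);
# by default the script just demonstrates the diagnosis on the sample error.
if [ "${1:-}" = "configure" ]; then
    configure_okta_login_mfa "${OKTA_ORG:?set OKTA_ORG}" "${OKTA_API_TOKEN:?set OKTA_API_TOKEN}"
else
    diagnose_mfa_error "$SAMPLE_ERROR"
fi
```

The diagnosis keys on the Okta API's own permission message, which Vault passes through verbatim, so it distinguishes a token-permission problem from other MFA failures (network errors, a wrong org name, a user who declined the push) that produce different text under the same enforcement name.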
Additional Information
Vault Login MFA Docs: https://developer.hashicorp.com/vault/docs/auth/login-mfa
Login MFA Tutorial: https://developer.hashicorp.com/vault/tutorials/auth-methods/multi-factor-authentication
Okta Role Permissions: https://help.okta.com/en-us/content/topics/security/custom-admin-role/about-role-permissions.htm