Terraform import from Vault Namespaces fails using the Vault Provider for Terraform

Problem

When you run terraform import for a Vault identity group that resides in a Vault namespace, the operation fails with a permission denied error.

Example Error

You may see the following command and output.

$ VAULT_GID="group-id-placeholder"
$ export VAULT_NAMESPACE=test
$ terraform import vault_identity_group.groups $VAULT_GID

vault_identity_group.groups: Importing from ID "group-id-placeholder"...
vault_identity_group.groups: Import prepared!
Prepared vault_identity_group for import
vault_identity_group.groups: Refreshing state... [id=group-id-placeholder]
╷
│ Error: failed to lookup token, err=Error making API request.
│
│ Namespace: test
│ URL: GET https://vault.hashicorp.cloud:8200/v1/auth/token/lookup-self
│ Code: 403. Errors:
│
│ * 1 error occurred:
│ * permission denied

Prerequisites

• Vault Enterprise with namespaces
• Terraform CLI
• HashiCorp Vault provider for Terraform

Cause

The terraform import command for the Vault provider requires a specific environment variable, TERRAFORM_VAULT_NAMESPACE_IMPORT, to target the correct namespace for the resource being imported. Using the general VAULT_NAMESPACE variable causes the provider to attempt authentication against the wrong namespace during the import, leading to a permission error.

Solution

To resolve this issue, you must set the TERRAFORM_VAULT_NAMESPACE_IMPORT environment variable to the name of the Vault namespace containing the resource you wish to import.

1. Unset the VAULT_NAMESPACE variable if it is currently set.

   $ unset VAULT_NAMESPACE

2. Set the TERRAFORM_VAULT_NAMESPACE_IMPORT variable to your target namespace.

   $ VAULT_GID="group-id-placeholder"
   $ export TERRAFORM_VAULT_NAMESPACE_IMPORT=test

3. Run the terraform import command again.

   $ terraform import vault_identity_group.groups $VAULT_GID

Outcome

The import command should now complete successfully. The command output will confirm the successful import.

vault_identity_group.groups: Importing from ID "group-id-placeholder"...
vault_identity_group.groups: Import prepared!
Prepared vault_identity_group for import
vault_identity_group.groups: Refreshing state... [id=group-id-placeholder]

Import successful!

The resources that were imported are shown above. These resources are now in your Terraform state.

After a successful import, the Vault identity group is now managed in your Terraform state.

Additional Information

• Vault Provider for Terraform: Namespace Support
• Vault Provider for Terraform: vault_identity_group Resource