Introduction
Problem
After upgrading to Vault 1.20.0 or Vault 1.20.1, the Vault Terraform Secrets Engine no longer generates user tokens.
Prerequisites (if applicable)
- Vault 1.20 or Vault 1.20.1
- Terraform Secrets Plugin v0.12.0+builtin
- Terraform Enterprise
- Terraform Cloud
Cause
After the upgrade, no token is generated:
vault read terraform/creds/my-user
Key             Value
---             -----
organization    n/a
role            my-user
team_id         n/a
token           n/a
token_id        n/a
- The Vault operational logs do not contain any relevant error messages
- The Terraform logs do not contain any relevant error messages
Looking at the affected role using the sys/raw endpoint reveals that "credential_type":"user" is missing from the affected roles:
vault read /sys/raw/logical/806c3711-462e-0a80-6292-b31b8f3690eb/role/my-user
Key Value
value {"name":"my-user","user_id":"user-xxxxxxxxx","ttl":120000000000,"max_ttl":0}
This is the expected output:
vault read /sys/raw/logical/806c3711-462e-0a80-6292-b31b8f3690eb/role/my-user
Key Value
value {"name":"my-user","user_id":"user-xxxxxxxxx","ttl":120000000000,"max_ttl":0,"credential_type":"user"}
Overview of possible solutions (if applicable)
Solutions:
- The issue has been reported to Vault Engineering and is planned to be resolved in a future version of the Vault Terraform Secrets Engine Plugin; please monitor the Vault Changelog for plugin updates.
- The current workaround is to rewrite the role configuration of each affected role, for example:
  vault write terraform/role/my-user user_id=user-xxxxxxx ttl=2m
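The following helper, an added example that is not part of this article or of the Vault plugin, automates the check and the workaround above: it takes the JSON value returned by sys/raw for a role, reports whether credential_type is missing, and builds the equivalent vault write command that re-saves the role with its existing user_id and ttl. It assumes the secrets engine is mounted at "terraform" and that ttl/max_ttl are stored as Go durations in nanoseconds (120000000000 in the raw output corresponds to the ttl=2m used in the workaround); only user-type roles (those with a user_id), the case described on this page, are handled.

```python
import json
from typing import Optional

# Vault stores ttl/max_ttl in the raw role entry as Go durations (nanoseconds);
# 120000000000 ns == 120 s == 2m, matching the workaround command above.
NS_PER_SECOND = 1_000_000_000


def role_needs_rewrite(raw_value: str) -> bool:
    """True when the stored role lacks credential_type (the symptom of this issue)."""
    role = json.loads(raw_value)
    return "credential_type" not in role


def rewrite_command(mount: str, raw_value: str) -> Optional[str]:
    """Build the `vault write <mount>/role/<name> ...` command that re-saves the role.

    Returns None when the role already has credential_type, i.e. nothing to do.
    Only user roles (entries carrying user_id) are handled, as on this page.
    """
    role = json.loads(raw_value)
    if "credential_type" in role:
        return None
    if "user_id" not in role:
        raise ValueError("only user roles (with user_id) are handled by this helper")
    args = [f"user_id={role['user_id']}"]
    ttl_s = role.get("ttl", 0) // NS_PER_SECOND
    if ttl_s:
        args.append(f"ttl={ttl_s}s")
    max_ttl_s = role.get("max_ttl", 0) // NS_PER_SECOND
    if max_ttl_s:
        args.append(f"max_ttl={max_ttl_s}s")
    return " ".join(["vault", "write", f"{mount}/role/{role['name']}", *args])


# Constructed samples: the broken and the expected sys/raw values shown in this article.
BROKEN_ROLE = '{"name":"my-user","user_id":"user-xxxxxxxxx","ttl":120000000000,"max_ttl":0}'
FIXED_ROLE = ('{"name":"my-user","user_id":"user-xxxxxxxxx","ttl":120000000000,'
              '"max_ttl":0,"credential_type":"user"}')

if __name__ == "__main__":
    for value in (BROKEN_ROLE, FIXED_ROLE):
        cmd = rewrite_command("terraform", value)
        print(cmd if cmd else "role already has credential_type; no rewrite needed")
```

Feed it the value column of `vault read /sys/raw/logical/<mount accessor>/role/<name>` for each role to find the ones that still need the rewrite.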
Outcome
After rewriting the role configuration, tokens are returned as expected:
vault read terraform/creds/my-user
Key                 Value
---                 -----
lease_id            terraform/creds/my-user/5REoxDngtAE3MbAWQXL2AahG
lease_duration      2m
lease_renewable     true
token               xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
token_id            at-xxxxxxxxxxxxxxxxxxx
Additional Information
- Vault Changelog
- Vault Documentation: HCP Terraform secrets engine