Introduction
If you use the Vault CLI with HCP Vault without setting the namespace environment variable to a valid namespace, you may receive a permission denied error. For example, if you generate an admin token for your HCP Vault cluster and use it with the Vault CLI without setting the admin namespace, you will receive the permission denied error shown in the snippet below.
~ ❯ vault auth enable aws
Error enabling aws auth: Error making API request.
URL: POST https://vault-cluster-kash.vault.def84aba-3536-4894-a627-6d7ed3acc5ff.aws.hashicorp.cloud:8200/v1/sys/auth/aws
Code: 403. Errors:
* 1 error occurred:
* permission denied
Use Case
When using the Vault CLI with HCP Vault, ensure the namespace is configured for the CLI.
Make sure the VAULT_NAMESPACE environment variable is set to "admin" (export VAULT_NAMESPACE=admin) or to a valid namespace within admin/.
If a namespace is not set, the Vault CLI sends requests to the root namespace by default, which is not accessible in HCP Vault.
~ ❯ env | grep VAULT
VAULT_TOKEN=<REDACTED>
VAULT_ADDR=https://vault-cluster-kash.vault.def84aba-3536-4894-a627-6d7ed3acc5ff.aws.hashicorp.cloud:8200
~ ❯ export VAULT_NAMESPACE=admin
~ ❯ vault auth enable aws
Success! Enabled aws auth method at: aws/
You can also pass the namespace as a parameter to the CLI command, as seen below:
~ ❯ vault auth enable -ns=admin aws
Success! Enabled aws auth method at: aws/
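The namespace rule above can be checked before any vault command runs, so that a missing or wrong namespace is reported as such instead of surfacing as a 403. This is an added example, not part of the original article or HashiCorp tooling: the function name check_hcp_namespace and the sample address are constructed, and treating any host ending in .hashicorp.cloud as an HCP Vault cluster is an assumption based on the address shown in this article.

```shell
#!/bin/sh
# Added example: preflight check for the HCP Vault namespace requirement.
# check_hcp_namespace ADDR NAMESPACE (hypothetical helper, not a Vault command)
#   returns 0  namespace is "admin" or under "admin/", or ADDR is not HCP
#           1  HCP address with no namespace (request would go to root)
#           2  HCP address with a namespace outside admin/
check_hcp_namespace() {
    _addr=$1
    _ns=$2

    # Reduce the address to its host: drop the scheme, then port and path.
    _host=${_addr#*://}
    _host=${_host%%[:/]*}

    # Assumption: HCP Vault clusters are served under *.hashicorp.cloud.
    case "$_host" in
        *.hashicorp.cloud) ;;
        *) return 0 ;;          # self-managed Vault: rule does not apply
    esac

    _ns=${_ns%/}                # accept "admin/" as well as "admin"
    case "$_ns" in
        "")            return 1 ;;
        admin|admin/*) return 0 ;;
        *)             return 2 ;;
    esac
}

# Constructed sample address (not a real cluster).
SAMPLE_ADDR="https://vault-cluster-example.vault.00000000-0000-0000-0000-000000000000.aws.hashicorp.cloud:8200"

# Walk a few constructed namespace values through the check.
for sample_ns in "" "admin" "admin/team-a" "dev"; do
    rc=0
    check_hcp_namespace "$SAMPLE_ADDR" "$sample_ns" || rc=$?
    case "$rc" in
        0) msg="ok" ;;
        1) msg="namespace not set: CLI would target the root namespace" ;;
        2) msg="namespace is not admin or under admin/" ;;
    esac
    printf "namespace='%s' -> %s\n" "$sample_ns" "$msg"
done
```

In a real session, call it as check_hcp_namespace "$VAULT_ADDR" "$VAULT_NAMESPACE" before running vault; a namespace supplied only through -ns is not visible to this check.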
Additional Links
https://www.vaultproject.io/docs/enterprise/namespaces#usage
https://cloud.hashicorp.com/docs/vault/constraints-and-known-issues