Introduction
This article covers some troubleshooting steps to take related to common errors when trying to authenticate to run Vault CLI commands with HCP Vault.
Problem
When attempting to run Vault CLI commands with HCP Vault, you receive a {"errors":["permission denied"]} error.
Cause
The Vault Namespace is not exported as an environment variable.
Use Case
For example, if you have generated an admin token for your HCP Vault cluster and use it with the Vault CLI without setting the admin namespace, you will receive a permission denied error, as seen in the snippet below.
~ ❯ vault auth enable aws
Error enabling aws auth: Error making API request.
URL: POST https://vault-cluster-kash.vault.def84aba-3536-4894-a627-6d7ed3acc5ff.aws.hashicorp.cloud:8200/v1/sys/auth/aws
Code: 403. Errors:
* 1 error occurred:
* permission denied
Solution
When using the Vault CLI with HCP Vault, ensure the namespace is configured so the CLI uses it.
Make sure the VAULT_NAMESPACE environment variable is set to “admin” (export VAULT_NAMESPACE=admin) or to a valid namespace within admin/.
If a namespace is not set, the Vault CLI sends requests to the root namespace by default, which is not accessible in HCP Vault.
~ ❯ env | grep VAULT
VAULT_TOKEN=<REDACTED>
VAULT_ADDR=https://vault-cluster-kash.vault.def84aba-3536-4894-a627-6d7ed3acc5ff.aws.hashicorp.cloud:8200
~ ❯ export VAULT_NAMESPACE=admin
~ ❯ vault auth enable aws
Success! Enabled aws auth method at: aws/
You can also pass the namespace as a parameter to the CLI command, as shown below.
~ ❯ vault auth enable -ns=admin aws
Success! Enabled aws auth method at: aws/
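The pre-flight check below is an added example and not part of this article or of the Vault CLI: it validates VAULT_NAMESPACE (or a namespace given as an argument) against the rule stated above, "admin" or a namespace under admin/, so a missing or wrong namespace fails locally with a clear message instead of as a 403 from HCP Vault. The function names hcp_namespace_check and hcp_vault, and their exit codes, are assumptions of this example.

```shell
# Added example (not from the HCP Vault article or the Vault CLI).
# hcp_namespace_check: prints the namespace the CLI would use when it is
# valid for HCP Vault ("admin" or something under "admin/") and returns 0.
# Returns 1 when no namespace is set (requests would go to the root
# namespace, which HCP Vault does not expose) and 2 when the namespace is
# outside admin/. It does not verify that the namespace exists on the cluster.
hcp_namespace_check() {
    if [ "$#" -gt 0 ]; then
        ns="$1"
    else
        ns="${VAULT_NAMESPACE:-}"
    fi
    # "admin/" and "admin" address the same namespace; drop a trailing slash.
    ns="${ns%/}"
    if [ -z "$ns" ]; then
        echo "VAULT_NAMESPACE is unset; the CLI would target the root namespace, which is not accessible in HCP Vault" >&2
        return 1
    fi
    case "$ns" in
        admin|admin/*)
            echo "$ns"
            return 0
            ;;
        *)
            echo "VAULT_NAMESPACE='$ns' is outside admin/; HCP Vault will answer with 'permission denied'" >&2
            return 2
            ;;
    esac
}

# hcp_vault: run a Vault CLI command only after the check passes, passing the
# validated namespace through the environment of that one invocation so the
# outcome does not depend on whether VAULT_NAMESPACE was exported in the shell.
# Example: hcp_vault auth enable aws
hcp_vault() {
    ns="$(hcp_namespace_check)" || return "$?"
    VAULT_NAMESPACE="$ns" vault "$@"
}
```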
Additional Links
No Access to Root Namespace with HCP Vault
Permission denied when making CURL auth (login) request with HCP Vault