Introduction
This article covers some troubleshooting steps to take related to common errors when trying to authenticate to an HCP Vault auth method.
Problem
When attempting to make a login request to an HCP Vault cluster, you may receive a {"errors":["permission denied"]} response.
Cause
The Vault Namespace is not being passed as part of the request.
Solution
Missing Namespace
The example below shows the error that occurs when logging into the userpass auth method through the API directly, and how to resolve it by passing the Namespace header. The same fix applies when logging into any auth method.
> env | grep VAULT
VAULT_ADDR=https://vault-cluster-kash.vault.11b2b4c-a26c-a176-bb23-0242ac110005.aws.hashicorp.cloud:8200
> curl \
--request POST \
--data @payload.json \
"$VAULT_ADDR/v1/auth/userpass/login/kash"
{"errors":["permission denied"]}
To resolve, pass the X-Vault-Namespace header set to the namespace in which the auth method you intend to log into is mounted.
> curl \
--request POST \
--header "X-Vault-Namespace: admin" \
--data @payload.json \
"$VAULT_ADDR/v1/auth/userpass/login/kash"
{"request_id":"abdfw893-0728-09df-4459-9bb206355e4b","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,.........
Misspelled Namespace/Login Path
> curl \
--request POST \
--header "X-Vault-Namespace: admin" \
--data @payload.json \
"$VAULT_ADDR/v1/auth/userpasss/login/kash"
{"errors":["permission denied"]}
(notice the extra 's' in the auth method login path above)
The same error occurs when the namespace itself is misspelled (notice the extra 'a' in the Namespace):
> curl \
--request POST \
--header "X-Vault-Namespace: aadmin" \
--data @payload.json \
"$VAULT_ADDR/v1/auth/userpass/login/kash"
{"errors":["permission denied"]}
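As an added example that is not part of this article, the POSIX sh wrapper below sends the login request with the X-Vault-Namespace header set and classifies a permission denied reply, pointing at the two causes above (missing header, or a misspelled namespace or auth path). It assumes VAULT_ADDR is exported as in the article, defaults the namespace to admin (the HCP Vault default), and takes the same payload.json holding the password; the function names are our own.

```shell
#!/bin/sh
# Added example, not from the HashiCorp article: log in to an HCP Vault auth
# method with the namespace header set and explain a permission-denied reply.
# Assumes VAULT_ADDR is exported; VAULT_NAMESPACE defaults to "admin".

VAULT_NAMESPACE="${VAULT_NAMESPACE:-admin}"

# Classify a raw login response body: ok (token issued), denied, or other.
classify_login_response() {
  case "$1" in
    *'"client_token"'*)    echo ok ;;
    *'permission denied'*) echo denied ;;
    *)                     echo other ;;
  esac
}

# Pull client_token out of a successful response body without needing jq.
extract_client_token() {
  printf '%s' "$1" | sed -n 's/.*"client_token":"\([^"]*\)".*/\1/p'
}

# Hint for a denied login: a missing header versus a misspelled value.
denied_hint() {
  ns="$1"; auth_path="$2"
  if [ -z "$ns" ]; then
    echo "namespace header empty: every HCP Vault request must carry X-Vault-Namespace"
  else
    echo "check spelling of namespace '$ns' and auth path '$auth_path' against the mounts"
  fi
}

# vault_login AUTH_PATH USERNAME PAYLOAD_FILE   (e.g. userpass kash payload.json)
# Prints the client token on success; on failure prints a hint to stderr.
vault_login() {
  auth_path="$1"; user="$2"; payload="$3"
  body=$(curl -sS --request POST \
    --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
    --data @"$payload" \
    "$VAULT_ADDR/v1/auth/$auth_path/login/$user")
  case "$(classify_login_response "$body")" in
    ok)     extract_client_token "$body" ;;
    denied) echo "permission denied: $(denied_hint "$VAULT_NAMESPACE" "$auth_path")" >&2; return 1 ;;
    *)      printf '%s\n' "$body" >&2; return 1 ;;
  esac
}

# Only contact Vault when invoked with arguments; sourcing the file is side-effect free.
if [ "$#" -eq 3 ]; then
  vault_login "$@"
fi
```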
Vault Agent Sidecar Injector
This error can also occur with the Vault Agent sidecar injector workflow in Kubernetes if the vault.hashicorp.com/namespace annotation is not set in your config, and with Vault Agent auto-auth if the namespace variable is not set in the Vault Agent configuration file.
Additional Information
HCP Vault requires that every API request be scoped to a namespace - see this article for more details.