Introduction
This article covers troubleshooting steps for common errors when authenticating to an HCP Vault auth method.
Problem
When attempting to make a login request to an HCP Vault cluster, you may receive a “missing client token” response.
Cause
The Vault Namespace is not being passed as part of the request.
Solution
The example below shows the error occurring when logging in to the userpass auth method directly through the API, and how to resolve it by passing the namespace header. The same fix applies when logging in to any auth method.
> env | grep VAULT
VAULT_ADDR=https://vault-cluster-kash.vault.11b2b4c-a26c-a176-bb23-0242ac110005.aws.hashicorp.cloud:8200
> curl \
--request POST \
--data @payload.json \
"$VAULT_ADDR/v1/auth/userpass/login/kash"
{"errors":["missing client token"]}
To resolve this, pass the X-Vault-Namespace header, set to the namespace in which the auth method you intend to log in to is mounted.
> curl \
--request POST \
--header "X-Vault-Namespace: admin" \
--data @payload.json \
"$VAULT_ADDR/v1/auth/userpass/login/kash"
{"request_id":"abdfw893-0728-09df-4459-9bb206355e4b","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,.........
(notice the extra 's' in the auth method path)
> curl \
--request POST \
--header "X-Vault-Namespace: admin" \
--data @payload.json \
"$VAULT_ADDR/v1/auth/userpasss/login/kash"
{"errors":["missing client token"]}
(notice the extra 'a' in the Namespace)
> curl \
--request POST \
--header "X-Vault-Namespace: aadmin" \
--data @payload.json \
"$VAULT_ADDR/v1/auth/userpasss/login/kash"
{"errors":["missing client token"]}
This error can also occur with the Vault Agent sidecar injector workflow in Kubernetes if the vault.hashicorp.com/namespace annotation is not set in your config, or with Vault Agent auto-auth if the namespace variable is not set in the Vault Agent configuration file.
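The direct API login shown above, wrapped so the request is never sent without a namespace and so a "missing client token" body is turned into a hint. This is an added example, not HashiCorp's code: the function names are hypothetical, and it assumes the namespace comes from the VAULT_NAMESPACE environment variable and that a successful login body contains "client_token".

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Vault.

# Print the login URL, or fail before any request is sent when the
# address or the namespace is missing from the environment.
vault_login_url() (
  mount="$1"; user="$2"
  [ -n "${VAULT_ADDR:-}" ] || { echo "VAULT_ADDR is not set" >&2; exit 2; }
  [ -n "${VAULT_NAMESPACE:-}" ] || {
    echo "VAULT_NAMESPACE is not set; HCP Vault needs X-Vault-Namespace" >&2
    exit 3
  }
  printf '%s/v1/auth/%s/login/%s\n' "${VAULT_ADDR%/}" "$mount" "$user"
)

# Classify a login response. $1 = namespace that was sent ("" if none),
# $2 = response body. Assumption: success bodies carry "client_token".
diagnose_login() (
  case "$2" in
    *'"missing client token"'*)
      if [ -z "$1" ]; then
        echo "no namespace header was sent"
      else
        echo "check spelling of namespace '$1' and of the auth mount path"
      fi
      exit 1 ;;
    *'"errors"'*)       echo "login rejected"; exit 1 ;;
    *'"client_token"'*) echo "ok"; exit 0 ;;
    *)                  echo "unexpected response"; exit 1 ;;
  esac
)

# Send the request from the article with the header always attached.
vault_login() (
  url="$(vault_login_url "$1" "$2")" || exit $?
  body="$(curl --silent --request POST \
    --header "X-Vault-Namespace: ${VAULT_NAMESPACE}" \
    --data @payload.json "$url")" || exit 4
  diagnose_login "$VAULT_NAMESPACE" "$body"
)
```

Call it as `vault_login userpass kash` with VAULT_ADDR and VAULT_NAMESPACE exported and payload.json in the current directory.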
Additional Information
HCP Vault requires that all API requests go to a namespace. See this article for more details.