Introduction
We'll walk you through address errors which are related to the HCP requirement of the namespace header when when trying to interact with the HCP Vault API.
Problem
When attempting to make a login request to a HCP Vault cluster using the API directly, you may receive a “missing client token” response. The Namespace header is not passed as part of the request.
Cause
The vault namespace header is not passed as part of the request.
Solution
The example below shows the error occurring when logging into the userpass auth method using the API directly and how to resolve by passing the Namespace header, however, this is applicable to logging into any auth method via the API directly.
> env | grep VAULT
VAULT_ADDR=https://vault-cluster-kash.vault.11b2b4c-a26c-a176-bb23-0242ac110005.aws.hashicorp.cloud:8200
> curl \
--request POST \
--data @payload.json \
"VAULT_ADDR/v1/auth/userpass/login/kash"
{"errors":["missing client token"]}
The same error can occur if you attempt to log into a path which doesn’t exist. Sometimes if you mistype the path in the URL, this can happen as seen in the example error below.
To resolve, pass the namespace header which should be the namespace in which the auth method you intend to log into is mounted within and the path should be a valid one.
> curl \
--request POST \
--header "X-Vault-Namespace: admin" \
--data @payload.json \
"VAULT_ADDR/v1/auth/userpass/login/kash"
{request_id:"abdfw893-0728-09df-4459-9bb206355e4b", "lease_id":"","renewable":false,:lease_duration":0, "data":null,"wrap_info":null,.........
This error can also happen with the vault agent side car injector workflow when used in Kubernetes if you do not have the vault.hashicorp.com/namespace annotation set in your config.
This error can also happen with the vault agent auto-auth if you do not set the namespace variable in your config (method block).
Additional Information
HCP Vault requires all requests go to a namespace - see this article for more details on this.