Introduction
Problem
When using the Terraform Vault Provider, you may encounter a permission denied or missing client token error when attempting a terraform plan or terraform apply.
Cause
- Vault token not set in the VAULT_TOKEN environment variable, the token helper .vault-token file, or the Terraform provider block
- auth_login configuration block targeting a non-existent path
Solutions
- If the intent is to provide a token directly, ensure that the token is present in the VAULT_TOKEN environment variable, the token helper .vault-token file, or the Terraform provider block
- If using the auth_login configuration block, verify that the configured path exists in Vault
Example
Here is an example where the configured login path does not exist in Vault.
# List auth methods in Vault
$ vault auth list
Path      Type     Accessor               Description
----      ----     --------               -----------
token/    token    auth_token_00850a06    token based credentials

# Provider Terraform code
provider "vault" {
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = "11111111-2222-3333-4444-555555555555"
      secret_id = "9999999-8888-7777-6666-5555555555"
    }
  }
}
In this example, the auth_login configuration block was configured to use the auth/approle/login path; however, the AppRole authentication method has not been enabled in Vault. A terraform plan will return an error.
Error: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/approle/login
Code: 400. Errors:
* missing client token
with provider["registry.terraform.io/hashicorp/vault"],
on main.tf line 9, in provider "vault":
9: provider "vault" {
This is because no Vault token is set in an environment variable or in the token helper, and the path targeted in the auth_login block is also invalid. If a Vault token is defined in an environment variable or in the token helper, a permission denied or * no handler for route 'auth/approle/login' error could be returned instead, depending on the permissions of the Vault token.
Since the intent is to have the provider handle authentication to Vault using the configuration provided, ensure that the authentication method is enabled and configured in Vault and that a valid path is targeted. Depending on the authentication method, the auth_login block may also need certain parameters such as role_id and secret_id.
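 
The following script is an added example, not part of the original article: it mirrors the check described in the Cause and Solutions sections by comparing the mount segment of an auth_login path against the output of vault auth list, and reports which of the two errors above is the likely outcome depending on whether VAULT_TOKEN is set. The two auth listings are constructed copies of the page's before and after output rather than a live server response, and the function names (login_mount, auth_mount_enabled, diagnose) are this example's own.

```shell
#!/bin/sh
# Added example: check whether a Terraform Vault provider auth_login path
# points at an auth method that is actually enabled in Vault.

# Constructed sample of `vault auth list` before AppRole is enabled.
TOKEN_ONLY='Path        Type       Accessor                  Description
----        ----       --------                  -----------
token/      token      auth_token_00850a06       token based credentials'

# Constructed sample of `vault auth list` after AppRole is enabled.
WITH_APPROLE='Path        Type       Accessor                  Description
----        ----       --------                  -----------
approle/    approle    auth_approle_076588ae     n/a
token/      token      auth_token_00850a06       token based credentials'

# login_mount LOGIN_PATH
# Prints the mount segment of a provider auth_login path in the form
# `vault auth list` shows it, e.g. "auth/approle/login" -> "approle/".
# Prints nothing if the path does not follow the auth/<mount>/... shape.
login_mount() {
  printf '%s\n' "$1" | sed -n 's#^auth/\([^/]*\)/.*$#\1/#p'
}

# auth_mount_enabled LOGIN_PATH AUTH_LIST_OUTPUT
# Returns 0 if the mount derived from LOGIN_PATH appears in the first
# column of the captured `vault auth list` output, 1 otherwise.
auth_mount_enabled() {
  mount=$(login_mount "$1")
  [ -n "$mount" ] || return 1
  printf '%s\n' "$2" | awk -v m="$mount" '$1 == m { found = 1 } END { exit !found }'
}

# diagnose LOGIN_PATH AUTH_LIST_OUTPUT VAULT_TOKEN_VALUE
# Prints the likely provider error for the given situation, following the
# cases the article describes: a missing mount with no token yields
# "missing client token"; a missing mount with a token present yields
# "permission denied" or "no handler for route" depending on the token's policy.
diagnose() {
  if auth_mount_enabled "$1" "$2"; then
    printf 'ok: %s targets enabled auth mount %s\n' "$1" "$(login_mount "$1")"
  elif [ -z "$3" ]; then
    printf 'missing client token: no VAULT_TOKEN and %s targets no enabled auth mount\n' "$1"
  else
    printf 'permission denied or no handler for route: %s targets no enabled auth mount\n' "$1"
  fi
}

# Stand-alone run: the failing case from the article, then the fixed case.
diagnose "auth/approle/login" "$TOKEN_ONLY" ""
diagnose "auth/approle/login" "$WITH_APPROLE" ""
```

To use it against a real server, replace the constructed listings with `vault auth list` output captured into a variable and pass the path from the provider's auth_login block; the script needs only sh, sed and awk.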
# List auth methods in Vault
$ vault auth list
Path Type Accessor Description
---- ---- -------- -----------
approle/ approle auth_approle_076588ae n/a
token/ token auth_token_00850a06 token based credentials
$ terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # vault_namespace.ns1 will be created
  + resource "vault_namespace" "ns1" {
      + id           = (known after apply)
      + namespace_id = (known after apply)
      + path         = "ns1"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
In this example, the terraform plan and terraform apply commands are successful, as Terraform was able to authenticate to Vault.