Introduction
Problem
When using the Terraform Vault Provider, you may encounter a permission denied or missing client token error when attempting a terraform plan or terraform apply.
Cause
- Vault token not set in the VAULT_TOKEN environment variable, the token helper .vault-token file, or the Terraform provider block
- auth_login configuration block targeting a non-existent path
Solutions
- If the intent is to provide a token directly, ensure that the token is present in the VAULT_TOKEN environment variable, the token helper .vault-token file, or the Terraform provider block
- If using the auth_login configuration block, verify that the configured path exists in Vault
Example
Here is an example where the login path targeted by auth_login does not exist in Vault:

# List auth methods in Vault
$ vault auth list
Path      Type     Accessor                Description
----      ----     --------                -----------
token/    token    auth_token_00850a06     token based credentials

# Provider Terraform code
provider "vault" {
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = "11111111-2222-3333-4444-555555555555"
      secret_id = "9999999-8888-7777-6666-5555555555"
    }
  }
}
In this example, the auth_login configuration block was configured to use the auth/approle/login path; however, the AppRole authentication method has not been enabled in Vault. A terraform plan will return an error:
Error: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/approle/login
Code: 400. Errors:

* missing client token

  with provider["registry.terraform.io/hashicorp/vault"],
  on main.tf line 9, in provider "vault":
   9: provider "vault" {
This error is returned because no Vault token is set in an environment variable or in the token helper, and the path targeted in the auth_login block is also invalid. If a Vault token is defined in an environment variable or in the token helper, a permission denied error or a * no handler for route 'auth/approle/login' error could be returned instead, depending on the permissions of that Vault token.
Since the intent is to have the provider handle authentication to Vault using the configuration provided, ensure that the authentication method is enabled and configured in Vault and that a valid path is targeted. Depending on the authentication method, the auth_login block may also need certain parameters, such as role_id and secret_id for AppRole.
# List auth methods in Vault
$ vault auth list
Path        Type       Accessor                  Description
----        ----       --------                  -----------
approle/    approle    auth_approle_076588ae     n/a
token/      token      auth_token_00850a06       token based credentials

$ terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # vault_namespace.ns1 will be created
  + resource "vault_namespace" "ns1" {
      + id           = (known after apply)
      + namespace_id = (known after apply)
      + path         = "ns1"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
In this example, the terraform plan and terraform apply commands succeed, because Terraform was able to authenticate to Vault through the enabled AppRole method.
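The two checks from the Solutions section, written as a small preflight script to run before terraform plan. This is an added example, not part of the HashiCorp article or the Vault provider: it reports whether a token source is present (VAULT_TOKEN or the token helper file, assumed to default to ~/.vault-token) and whether the mount named in the auth_login path appears in the output of vault auth list, which is passed in as an argument so the check can also run offline.

```shell
#!/bin/sh
# Preflight check for the two causes above (added example, not HashiCorp's code):
#   1. is a Vault token available from VAULT_TOKEN or the token helper file?
#   2. does the mount in the auth_login path actually appear in `vault auth list`?

# Returns 0 if a token source is present, 1 otherwise.
# $1 = token helper file to inspect (assumed default: ~/.vault-token).
token_present() {
  helper_file="${1:-$HOME/.vault-token}"
  if [ -n "${VAULT_TOKEN:-}" ]; then
    echo "token source: VAULT_TOKEN environment variable"
    return 0
  fi
  if [ -s "$helper_file" ]; then
    echo "token source: token helper file $helper_file"
    return 0
  fi
  echo "no token found: set VAULT_TOKEN, run 'vault login', or use auth_login" >&2
  return 1
}

# Returns 0 if the mount behind an auth_login path is enabled, 1 otherwise.
# $1 = auth_login path (e.g. auth/approle/login)
# $2 = output of `vault auth list`, passed in so the check can run offline;
#      in practice call it as: login_path_mounted "$path" "$(vault auth list)"
login_path_mounted() {
  login_path="$1"
  auth_list="$2"
  # auth/approle/login -> approle/  (the Path column of `vault auth list`)
  mount="$(printf '%s\n' "$login_path" | sed -n 's#^auth/\([^/]*\)/.*#\1/#p')"
  if [ -z "$mount" ]; then
    echo "'$login_path' is not of the form auth/<mount>/login" >&2
    return 1
  fi
  if printf '%s\n' "$auth_list" | awk -v m="$mount" '$1 == m { f = 1 } END { exit !f }'; then
    echo "mount $mount is enabled: $login_path is a valid login path"
    return 0
  fi
  echo "mount $mount is not enabled: expect 'missing client token' or" \
       "'no handler for route' from terraform plan" >&2
  return 1
}
```

A non-zero exit from either function means terraform plan would fail for the corresponding reason described above, so wire both into a wrapper or CI step ahead of the plan.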