Introduction
Problem
When using the Vault provider for Terraform, you may encounter an error such as "* missing client token" when attempting a plan or apply.
Cause
This error can be caused by the following:
- No token set as an ENV variable, in the token helper, or in the provider block
- auth_login targeting a non-existent path
Solutions:
- If the intent is to provide a token directly, verify its existence in the ENV variable, token helper, or provider block.
- If using auth_login, verify that the configured path exists in Vault.
Example:
Let's look at a missing login path example:
Enabled Auth methods in Vault:
$ vault auth list
Path Type Accessor Description
---- ---- -------- -----------
token/ token auth_token_00850a06 token based credentials
Provider TF Code:
provider "vault" {
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = "11111111-2222-3333-4444-555555555555"
      secret_id = "9999999-8888-7777-6666-5555555555"
    }
  }
}
We configured auth_login to use the auth/approle/login path, but we do not have an AppRole authentication method enabled in Vault. When we run terraform plan, we get the following error:
Error: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/approle/login
Code: 400. Errors:
* missing client token
with provider["registry.terraform.io/hashicorp/vault"],
on main.tf line 9, in provider "vault":
9: provider "vault" {
We get this error when we don't have a token set as an ENV variable or in the Token Helper, and the path we targeted in the auth_login block doesn't exist. If we define a token in the ENV variable or Token Helper, we could get a "* permission denied" or "* no handler for route 'auth/approle/login'" error, depending on the permissions that the token has. Given that the intent here is to have the provider itself handle authenticating to Vault using the configuration we provided, the solution is to make sure we are targeting an Auth method that exists and is configured on the Vault side, and that we are providing the correct parameters in the auth_login block.
After configuring an AppRole Auth method and a Role, and getting the required role_id and secret_id, we can attempt the plan again:
$ vault auth list
Path Type Accessor Description
---- ---- -------- -----------
approle/ approle auth_approle_076588ae n/a
token/ token auth_token_00850a06 token based credentials
$ terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# vault_namespace.ns1 will be created
+ resource "vault_namespace" "ns1" {
+ id = (known after apply)
+ namespace_id = (known after apply)
+ path = "ns1"
}
Plan: 1 to add, 0 to change, 0 to destroy.
We can see that we were able to successfully authenticate and execute a plan.
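The check described above can be scripted as a pre-flight step. The following is an added example, not part of the original article or HashiCorp's code: it reads the table output of vault auth list and reports whether any enabled auth mount serves the path configured in auth_login. The function names auth_mount_for and check_auth_login are hypothetical, and the sample inputs are constructed from the two listings shown in this article.

```shell
#!/bin/sh
# Added example (not HashiCorp's code): check that an enabled auth mount serves
# the path configured in the provider's auth_login block.

# Constructed samples: the two `vault auth list` outputs shown in this article.
AUTH_LIST_BEFORE='Path Type Accessor Description
---- ---- -------- -----------
token/ token auth_token_00850a06 token based credentials'

AUTH_LIST_AFTER='Path Type Accessor Description
---- ---- -------- -----------
approle/ approle auth_approle_076588ae n/a
token/ token auth_token_00850a06 token based credentials'

# auth_mount_for LOGIN_PATH  (reads `vault auth list` table output on stdin)
# Prints the longest enabled mount that is a prefix of LOGIN_PATH, e.g.
# auth/approle/login -> approle/. Returns 1 when no mount matches.
auth_mount_for() {
    login=${1#/}            # tolerate a leading slash
    login=${login#auth/}    # mounts are listed relative to auth/
    awk -v p="$login/" '
        # Mount rows are the only rows whose first column ends in "/".
        $1 ~ /\/$/ && index(p, $1) == 1 && length($1) > length(found) { found = $1 }
        END { if (found == "") exit 1; print found }
    '
}

# check_auth_login LOGIN_PATH  (same stdin); prints a human-readable verdict.
check_auth_login() {
    if mount=$(auth_mount_for "$1"); then
        echo "ok: $1 is served by auth mount $mount"
    else
        echo "missing: no enabled auth method serves $1" >&2
        return 1
    fi
}

# Demo on the constructed samples above.
printf '%s\n' "$AUTH_LIST_BEFORE" | check_auth_login auth/approle/login || true
printf '%s\n' "$AUTH_LIST_AFTER"  | check_auth_login auth/approle/login
```

Against a live server, pipe the real listing in before planning: vault auth list | check_auth_login auth/approle/login && terraform plan. This assumes the operator running the check already holds a token that is allowed to list auth methods.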
Outcome
Ability to successfully run a plan/apply.