terraform-provider-vault
[Provider] [Approle] Can't get Approle Token when run all
Hi!
I have the following workflow:
Pass a token with only access to get the role-id and secret-id of an approle in variables (from Terraform Cloud). And then, with the token of the approle, run the whole pipeline.
Code:
# GET VAULT APPROLE SECRET AND ID
provider "vault" {
  alias = "token"
}

data "vault_approle_auth_backend_role_id" "role" {
  provider  = vault.token
  backend   = "approle"
  role_name = "terraform-${var.stage}"
}

resource "vault_approle_auth_backend_role_secret_id" "id" {
  provider  = vault.token
  backend   = "approle"
  role_name = "terraform-${var.stage}"
}

resource "vault_approle_auth_backend_login" "login" {
  provider  = vault.token
  backend   = "approle"
  role_id   = data.vault_approle_auth_backend_role_id.role.role_id
  secret_id = vault_approle_auth_backend_role_secret_id.id.secret_id
}

# CONFIGURE VAULT PROVIDER
provider "vault" {
  token      = vault_approle_auth_backend_login.login.client_token
  token_name = "${var.stage}-terraform"
}

data "vault_aws_access_credentials" "creds" {
  backend = "aws"
  role    = "${var.stage}-terraform-assumed_role"
  type    = "sts"
}

provider "aws" {
  region     = var.region
  access_key = data.vault_aws_access_credentials.creds.access_key
  secret_key = data.vault_aws_access_credentials.creds.secret_key
  token      = data.vault_aws_access_credentials.creds.security_token
}
The problem is, when I run terraform apply, the vault provider (without alias) uses the token of the first provider (aliased) and the pipeline fails. But if I first run terraform apply -target=vault_approle_auth_backend_login.login and then run the full terraform apply, it works.
In the first run (failed one) the output is:
Error: error reading from Vault: Error making API request.
URL: GET https://vault.example.com/v1/aws/sts/stage-terraform-assumed_role?role_arn=
Code: 403. Errors:
* 1 error occurred:
* permission denied
on providers.tf line 42, in data "vault_aws_access_credentials" "creds":
42: data "vault_aws_access_credentials" "creds" {
It is because it is using the token which only has permission to get approle credentials.
Terraform version:
Terraform v0.13.4
+ provider registry.terraform.io/hashicorp/aws v3.11.0
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/hashicorp/vault v2.15.0
Thanks
Any Help?
Thanks!
While this is an old issue, I have a very similar setup and am getting the exact same error with an AWS STS role.
I have solved my issue and I think that we potentially need to change the provider to match the documentation or change the documentation to match the provider. The documentation for API requests for AWS credentials uses POST for getting STS credentials, in which case the following policy should work to accommodate these POST calls to get STS credentials.
path "${path}" {
  capabilities = ["create", "update"]
}
After running into the same exact 403 error that @ichasco was getting, I took a look around and added read to the policy, after which everything magically worked. My final and working policy was the following.
path "${path}" {
  capabilities = ["create", "read", "update"]
}
It appears that since the provider uses GET requests, it causes 403s with a policy that does work if you follow the API spec with a curl call or some network tool, but fails if you use that same working policy for the Vault provider.
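To make the capability mismatch from the last comment concrete, here is an added example (not code from the issue, the provider or Vault) that models how Vault maps an HTTP verb onto a policy capability and evaluates the two policies posted above against the STS path from the 403 error. It assumes `aws/sts/*` in place of the commenter's `${path}` placeholder, and simplifies Vault's create/update distinction for POST.

```python
import re

# Vault checks a capability derived from the HTTP verb. A GET (what the
# provider's data source issues) needs "read"; POST/PUT are "create" for
# new data and "update" for existing data (simplified here to either).
METHOD_CAPS = {
    "GET": {"read"},
    "POST": {"create", "update"},
    "PUT": {"create", "update"},
    "DELETE": {"delete"},
    "LIST": {"list"},
}

# Matches the simple `path "..." { capabilities = [...] }` stanzas from the issue.
_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> dict:
    """Return {path_pattern: set_of_capabilities} for each stanza in the policy text."""
    policy = {}
    for pattern, caps in _STANZA.findall(hcl):
        policy[pattern] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return policy


def _matches(pattern: str, path: str) -> bool:
    """Vault-style match: "+" is exactly one path segment, a trailing "*" is a prefix glob."""
    prefix = pattern.endswith("*")
    segs, got = pattern.rstrip("*").split("/"), path.split("/")
    if prefix:
        head, last = segs[:-1], segs[-1]
        if len(got) <= len(head):
            return False
        return all(p in ("+", g) for p, g in zip(head, got)) and got[len(head)].startswith(last)
    return len(got) == len(segs) and all(p in ("+", g) for p, g in zip(segs, got))


def allowed(policy: dict, method: str, path: str) -> bool:
    """Apply the most specific matching stanza (exact path beats glob, longer prefix beats shorter)."""
    matches = [(p, c) for p, c in policy.items() if _matches(p, path)]
    if not matches:
        return False
    _, caps = max(matches, key=lambda pc: (not pc[0].endswith("*"), len(pc[0])))
    return "deny" not in caps and bool(caps & METHOD_CAPS[method])


# Constructed inputs: the STS path from the 403 in the issue and the two policies above.
STS_PATH = "aws/sts/stage-terraform-assumed_role"
POLICY_BEFORE = 'path "aws/sts/*" {\n  capabilities = ["create", "update"]\n}\n'
POLICY_AFTER = 'path "aws/sts/*" {\n  capabilities = ["create", "read", "update"]\n}\n'


def provider_can_read(policy_hcl: str) -> bool:
    """The provider's data source does a GET on the STS path; does this policy permit it?"""
    return allowed(parse_policy(policy_hcl), "GET", STS_PATH)
```

`provider_can_read(POLICY_BEFORE)` is False while a POST on the same path is allowed, which is exactly the curl-works-but-provider-gets-403 behaviour the comment describes; adding `read` flips the GET to allowed.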