vault provider does not use namespace creating child token #602
Comments
Same issue here. Config:

```hcl
provider "vault" {
  address   = "https://my.vault.domain:8200"
  namespace = "org/suborg/mynamespace"
  auth_login {
    path = "auth/k8s-test/login"
    parameters = {
      role = "my-k8s-role"
      jwt  = var.jwt
    }
  }
}
```
Hey OP, the issue is that the Vault provider documentation is lacking. You need to also put your namespace inside the auth_login block. We found this out by looking at the source code.

```hcl
provider "vault" {
  address   = "https://my.vault.domain:8200"
  namespace = "org/suborg/mynamespace"
  auth_login {
    path      = "auth/k8s-test/login"
    namespace = "org/suborg/mynamespace"
    parameters = {
      role = "myrole"
      jwt  = var.jwt
    }
  }
}
```
Thanks @Clete2 for your workaround. However, it's not working for me. That maybe works if the approle login-method is mounted in the specified workspace. However
@matteomazza91 in version 2.11.0 the headers configuration setting was added (#730). It allows adding additional HTTP headers to all requests. It's useful in a case like the one you (and I) are faced with.
@m0ps trying it out in 2.18.0 and it doesn't work. I've tried specifying the header in the provider's configuration, but the one I see being used in trace logs is still empty. I can't seem to find the code where the call is actually manufactured; the interesting point is that the
This is still an issue. This is particularly insidious because the original error message would serve no indication of what the problem is. I was having an issue with AppRole login and, because of the error message, I went down multiple different paths to try and solve the issue:
It was only I used
Number 3 there is particularly maddening because this worked perfectly the first time when I spun up a dev instance of vault but, because I'm not the admin of the enterprise vault, I cannot easily get a key for enterprise. Furthermore, specifying the
The trace logs show the Bogus Header but not the namespace header:
So, clearly, there is a bug here. The proof is that the provider is, quite clearly, handling the
Hi @browley86, sorry to hear that you are having issues with the provider. I believe that #1830 will resolve this issue, since it will take the namespace from The provider handles the
Fixed in #1830
Terraform Version
Terraform v0.12.6
Terraform Configuration Files
main.tf
./modules/vault/main.tf
Debug Output
Expected Behavior
set `X-Vault-Namespace` in `/v1/auth/token/create` call.
Actual Behavior
`X-Vault-Namespace` is not set
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform apply
References
possibly related issue:
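
One way to check which calls carry the header, added here as an example (not code from the provider or from anyone in this thread): a stand-in Go handler that records `X-Vault-Namespace` per request path and lists the calls that arrived without it. The `recorder` type, the `replay` client and the token value are constructed for illustration; the login path and namespace are the ones from the config posted above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const nsHeader = "X-Vault-Namespace"

// Login path from the config posted in the thread, then the child-token call.
var paths = []string{"/v1/auth/k8s-test/login", "/v1/auth/token/create"}

// recorder is a stand-in handler (not a real Vault) that stores the namespace
// header seen on each request path. Not safe for concurrent use.
type recorder map[string]string

func (r recorder) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	r[req.URL.Path] = req.Header.Get(nsHeader)
	fmt.Fprint(w, `{"auth":{"client_token":"constructed-token"}}`)
}

// missing returns, in call order, the paths not seen carrying namespace ns.
func (r recorder) missing(ns string) []string {
	var out []string
	for _, p := range paths {
		if r[p] != ns {
			out = append(out, p)
		}
	}
	return out
}

// replay is a constructed client: it sends both calls to h and sets the header
// on the child-token call only when nsOnCreate is true (false mimics the issue).
func replay(h http.Handler, ns string, nsOnCreate bool) {
	for _, p := range paths {
		req := httptest.NewRequest(http.MethodPost, p, nil)
		if nsOnCreate || p != paths[1] {
			req.Header.Set(nsHeader, ns)
		}
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
}

func main() {
	rec := recorder{}
	replay(rec, "org/suborg/mynamespace", false)
	fmt.Println("calls without the namespace header:", rec.missing("org/suborg/mynamespace"))
}
```

Because `recorder` is an ordinary `http.Handler`, it can also be mounted in a local test server; add a mutex first if requests may arrive concurrently.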