hashicorp / terraform-dynamic-credentials-setup-examples

Example code for bootstrapping trust between Terraform Cloud and cloud providers in order to use TFC's Workload Identity
Mozilla Public License 2.0

vault/ ERROR: `* role "tfc-role" could not be found` #13

Closed drewmullen closed 1 week ago

drewmullen commented 1 year ago

Thanks for providing these examples! I built the vault/ resources with only one small change: I updated `secret/*` to `aws/*` in the role policy. Everything deployed successfully.

However, when I try to have the TFC workspace grab creds from my AWS secrets engine, I get the following error:

ERROR:

Operation failed: failed authenticating to Vault: Error making API request.

URL: PUT https://<>:8200/v1/auth/jwt/login
Code: 400. Errors:

* role "tfc-role" could not be found

HCL to have TFC call Vault for AWS creds. I've tested this using a Vault token locally (removing the `cloud {}` block) and it worked fine:

data "vault_aws_access_credentials" "creds" {
  backend = "aws"
  role    = "tfadmin"
}

provider "aws" {
  region     = "us-east-1"
  access_key = data.vault_aws_access_credentials.creds.access_key
  secret_key = data.vault_aws_access_credentials.creds.secret_key
}

resource "aws_vpc" "test" {
  cidr_block = "10.0.0.0/16"
}

terraform {
  cloud {
    organization = "<>"

    workspaces {
      name = "my-vault-workspace"
    }
  }
}

$ vault list auth/jwt/role
Keys
----
tfc-role

$ vault list aws/roles
Keys
----
tfadmin

Hopefully I'm not missing something easy! Seems to me the issue is at the authn stage, prior to any setup with the secret engine. Any help would be appreciated!

drewmullen commented 1 year ago

This has to do with missing the default namespace from HCP Vault. I'll send a PR to make this a little more intuitive for HCP users.
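The namespace mismatch described above, as an added example that is not part of this thread or the repository's code: on HCP Vault the JWT auth mount and its `tfc-role` live in the cluster's default `admin` namespace, so a login request that carries no namespace is answered from the root namespace, where the role does not exist. The configuration below assumes a JWT auth mount at `auth/jwt` with `tfc-role` already created inside `admin`, and a workspace managed through the `tfe` provider; `var.vault_addr` and `var.workspace_id` are hypothetical inputs.

```hcl
# Added example, not the repository's own code. Assumes an HCP Vault cluster
# (default namespace "admin"), the role "tfc-role" on auth/jwt inside that
# namespace, and a TFC workspace reachable through the tfe provider.

variable "vault_addr" {
  type        = string
  description = "HCP Vault cluster address, e.g. https://<cluster>:8200 (hypothetical input)"
}

variable "workspace_id" {
  type        = string
  description = "ID of the TFC workspace that will authenticate to Vault (hypothetical input)"
}

variable "vault_namespace" {
  type        = string
  default     = "admin" # HCP Vault's default namespace; self-managed Vault with no namespaces would use ""
  description = "Namespace that owns auth/jwt and the aws/ secrets engine"
}

# Bootstrap side: the provider is pinned to the namespace so role lookups,
# policy writes and `vault list auth/jwt/role` all resolve in the same place.
provider "vault" {
  address   = var.vault_addr
  namespace = var.vault_namespace
}

# Workspace side: TFC_VAULT_NAMESPACE makes the run's PUT /v1/auth/jwt/login
# target the namespace that actually contains "tfc-role". Without it the
# login hits the root namespace and Vault returns:
#   * role "tfc-role" could not be found
locals {
  workload_identity_vars = {
    TFC_VAULT_PROVIDER_AUTH = "true"
    TFC_VAULT_ADDR          = var.vault_addr
    TFC_VAULT_RUN_ROLE      = "tfc-role"
    TFC_VAULT_NAMESPACE     = var.vault_namespace
  }
}

resource "tfe_variable" "vault_workload_identity" {
  for_each     = local.workload_identity_vars
  workspace_id = var.workspace_id
  key          = each.key
  value        = each.value
  category     = "env"
}
```

In the workspace's own root module, give its `provider "vault"` block the same `namespace = "admin"` so the `vault_aws_access_credentials` lookup against `aws/` is scoped identically. A quick way to confirm where the role really lives before a run is `vault list -namespace=admin auth/jwt/role` versus the same command without `-namespace`: the role should appear only in the former, which is exactly the asymmetry the error message reflects.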

mpminardi commented 1 year ago

Hey @drewmullen! Apologies for the delayed response here. Thanks for the callout on the missing default namespace; I'll look at getting this added to the Vault example.

On another note, the Vault-backed AWS example configuration is the (newly) supported way of using Vault dynamic credentials in conjunction with the AWS secrets engine and might be what you want here!