hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

Approle permission denied on version 4.0.0 #2197

Closed sergeyrudenko111 closed 3 months ago

sergeyrudenko111 commented 3 months ago

Terraform Core Version

1.7.5

Terraform Vault Provider Version

4.0.0

Vault Server Version

1.15.6

Affected Resource(s)

vault_auth_backend

Expected Behavior

Being able to read from data source vault_auth_backend.

Actual Behavior

permission denied; works on 3.25.0

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

# Policy document that worked with provider 3.25.0 but yields
# "permission denied" for data "vault_auth_backend" on 4.0.0.
data "vault_policy_document" "approle_readwrite" {
  # Covers only the mount-listing endpoint itself; with no trailing
  # wildcard this rule does not match sys/auth/<mount>.
  rule {
    path         = "sys/auth"
    capabilities = ["create", "read", "update", "delete", "list"]
  }

  # Manage AppRole roles under the approle mount.
  rule {
    path         = "auth/approle/role/*"
    capabilities = ["create", "read", "update", "delete", "list"]
  }
}

Steps to Reproduce

Changing the policy path for the AppRole auth method from sys/auth to sys/auth/approle doesn't work.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

fairclothjm commented 3 months ago

@sergeyrudenko111 Thanks for reporting and I am sorry you are having trouble. For now you can update your capabilities to include sudo. This should prevent permission denied on vault_auth_backend.

We are working to remove the sudo requirement for auth paths in the upcoming release. However, you will need to update your policy path to use sys/mounts/auth/*.
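A policy that applies the maintainer's advice above, as an added example (not code from the issue or from the provider). The `sudo` capability and the `sys/mounts/auth/*` path come from the comment above; the exact entry path `sys/auth/approle` (taken from the reporter's failing attempt), the policy name, and keeping the reporter's role-management rule are assumptions. The `vault_policy_document`, `vault_policy` and `vault_auth_backend` blocks use the provider's documented arguments:

```hcl
# Added example: least-privilege policy for a Terraform run that needs to
# read the AppRole auth mount through data "vault_auth_backend".
data "vault_policy_document" "approle_readwrite" {
  # Workaround for 4.0.0 per the maintainer: the mount entry read needs sudo.
  # Assumption: the entry read is sys/auth/approle, the reporter's failing path.
  # Read-only plus sudo is enough for a data source; no create/update/delete.
  rule {
    path         = "sys/auth/approle"
    capabilities = ["read", "sudo"]
  }

  # Rule for the release the maintainer mentions, which reads through
  # sys/mounts/auth/* without sudo. Safe to keep alongside the rule above
  # so the policy does not have to change again when upgrading.
  rule {
    path         = "sys/mounts/auth/*"
    capabilities = ["read"]
  }

  # Reporter's existing rule for managing AppRole roles, kept unchanged.
  rule {
    path         = "auth/approle/role/*"
    capabilities = ["create", "read", "update", "delete", "list"]
  }
}

resource "vault_policy" "approle_readwrite" {
  name   = "approle-readwrite" # assumed policy name
  policy = data.vault_policy_document.approle_readwrite.hcl
}

# The data source that returned "permission denied" on 4.0.0 with the
# original sys/auth rule.
data "vault_auth_backend" "approle" {
  path = "approle"
}
```

Apply the policy with a token that may manage policies, then run the data-source read with a token holding only `approle-readwrite`; if it still fails, check `vault policy read approle-readwrite` and the provider debug log for the exact `sys/...` path being requested before widening anything further.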