hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

vault_approle_auth_backend_login doesn't work, unless you already have a Vault token. #346

Open darnold-harness opened 5 years ago

darnold-harness commented 5 years ago

Terraform Version

Terraform v0.11.13

Affected Resource(s)

Terraform Configuration Files

resource "vault_approle_auth_backend_login" "login" {
  backend   = "approle"
  role_id   = "${var.approle_role_id}"
  secret_id = "${var.approle_secret_id}"
}

provider "vault" {
  alias = "vault_approle"
  token = "${vault_approle_auth_backend_login.login.client_token}"
}

Debug Output

Error: Error refreshing state: 1 error(s) occurred:

cvbarros commented 5 years ago

Hi @darnold-harness, what you're trying to achieve is not possible: Terraform has to initialize the provider before it can provision any resources, so you have a chicken-and-egg situation here.

I suggest you wrap your terraform plan/apply cycle from the context you're trying to log in from using AppRole, providing the token as an input variable to your configuration. You can do that by leveraging Vault's CLI and a wrapper script around your terraform commands.
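
The wrapper approach suggested above, as an added example that is not part of the original thread or of the provider's code. It assumes the Vault CLI and terraform are on PATH, that VAULT_ADDR is already set, and that the role ID and secret ID arrive in the hypothetical environment variables APPROLE_ROLE_ID and APPROLE_SECRET_ID. The SAMPLE_LOGIN_JSON value is a constructed login response used only to exercise the token extraction; a real run gets that JSON from `vault write -format=json auth/approle/login ...`.

```shell
#!/bin/sh
# Hypothetical wrapper: log in to Vault with AppRole first, then run terraform
# with the resulting token, so the provider never needs a pre-existing token
# in the configuration. Example code, not the provider's own.
set -eu

# Pull "auth.client_token" out of the JSON that `vault write -format=json`
# prints. Uses sed rather than jq so the wrapper has no extra dependency.
# Prints nothing when the response carries no client_token (e.g. an error body).
extract_client_token() {
  printf '%s' "$1" | sed -n 's/.*"client_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Perform the AppRole login and return the raw JSON response on stdout.
approle_login() {
  vault write -format=json auth/approle/login \
    role_id="$APPROLE_ROLE_ID" secret_id="$APPROLE_SECRET_ID"
}

# Run `terraform "$@"` (e.g. plan or apply) with the AppRole token supplied
# both as VAULT_TOKEN (read by the vault provider when `token` is unset) and
# as TF_VAR_vault_token (for configs that wire `var.vault_token` explicitly).
run_terraform_with_approle() {
  login_json="$(approle_login)"
  token="$(extract_client_token "$login_json")"
  if [ -z "$token" ]; then
    echo "approle login returned no client_token; aborting" >&2
    return 1
  fi

  if VAULT_TOKEN="$token" TF_VAR_vault_token="$token" terraform "$@"; then
    rc=0
  else
    rc=$?
  fi

  # Best effort: revoke the login token once terraform is done, so it does
  # not outlive the run. Failures here must not mask terraform's exit code.
  VAULT_TOKEN="$token" vault token revoke -self >/dev/null 2>&1 || true
  return "$rc"
}

# Constructed sample response (not captured from a real Vault) for self-checks.
SAMPLE_LOGIN_JSON='{"request_id":"00000000-0000-0000-0000-000000000000","auth":{"client_token":"s.constructedexampletoken","accessor":"constructed","policies":["default","terraform"],"lease_duration":3600,"renewable":true}}'

# Only run terraform when the wrapper is invoked with arguments, e.g.
#   ./tf-approle.sh plan    or    ./tf-approle.sh apply -auto-approve
if [ "$#" -gt 0 ]; then
  run_terraform_with_approle "$@"
fi
```

On the Terraform side the configuration then declares `variable "vault_token" {}` and sets `provider "vault" { token = "${var.vault_token}" }` (or leaves `token` unset and relies on VAULT_TOKEN). Note that the provider uses the supplied token to create a short-lived child token for the run, so the AppRole's policy must allow creating child tokens; otherwise the provider fails at initialization even though the login itself succeeded.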

cvbarros commented 5 years ago

@tyrannosaurus-becks Recommendation: Close

darnold-harness commented 5 years ago

So, what is the purpose of the approle login?

cvbarros commented 5 years ago

To grab a token using the approle auth method. You could then use that token in many other contexts other than Vault - to provision a machine, for example and inject the token to it.

But how could you grab a token with this provider if, in order to initialize the provider and provision a resource, it would require the creation of a child token from another token? I don't believe this is meant to be used as a "passthrough" to apply Terraform, unless you use different modules, and that would be a similar approach to wrapping plan/apply. Either way, you'd need a token as a starting point; that is just the way Terraform and this provider work. Potentially, the provider authentication could be revamped, but it's a totally different matter and would require large-scale changes to the codebase.

MichaelSmyth0184 commented 5 years ago

Yeah, I am currently having this problem too. It makes the AppRole sort of useless if you're having to provide a token to begin with for the Vault provider just so you can retrieve another token. Makes no sense to me, tbh.