Problem
When attempting to run Vault CLI commands with HCP Vault, you receive a {"errors":["permission denied"]} error.
Cause
The Vault Namespace is not exported as an environment variable.
Use Case
For example, if you generate an admin token for your HCP Vault cluster and use it with the Vault CLI without setting the admin namespace, you receive a permission denied error, as seen in the snippet below.
~ ❯ vault auth enable jwt
Error enabling jwt auth: Error making API request.
Namespace: admin/
URL: POST https://vault-public-vault-c3635169.ccc36048.z1.hashicorp.cloud:8200/v1/sys/auth/jwt
Code: 403. Errors:
* permission denied
Solution
When using Vault CLI with HCP Vault, ensure the namespace is configured for use by the CLI.
Make sure the VAULT_NAMESPACE environment variable is set to “admin” (export VAULT_NAMESPACE=admin) or to a valid namespace within admin/.
If a namespace is not set, Vault CLI will send requests to the root namespace by default, which is inaccessible in HCP Vault.
~ ❯ env | grep VAULT
VAULT_TOKEN=<REDACTED>
VAULT_ADDR=https://vault-public-vault-c3635169.ccc36048.z1.hashicorp.cloud:8200
~ ❯ export VAULT_NAMESPACE=admin
~ ❯ vault auth enable jwt
Success! Enabled jwt auth method at: jwt/
You can also pass the namespace as a parameter to the CLI command, as seen below:
~ ❯ vault auth enable -ns=admin jwt
Success! Enabled jwt auth method at: jwt/
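A preflight check for scripts that call the Vault CLI against HCP Vault, added here as an example and not part of the original article or of the Vault CLI. The function name hcp_ns_check, the sample addresses, and the assumption that HCP Vault addresses end in .hashicorp.cloud are illustrative.

```shell
# Added example: hcp_ns_check is a hypothetical helper, not a Vault CLI command.
# Usage: hcp_ns_check [addr] [namespace]   (defaults: $VAULT_ADDR, $VAULT_NAMESPACE)
# Returns 0 if the namespace setting can work against HCP Vault, 1 if the CLI
# would target the root namespace or a path outside admin/.
hcp_ns_check() {
    _addr=${1-${VAULT_ADDR-}}
    _ns=${2-${VAULT_NAMESPACE-}}

    # Assumption: HCP Vault addresses end in .hashicorp.cloud, as in this article.
    _host=${_addr#*://}
    _host=${_host%%[:/]*}
    case "$_host" in
        *.hashicorp.cloud) ;;
        *) return 0 ;;  # not HCP Vault, so the root namespace may be usable
    esac

    # Treat admin, admin/ and /admin/ as the same value.
    while :; do
        case "$_ns" in
            /*) _ns=${_ns#/} ;;
            */) _ns=${_ns%/} ;;
            *)  break ;;
        esac
    done

    case "$_ns" in
        "")
            echo "VAULT_NAMESPACE is not set: requests go to root and return 403" >&2
            return 1 ;;
        admin|admin/*)
            return 0 ;;  # syntactic check only; the child namespace must still exist
        *)
            echo "VAULT_NAMESPACE=$_ns is not admin or a namespace under admin/" >&2
            return 1 ;;
    esac
}

# Constructed sample values; run the check before any vault command in a script.
# hcp_ns_check "https://example-cluster.hashicorp.cloud:8200" "admin" && vault auth enable jwt
```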
Additional Links
No Access to Root Namespace with HCP Vault
Permission denied when making CURL auth (login) request with HCP Vault