provider.vault: failed to create limited child token: Post https://site:8200/v1/auth/token/create


walker.h...@gmail.com

Dec 29, 2017, 2:15:48 PM
to Terraform
I'm more familiar with Vault than I am with Terraform, oddly enough, but I've been working to use Terraform more and more, so I was going through what appears to be a very simple configuration, but I have an error and I'm stuck. Any advice would be appreciated.

Thank you.

I can successfully use the Vault CLI to access Vault from the Terraform server; network, DNS and certs aren't apparently an issue. There are no proxy servers between A and B.
I've tested with a 2nd-tier root token in Terraform to get the below. I tested the root token by being authenticated with said token using the CLI and
manually running vault read secretMountName/creds/rolename using the token; it was a success.
(The ERROR)
Error: Error refreshing state: 1 error(s) occurred:

* provider.vault: failed to create limited child token: Post https://site:8200/v1/auth/token/create: Proxy Error



Config: 

(info from terraform init)
* provider.aws: version = "~> 1.6"
* provider.vault: version = "~> 1.0"

(Provider.tf)
provider "vault" {
  address = "${var.vault_site_url}"
  token = "${var.vault_token}"
}
data "vault_aws_access_credentials" "creds" {
  backend = "${var.vault_aws_secret_backend_path}"
  role    = "${var.vault_aws_secret_backend_role}"
}

provider "aws" {
 # access_key = "${var.aws_access_key_id}"
 # secret_key = "${var.aws_secret_access_key}"
  access_key = "${data.vault_aws_access_credentials.creds.access_key}"
  secret_key = "${data.vault_aws_access_credentials.creds.secret_key}"
  region = "${var.aws_region}"
}
###############  Vault Configuration ##################
variable "vault_aws_secret_backend_path" {}
variable "vault_aws_secret_backend_role" {}
variable "vault_token" {}
variable "vault_site_url" {}

(terraform.tfvars)
###############  Vault Configuration ##################
vault_aws_secret_backend_path = "SecretMountName"
vault_aws_secret_backend_role = "RoleName"
vault_token = "RootToken"
vault_site_url = "https://site.com:8200"



(Debug Log Info)
var.vault_aws_secret_backend_path - *terraform.NodeRootVariable
var.vault_aws_secret_backend_role - *terraform.NodeRootVariable
var.vault_site_url - *terraform.NodeRootVariable
var.vault_token - *terraform.NodeRootVariable
var.web_ami - *terraform.NodeRootVariable
var.web_instance_type - *terraform.NodeRootVariable
2017/12/29 19:05:37 [DEBUG] Starting graph walk: walkRefresh
2017-12-29T19:05:37.536Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: 2017/12/29 19:05:37 [DEBUG] Vault API Request Details:
2017-12-29T19:05:37.536Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: ---[ REQUEST ]---------------------------------------
2017-12-29T19:05:37.536Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: POST /v1/auth/token/create HTTP/1.1
2017-12-29T19:05:37.536Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: Host: Site.com:8200
2017-12-29T19:05:37.536Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: User-Agent: Go-http-client/1.1
2017-12-29T19:05:37.536Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: Content-Length: 101
2017-12-29T19:05:37.536Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: X-Vault-Token: ******VaultRootToken*******
2017-12-29T19:05:37.536Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: Accept-Encoding: gzip
2017-12-29T19:05:37.536Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4:
2017-12-29T19:05:37.536Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4:
2017-12-29T19:05:37.536Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: -----------------------------------------------------
2017-12-29T19:05:38.725Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: 2017/12/29 19:05:38 [DEBUG] Vault API Request Details:
2017-12-29T19:05:38.725Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: ---[ REQUEST ]---------------------------------------
2017-12-29T19:05:38.725Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: POST /v1/auth/token/create HTTP/1.1
2017-12-29T19:05:38.725Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: Host: Site.com:8200
2017-12-29T19:05:38.725Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: User-Agent: Go-http-client/1.1
2017-12-29T19:05:38.725Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: Content-Length: 101
2017-12-29T19:05:38.725Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: X-Vault-Token: ******VaultRootToken*******
2017-12-29T19:05:38.725Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: Accept-Encoding: gzip
2017-12-29T19:05:38.725Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4:
2017-12-29T19:05:38.725Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4:
2017-12-29T19:05:38.725Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: -----------------------------------------------------
2017-12-29T19:05:40.867Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: 2017/12/29 19:05:40 [DEBUG] Vault API Request Details:
2017-12-29T19:05:40.867Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: ---[ REQUEST ]---------------------------------------
2017-12-29T19:05:40.867Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: POST /v1/auth/token/create HTTP/1.1
2017-12-29T19:05:40.867Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: Host: Site.com:8200
2017-12-29T19:05:40.867Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: User-Agent: Go-http-client/1.1
2017-12-29T19:05:40.867Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: Content-Length: 101
2017-12-29T19:05:40.867Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: X-Vault-Token: ******VaultRootToken*******
2017-12-29T19:05:40.867Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: Accept-Encoding: gzip
2017-12-29T19:05:40.867Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4:
2017-12-29T19:05:40.867Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4:
2017-12-29T19:05:40.867Z [DEBUG] plugin.terraform-provider-vault_v1.0.0_x4: -----------------------------------------------------
2017/12/29 19:05:40 [ERROR] root: eval: *terraform.EvalConfigProvider, err: failed to create limited child token: Post https://Site.com:8200/v1/auth/token/create: Proxy Error
2017/12/29 19:05:40 [ERROR] root: eval: *terraform.EvalSequence, err: failed to create limited child token: Post https://Site.com:8200/v1/auth/token/create: Proxy Error
2017/12/29 19:05:40 [ERROR] root: eval: *terraform.EvalOpFilter, err: failed to create limited child token: Post https://Site.com:8200/v1/auth/token/create: Proxy Error
2017/12/29 19:05:40 [ERROR] root: eval: *terraform.EvalSequence, err: failed to create limited child token: Post https://Site.com:8200/v1/auth/token/create: Proxy Error
2017/12/29 19:05:40 [DEBUG] plugin: waiting for all plugin processes to complete...


Vault is 3 Vault/Consul clients behind an ELB and 3 Consul servers at AWS; the Terraform server is just an AWS Linux box. All are connected through transit VPCs.


I'm sure it's a config issue on my end, but I can't for the life of me figure out what =)

Thanks in advance for your help. 

Paddy Carver

Jan 8, 2018, 8:59:22 PM
to terrafo...@googlegroups.com
When you successfully make requests with the Vault CLI, is VAULT_ADDR set to "https://site.com:8200" exactly? If not, does changing the vault_site_url variable to the value of VAULT_ADDR fix the issue?


Geoff Webster

Mar 9, 2018, 6:49:52 PM
to Terraform
Not sure if you figured it out, but the Vault token you're using with Terraform needs the ability to create a child token, as the Vault provider creates a time-limited token based off of yours. Basically I think you need create/update permissions on auth/token/create.
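As an added example that is not part of this thread, the following Python script evaluates, offline, whether a token's attached policies would authorise the provider's POST to auth/token/create, the permission the reply above describes. The policy names and bodies are constructed for the example; against a live Vault the equivalent check is `vault token capabilities auth/token/create`, run with the same token Terraform is given. The script implements the subset of Vault's policy rules needed here: an exact path rule wins over glob rules, the longest matching glob wins otherwise, capabilities for the same path are merged across policies, and a deny in the matched rule overrides everything.

```python
"""Offline check: do these Vault policies let a token mint a child token?

Added example, not code from the thread or from the Vault provider. It models
the subset of Vault's policy evaluation needed to answer one question: would a
POST to auth/token/create (what provider "vault" does on every run) be allowed?
"""
import re
from typing import Dict, List, Set

# Policy bodies below are constructed for this example; the names are assumptions.
POLICIES: Dict[str, str] = {
    # Can read AWS creds but nothing else: a narrowly scoped token like this
    # makes the provider fail with "failed to create limited child token".
    "terraform-aws-reader": '''
        path "aws/creds/*" {
          capabilities = ["read"]
        }
    ''',
    # What the provider additionally needs: create/update on auth/token/create.
    "terraform-child-token": '''
        path "auth/token/create" {
          capabilities = ["create", "update"]
        }
    ''',
    # An explicit deny on the same path, to show that deny takes precedence.
    "no-token-minting": '''
        path "auth/token/create" {
          capabilities = ["deny"]
        }
    ''',
}

# Matches the `path "..." { capabilities = [...] }` stanza form of Vault policy HCL.
_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Return {path_pattern: {capabilities}} for the stanzas in one policy body."""
    rules: Dict[str, Set[str]] = {}
    for path, caps in _RULE.findall(hcl):
        names = (c.strip().strip('"') for c in caps.split(","))
        rules.setdefault(path, set()).update(n for n in names if n)
    return rules


def _matches(pattern: str, path: str) -> bool:
    """Vault path matching: '+' matches one segment, a trailing '*' matches any suffix."""
    glob = pattern.endswith("*")
    if glob:
        pattern = pattern[:-1]
    regex = "/".join(r"[^/]+" if seg == "+" else re.escape(seg) for seg in pattern.split("/"))
    if glob:
        regex += ".*"
    return re.fullmatch(regex, path) is not None


def capabilities(policy_names: List[str], path: str,
                 policies: Dict[str, str] = POLICIES) -> Set[str]:
    """Capabilities a token holding these policies has on `path`."""
    if "root" in policy_names:          # root tokens bypass policy evaluation entirely
        return {"root"}
    exact: Set[str] = set()
    globs: Dict[str, Set[str]] = {}
    for name in policy_names:
        for pattern, caps in parse_policy(policies[name]).items():
            if pattern == path:
                exact |= caps           # same exact path across policies is merged
            elif _matches(pattern, path):
                globs.setdefault(pattern, set()).update(caps)
    if exact:
        caps = exact                    # exact match beats any glob
    elif globs:
        caps = globs[max(globs, key=len)]   # otherwise the most specific glob wins
    else:
        return {"deny"}                 # no rule matched: Vault's default is deny
    return {"deny"} if "deny" in caps else caps


def can_create_child_token(policy_names: List[str],
                           policies: Dict[str, str] = POLICIES) -> bool:
    """True if the provider's POST auth/token/create would be authorised."""
    caps = capabilities(policy_names, "auth/token/create", policies)
    return "root" in caps or bool(caps & {"create", "update"})


if __name__ == "__main__":
    for names in (["terraform-aws-reader"],
                  ["terraform-aws-reader", "terraform-child-token"],
                  ["terraform-child-token", "no-token-minting"]):
        print(names, "->", sorted(capabilities(names, "auth/token/create")),
              "child token:", can_create_child_token(names))
```

The first policy set is the one a carefully scoped Terraform token usually ends up with (read on the AWS secrets path only), and it is exactly the set that cannot mint the provider's limited child token; adding the second policy fixes that without granting anything on the secrets side. Using a root token, as in the original post, sidesteps the check, which is why a failure there points at the path to Vault (the ELB answering "Proxy Error") rather than at policy.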