alexandernst

Reputation: 15099

Using Hashicorp Packer with Vault Secret Engine KV2

I'm trying to use packer with vault secret engine kv2, but so far I'm hitting an auth/permission error. I'm trying to read a secret from vault, as shown in the examples. In my test.json file I have a variables object, and inside I have an access_key and a secret_key key. Each one of those contains {{ vault/secret/data/Foo/testaccess_key}}.

"variables": {
    "access_key": "{{ vault `/secret/data/Foo/test` `access_key`}}",
    "secret_key": "{{ vault `/secret/data/Foo/test` `secret_key`}}"
}

In vault, I created a token (which I use with packer), and the token has a policy such that:

path "secret/*" {
    capabilities = ["list"]
}
path "secret/data/Foo/test" {
    capabilities = ["read"]
}

According to docs, this should be enough for packer to be able to read the secret, but when I run packer I get

Error initializing core: error interpolating default value for 'access_key':
template: root:1:3: executing "root" at <vault `/secret/data/...>:
error calling vault: Error reading vault secret: Error making API request.
Permission denied.

URL: GET
https://vault.*******.com/v1/secret/data/Foo/test
Code: 403. Errors:

* 1 error occurred:
    * permission denied

If I understand correctly, the cause of the problem is the policy not granting enough permissions to packer in order to allow it to read my secret. Am I right? If "yes", how should I modify my policy?

Upvotes: 3

Views: 1377

Answers (1)

GonzalezAndrew

Reputation: 539

Try something like this for your Packer token policy (don't forget to remake the token with the new policy, you can't update policies on preexisting tokens):

path "secret/*" {
    capabilities = ["list"]
}
path "secret/data/Foo/*" {
    capabilities = ["read"]
}

I've been in the process of learning Vault and have found that whenever I specifically hardcode a path to a particular secret in a policy, I run into the same error. Hopefully this helps you out. This guide details how to use AppRole authentication with tokens; it may help.

Upvotes: 2
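To make the difference between the two policies concrete (the asker's exact-path rule and the answer's `secret/data/Foo/*` glob), here is an added example, written for this page and not code from Packer, Vault or either poster. It is a small Python model of Vault's documented ACL matching: an exact path rule takes precedence, otherwise the longest glob prefix (a trailing `*`) wins, and the request's HTTP operation must be covered by that rule's capabilities. The two policies are copied from the posts; the request list is constructed, and the `+` single-segment wildcard is deliberately left out of the model. Because KV v2 serves secrets at `secret/data/...` and listings at `secret/metadata/...` (the 403 in the question is for `v1/secret/data/Foo/test`), the model checks both kinds of path.

```python
import re
from dataclasses import dataclass

# Policy from the question: list on everything, read on one exact KV v2 data path.
QUESTION_POLICY = '''
path "secret/*" {
    capabilities = ["list"]
}
path "secret/data/Foo/test" {
    capabilities = ["read"]
}
'''

# Policy from the answer: same list rule, read widened to every secret under Foo/.
ANSWER_POLICY = '''
path "secret/*" {
    capabilities = ["list"]
}
path "secret/data/Foo/*" {
    capabilities = ["read"]
}
'''

# HTTP operation -> Vault capability that authorises it.
OP_TO_CAPABILITY = {"GET": "read", "LIST": "list", "POST": "update",
                    "PUT": "update", "DELETE": "delete"}

# Constructed requests: the one Packer makes, plus neighbours that show the blast radius.
CHECKS = [
    ("GET", "secret/data/Foo/test"),      # what the packer template asks for
    ("GET", "secret/data/Foo/other"),     # sibling secret under Foo/
    ("GET", "secret/data/Bar/test"),      # secret in another prefix
    ("LIST", "secret/metadata/Foo"),      # KV v2 listing goes through metadata/
    ("DELETE", "secret/data/Foo/test"),   # destructive op on the same secret
]


@dataclass(frozen=True)
class Rule:
    path: str
    capabilities: frozenset


# Minimal HCL extractor: only `path "<p>" { capabilities = [...] }` blocks are understood.
_RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> list:
    """Turn a policy document into a list of Rule objects."""
    rules = []
    for path, caps in _RULE_RE.findall(hcl):
        capset = frozenset(c.strip().strip('"') for c in caps.split(",") if c.strip())
        rules.append(Rule(path, capset))
    return rules


def matching_rule(rules: list, request_path: str):
    """Exact path first; otherwise the longest glob prefix (trailing '*'); else None."""
    for rule in rules:
        if rule.path == request_path:
            return rule
    globs = [r for r in rules
             if r.path.endswith("*") and request_path.startswith(r.path[:-1])]
    return max(globs, key=lambda r: len(r.path)) if globs else None


def is_allowed(rules: list, op: str, request_path: str) -> bool:
    """True if the matching rule grants the capability the operation needs."""
    rule = matching_rule(rules, request_path)
    if rule is None or "deny" in rule.capabilities:
        return False
    return OP_TO_CAPABILITY[op] in rule.capabilities


def compare_policies() -> dict:
    """Evaluate every constructed request against both policies."""
    results = {}
    for name, hcl in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        rules = parse_policy(hcl)
        results[name] = {f"{op} {path}": is_allowed(rules, op, path) for op, path in CHECKS}
    return results


if __name__ == "__main__":
    for name, outcome in compare_policies().items():
        print(f"--- {name} policy ---")
        for request, allowed in outcome.items():
            print(f"{'ALLOW' if allowed else 'DENY ':5} {request}")
```

Under these documented rules the asker's exact-path policy already permits `GET secret/data/Foo/test`, so a 403 with that policy is worth cross-checking with `vault token lookup`, which prints the policies actually attached to the token in use; as the answer notes, a token keeps the policies it was issued with, so it must be recreated after a policy change. The glob form grants read on every secret beneath `secret/data/Foo/`, which is the trade-off to be aware of when widening the rule.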
