Richard

Reputation: 83

Error writing data to pki/issue/vault-server: common name not allowed by this role

When migrating the Vault FQDN from vault.**.**.**.abc.com to vault.**.**.**.def.com, I hit this error. I have already created the CNAME in Route 53 and the domain can be resolved.


```text
URL: PUT https://ap-ops-vault.***.com/v1/pki/issue/vault-server
Code: 400. Errors:

 * common name vault.**.**.**.def.com not allowed by this role
```

Upvotes: 4

Views: 5518

Answers (1)

lxop

Reputation: 8595

Without seeing your Vault role configuration, I would guess that you have the allowed_domains field set, with abc.com included but not def.com. You will need to update the role to allow names from the new domain.

Probably something like this in Terraform:

```hcl
resource "vault_pki_secret_backend_role" "role" {
  backend = vault_pki_secret_backend.pki.path
  name    = "my_role"
  ...
  # Both the old and the new parent domain must be listed; Vault matches the
  # requested common name against these strings, not against DNS.
  allowed_domains = ["abc.com", "def.com"]
  # Required so that hosts *under* def.com (vault.x.y.z.def.com) are accepted,
  # not just the bare name def.com.
  allow_subdomains = true
  ...
}
```

Docs:

Upvotes: 4
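The following is an added example, not code from the original post or from Vault itself: a simplified reimplementation of the role name checks (the real `allowed_domains`, `allow_subdomains`, `allow_bare_domains`, `allow_glob_domains` and `allow_any_name` role parameters; `enforce_hostnames` and `allowed_domains_template` are deliberately left out) so that the rejection in the question can be reproduced offline and the candidate role changes compared before anything is written to Vault. The common name `vault.eu.prod.internal.def.com` is a constructed stand-in for the redacted name in the question, and the role objects are assumptions about how the role was and could be configured. Note that DNS plays no part in this decision: Vault compares the requested name against the role's strings, so a resolvable CNAME in Route 53 does not help.

```python
"""Reproduce Vault's 'common name not allowed by this role' check offline.

Simplified reimplementation (not Vault's code) of the allowed_domains /
allow_subdomains / allow_bare_domains / allow_glob_domains / allow_any_name
rules. Pure string matching; DNS is never consulted.
"""
from dataclasses import dataclass, field


@dataclass
class PkiRole:
    """Role fields that decide whether a requested name is allowed.

    Field names mirror the Vault PKI role parameters; defaults are assumed
    to match Vault's (everything off unless explicitly enabled).
    """
    allowed_domains: list[str] = field(default_factory=list)
    allow_subdomains: bool = False
    allow_bare_domains: bool = False
    allow_glob_domains: bool = False
    allow_any_name: bool = False


def glob_match(pattern: str, name: str) -> bool:
    """Match with '*' as the only wildcard; each '*' spans any run of characters."""
    parts = pattern.split("*")
    if len(parts) == 1:
        return pattern == name
    if not name.startswith(parts[0]) or not name.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for part in parts[1:-1]:
        idx = name.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    # The prefix match must not overlap the suffix match.
    return pos <= len(name) - len(parts[-1])


def name_allowed(role: PkiRole, name: str) -> bool:
    """True if `name` satisfies at least one of the role's domain rules."""
    name = name.lower().rstrip(".")
    if role.allow_any_name:
        return True
    for domain in (d.lower() for d in role.allowed_domains):
        if role.allow_bare_domains and name == domain:
            return True
        if role.allow_subdomains and name.endswith("." + domain):
            return True
        if role.allow_glob_domains and "*" in domain and glob_match(domain, name):
            return True
    return False


def check_issue(role: PkiRole, common_name: str) -> str:
    """Return 'ok' or the same kind of message pki/issue returns on rejection."""
    if name_allowed(role, common_name):
        return "ok"
    return f"common name {common_name} not allowed by this role"


# Constructed stand-in for the redacted vault.**.**.**.def.com in the question.
NEW_CN = "vault.eu.prod.internal.def.com"

# Assumed: the role before the migration (old domain only) and after adding def.com.
OLD_ROLE = PkiRole(allowed_domains=["abc.com"], allow_subdomains=True)
NEW_ROLE = PkiRole(allowed_domains=["abc.com", "def.com"], allow_subdomains=True)

# Listing def.com without allow_subdomains still rejects a host under it;
# allow_bare_domains admits only "def.com" itself.
BARE_ONLY_ROLE = PkiRole(allowed_domains=["def.com"], allow_bare_domains=True)

# Tighter alternative: a glob that admits only vault hosts under def.com.
GLOB_ROLE = PkiRole(allowed_domains=["vault.*.def.com"], allow_glob_domains=True)

if __name__ == "__main__":
    for label, role in [("old", OLD_ROLE), ("new", NEW_ROLE),
                        ("bare-only", BARE_ONLY_ROLE), ("glob", GLOB_ROLE)]:
        print(f"{label:9s} {NEW_CN}: {check_issue(role, NEW_CN)}")
```

Before changing anything, `vault read pki/roles/vault-server` shows the role's current `allowed_domains` and `allow_subdomains` values; if the new parent domain is missing there, that is the cause regardless of DNS. The glob variant is the least-privilege option when only Vault hosts should be able to obtain certificates from this role, since a broad `allowed_domains = ["def.com"]` with `allow_subdomains = true` lets any caller with access to the role request a certificate for any name under def.com.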
