Usama Shahid

Reputation: 120

Vault approle authentication fails through API

So I am using Vault AppRole with Airflow as the secret backend, and it keeps throwing a permission denied error on $VAULT_ADDR/v1/auth/approle/login. I tried using AppRole from the CLI like:

vault write auth/approle/login role_id="$role_id" secret_id="$secret_id"

and it works fine. But if I try it using API:

curl --request POST --data @payload.json $VAULT_ADDR/v1/auth/approle/login

where payload.json contains the secret ID and role ID, it fails with permission denied.

Here is my policy:

vault policy write test-policy -<<EOF

path "kv/data/airflow/*" {
  capabilities = [ "read", "list" ]
}
EOF

It works fine for reading on this path. And the role:

vault write auth/approle/role/test-role token_ttl=4h token_max_ttl=5h token_policies="test-policy"

I don't know why it is failing with the API. An important thing to mention is that I am using the cloud-based HCP Vault.

Upvotes: 2

Views: 2436

Answers (2)

Abdul Manan

Reputation: 26

The problem is with your AppRole authentication. You need to provide the admin namespace in your URL. Change this:

curl --request POST --data @payload.json $VAULT_ADDR/v1/auth/approle/login

To this:

curl --request POST --data @payload.json $VAULT_ADDR/v1/admin/auth/approle/login

Furthermore, if you are trying to access it from a third-party tool like Airflow, then try adding "namespace=admin" to your config file.

Upvotes: 1

Usama Shahid

Reputation: 120

Found the problem. HCP Vault uses a namespace (default = admin). The namespace was needed in the URL:

$VAULT_ADDR/v1/admin/auth/approle/login

but the problem still exists in Airflow's HashiCorp provider. Changing the auth_mount_point still concatenates it at the end as:

$VAULT_ADDR/v1/auth/{$auth_mount_point}

Upvotes: 0
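As an added example (not code from either post or from Airflow's provider), the helper below builds the AppRole login call for a namespaced Vault in the two forms Vault accepts: the namespace as a path segment, which is the fix found above, or the X-Vault-Namespace request header, which keeps the path at /v1/auth/<mount>/login and so sidesteps the concatenation problem described for clients that only expose auth_mount_point. The vault.example address and role/secret values are constructed placeholders.

```python
import json
import urllib.request

# Added example. vault_addr, role_id and secret_id are supplied by the caller;
# the defaults match the thread (HCP "admin" namespace, "approle" mount).


def approle_login_request(vault_addr, role_id, secret_id, namespace="admin",
                          auth_mount_point="approle", namespace_in_path=True):
    """Build (but do not send) the AppRole login call for a namespaced Vault.

    Returns a dict with url, headers and JSON body. With namespace_in_path
    the URL becomes /v1/<namespace>/auth/<mount>/login; otherwise the
    namespace travels in the X-Vault-Namespace header and the path stays
    /v1/auth/<mount>/login, which Vault treats the same way.
    """
    base = vault_addr.rstrip("/") + "/v1"
    headers = {"Content-Type": "application/json"}
    ns = (namespace or "").strip("/")
    if ns and namespace_in_path:
        base += "/" + ns
    elif ns:
        headers["X-Vault-Namespace"] = ns
    url = f"{base}/auth/{auth_mount_point.strip('/')}/login"
    body = json.dumps({"role_id": role_id, "secret_id": secret_id})
    return {"url": url, "headers": headers, "body": body}


def approle_login(vault_addr, role_id, secret_id, **kwargs):
    """Send the login request and return the client token (network call)."""
    call = approle_login_request(vault_addr, role_id, secret_id, **kwargs)
    req = urllib.request.Request(call["url"], data=call["body"].encode(),
                                 headers=call["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["auth"]["client_token"]


if __name__ == "__main__":
    # Constructed values: print both equivalent forms without contacting Vault.
    for in_path in (True, False):
        c = approle_login_request("https://vault.example:8200/", "rid", "sid",
                                  namespace_in_path=in_path)
        print(c["url"], c["headers"])
```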
