Tags: terraform, hashicorp-vault

How can I fix error writing to Vault: Error making API request


When I run terraform apply --auto-approve I can see the following error:

Error: error writing to Vault: Error making API request.

URL: POST http://host.docker.internal:8200/v1/sys/auth/approle
Code: 400. Errors:

* path is already in use at approle/

  on main.tf line 3, in resource "vault_auth_backend" "approle":
   3: resource "vault_auth_backend" "approle" {

Here's the snippet from main.tf:

provider "vault" {}

resource "vault_auth_backend" "approle" {
  type = "approle"
}

How can I fix it? Locally I could see the same problem when running vault server in dev mode, and restarting the dev server fixed the problem, but now I can see the issue when running docker run instead.


Solution

  • The message "path is already in use at approle/" is the key here

    With POST http://host.docker.internal:8200/v1/sys/auth/approle, we can infer that your Terraform state doesn't yet know that an auth method has already been mounted on the approle path, so it tries to create it, and Vault rejects the request because this path is already in use.

    Context: In Vault, you mount an authentication method (e.g. approle) to a path (e.g. approle/). This lets you mount the same authentication method multiple times, e.g. the Kubernetes, JWT or OIDC method mounted on different paths, so that each mount has settings specific to a given identity provider. That’s how you could have OIDC for both AzureAD and Google, or for different Kubernetes clusters.

    Back to your issue, there are a few ways to solve this:

    Solution 1. Sync Terraform state with the current state of the world to catch up

    The error comes because Terraform isn’t (yet!) aware that approle is already mounted on approle/. A terraform refresh might fix that, but it’s more likely that you have to manually "link" the existing resource with the Terraform state: terraform import vault_auth_backend.approle approle (see the Vault provider documentation).

    Solution 2. Start from a clean state

    If your approle/ path is already in use because of previous tests, you can simply unmount it from Vault so that Terraform correctly catches up. vault auth disable approle/ will remove the existing approle authentication. WARNING: if approle was already used for real authentication, then existing roles, role-ids, and secret-ids will be revoked immediately. Only do this if the existing approle auth method isn’t relied on by any service.
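To make Solution 1 repeatable (and to avoid reaching for Solution 2 when a mount is still in use), the script below checks whether the auth path is already mounted before Terraform touches it and decides between terraform import and a plain apply. This is an added example, not code from the question or the answer above; it assumes the JSON shape of vault auth list -format=json (an object keyed by mount path with a trailing slash), and the sample output embedded in it is constructed rather than captured from a real server.

```shell
#!/bin/sh
# Added example: decide whether a Vault auth mount already exists before
# running `terraform apply`, so the resource is imported instead of failing
# with "path is already in use".
# Assumption: `vault auth list -format=json` returns an object keyed by mount
# path (e.g. "approle/"). The sample below is constructed, not real output.

SAMPLE_AUTH_LIST='{
  "approle/": {"type": "approle", "accessor": "auth_approle_constructed"},
  "token/": {"type": "token", "accessor": "auth_token_constructed"}
}'

# mount_exists JSON PATH
# Exit 0 if PATH is a key of the auth-list JSON. A trailing slash is added
# when missing, because Vault always reports mount paths with one.
mount_exists() {
  json="$1"
  path="$2"
  case "$path" in
    */) ;;
    *) path="$path/" ;;
  esac
  printf '%s\n' "$json" | grep -q "\"$path\""
}

# plan_action JSON PATH
# Prints "import" when the mount already exists (Terraform state must be
# linked to it) or "create" when Terraform may create it itself.
plan_action() {
  if mount_exists "$1" "$2"; then
    echo import
  else
    echo create
  fi
}

# Real usage, against a reachable Vault with VAULT_ADDR and VAULT_TOKEN set:
#   LIVE=$(vault auth list -format=json)
#   case "$(plan_action "$LIVE" approle)" in
#     import) terraform import vault_auth_backend.approle approle ;;
#     create) echo "no existing mount; terraform apply will create it" ;;
#   esac
#   terraform apply
```

Running the import branch first keeps the existing mount (and any roles and secret-ids issued from it) intact, which is why this check is preferable to disabling the auth method whenever there is any doubt about whether something still authenticates through it.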