Vault: Error making API request while copy pasting the getting started guide

Created on 29 Oct 2016 · 20 Comments · Source: hashicorp/vault

Followed the getting started guide step by step:

  1. Installed vault
  2. vault server -dev
  3. vault status (works)
Sealed: false
Key Shares: 1
Key Threshold: 1
Unseal Progress: 0
Version: 0.6.2
Cluster Name: vault-cluster-id
Cluster ID: id

High-Availability Enabled: false

When I execute vault write secret/hello value=world I'm getting the following error: * missing client token

Full output:

vagrant@vagrant:~$ vault write secret/hello value=world
Error writing data to secret/hello: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/secret/hello
Code: 400. Errors:

* missing client token

Any guidance would be helpful.

All 20 comments

Running vault auth and entering the root token before running vault write secret/hello value=world solves the problem.

What OS are you on? Running vault server -dev unless recently changed, which I don't think it has, puts the root token in $HOME/.vault-token which the CLI tool looks for automatically. Running vault auth in dev mode shouldn't be necessary.

I guess if for some reason it can't write .vault-token this may be a problem, but as @ekristen said this should happen automatically.

The vagrant OS was Ubuntu 16.04

Accidentally closed

Ubuntu 16.04 is what I develop on and I've never seen this issue. You should take a look at your .vault-token file, start a new dev server, and see if the timestamp on .vault-token was updated. If not, it appears that something is causing Vault to be unable to write to that file.

Hello,
I am working with the vault dev docker container. I am trying to get the token to authenticate. I am getting permission denied when running vault auth.

/ # vault auth
Token (will be hidden):
Error validating token: Error making API request.
URL: GET http://127.0.0.1:8200/v1/auth/token/lookup-self
Code: 403. Errors:

* permission denied

/ # $HOME/.vault-token
/bin/sh: /root/.vault-token: Permission denied
/ # vault auth
Token (will be hidden):
I'm not sure why this would happen, but you can work around by just exporting VAULT_TOKEN to the value of your token. (vault auth with just a token value only sets it in the token helper for future commands.)

Am I doing something wrong?

/ # vault token-create
Error creating token: Post https://127.0.0.1:8200/v1/auth/token/create: http: server gave HTTP response to HTTPS client

@mwithrow Yes, the default address for the client is https://127.0.0.1:8200 but you're not using TLS. Set the -address flag or VAULT_ADDR and you should be good.

Think the issue needs to be reopened.

I had the same issue today, I had to run a vault auth, which led me to vault login.

I am using the docker image, I pulled the latest today:

# from the container
/ # vault version
Vault v0.9.6 ('7e1fbde40afee241f81ef08700e7987d86fc7242')
# from my macbook
$ docker images | grep vault
vault               latest              3d23338f1efc        32 hours ago        90.6MB

I started a container with the following command (note the VAULT_ADDR):

docker run --cap-add=IPC_LOCK -p 8200:8200 -d --name=dev-vault -e VAULT_ADDR='http://0.0.0.0:8200' vault

In the container I tried to follow the tutorial:

/ # vault write secret/hello value=world
Error writing data to secret/hello: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/secret/hello
Code: 400. Errors:

* missing client token

So I checked the logs:

    -> % docker logs dev-vault
==> Vault server configuration:

                     Cgo: disabled
         Cluster Address: https://0.0.0.0:8201
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
        Redirect Address: http://0.0.0.0:8200
                 Storage: inmem
                 Version: Vault v0.9.6
             Version Sha: 7e1fbde40afee241f81ef08700e7987d86fc7242

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://0.0.0.0:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: +cG+0s+2l1q67ZL0/FvFWU+QIg/it6i2LahYm+viGWo=
Root Token: 7df84f6e-3009-a383-f9c0-0002310e4ee7

Found this GitHub Issue and did:

/ # find . -name '.vault-token'
./home/vault/.vault-token
/ # cat /home/vault/.vault-token
7df84f6e-3009-a383-f9c0-0002310e4ee7

The vault token is the same as the root token.

But I did a vault auth (then a vault login because the former was said to be deprecated) and added the token all over again and now I can write secrets.

The getting started guide is written for running the Vault binary directly, not via a Docker container.

@jefferai - that is accurate, thank you for commenting.

At the same time, an earlier comment of yours on this Issue mentions:

Running vault auth in dev mode shouldn't be necessary.

And in the logs:

The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

The point of my comment was that I had to run vault login in dev mode. I am unsure if packaging the binary in a container should change the behavior.

It does, because Dev mode will populate the generated token into the token file automatically. If that happens in a Docker container instead it won't work because it's a different home dir. It likely would still work if you then ran all further Vault commands in the guide from within the container, but I'm not sure.

@agamdua thank you for the instructions!

I forgot to note the root token. Is there a way to retrieve it again?

Yes, you can: issue the command vault init. It will generate the 5 keys, which are used to reform the master key, along with the root token.

Hi guys, I'm having the same issue when I set export VAULT_ADDR='https://127.0.0.1:8200' to be https, whereas with http it works. How can I enable https without client certification verification? I understand that without disabling the TLS element in the config, Vault enables TLS mutual auth, is that correct?

With Docker, I copied /vault to /root/vault followed by vault login and now it works. I am using the following Vault version:

Vault v1.0.0 ('c19cef14891751a23eaa9b41fd456d1f99e7e856')

To expand upon @puneetbehl's comment, this command worked for me (using vault:1.3.4 in Docker):
cp /home/vault/.vault-token ~/.vault-token

No vault login was necessary.

Within the context of docker-compose, this works despite inelegance:

version: "3.7"

services:
  vault:
    image: vault:1.3.4
    ports:
      - 8200:8200
    entrypoint: ""
    command: >
      /bin/sh -c -x '(docker-entrypoint.sh server -dev) &
      (export VAULT_ADDR=http://127.0.0.1:8200 &&
      sleep 3s &&
      cp /home/vault/.vault-token ~/.vault-token &&
      vault token create -wrap-ttl=1440m -field=wrapping_token && echo); wait'

Hopefully this will save others who find this some time and effort.
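
The client-side causes discussed in this thread (no VAULT_TOKEN, a .vault-token written to a different user's home directory, and the client's https default against a non-TLS dev listener) can be checked from the shell. This is an added example, not part of the original thread or of Vault itself; the function names and result strings are hypothetical, and the home directory of the user the dev server runs as is passed in as an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): explain why the Vault CLI would send
# no token, or use the wrong scheme, for the user running the command.
# Function names and result strings are hypothetical.

# Print where the CLI would take its token from for home directory $1:
# "env", "file" or "none". VAULT_TOKEN takes precedence over the token file.
token_source() {
    home=$1
    if [ -n "${VAULT_TOKEN:-}" ]; then
        echo env
    elif [ -r "$home/.vault-token" ] && [ -s "$home/.vault-token" ]; then
        echo file
    else
        echo none
    fi
}

# Print the scheme the CLI will use. With VAULT_ADDR unset the client
# defaults to https://127.0.0.1:8200, which fails against a dev listener
# started with TLS disabled.
addr_scheme() {
    addr=${VAULT_ADDR:-https://127.0.0.1:8200}
    echo "${addr%%://*}"
}

# Diagnose token lookup for client home $1, given $2, the home directory of
# the user the dev server runs as (assumed known, e.g. /home/vault in the
# Docker image shown in the thread).
diagnose() {
    client_home=$1
    server_home=$2
    case $(token_source "$client_home") in
        env|file)
            echo "token-ok" ;;
        none)
            if [ -s "$server_home/.vault-token" ]; then
                # Dev mode wrote the root token for another user:
                # the "missing client token" case from this thread.
                echo "token-in-other-home"
            else
                echo "no-token-anywhere"
            fi ;;
    esac
}

# Report for the current shell, assuming the server user's home is /home/vault.
echo "scheme=$(addr_scheme) token=$(diagnose "$HOME" /home/vault)"
```

A result of token-in-other-home corresponds to the fixes given above: copy the token file into the current user's home, or export VAULT_TOKEN.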
