From 93742883a5c096c9bfaef6396b7d19a7cdf54ccd Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 6 Jul 2026 23:43:16 +1000 Subject: [PATCH] fix: skip_child_token on vault provider The CI VAULT_TOKEN (short-lived k8s-auth role token) can't create child tokens, so the vault provider failed with 'failed to create limited child token: permission denied'. Use the token directly. --- environments/root.hcl | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/environments/root.hcl b/environments/root.hcl index 955ce83..8667a77 100644 --- a/environments/root.hcl +++ b/environments/root.hcl @@ -8,8 +8,11 @@ provider "authentik" { } # Reads client secrets seeded in Vault (kv-v2). Auth via VAULT_ADDR + VAULT_TOKEN -# from the environment (set by the Makefile vault_env helper). -provider "vault" {} +# from the environment (set by the Makefile vault_env helper). skip_child_token +# is required because the short-lived CI token cannot create child tokens. +provider "vault" { + skip_child_token = true +} variable "authentik_token" { type = string