
Missing client token on second and third instances #5

@leoj3n

Description


The README suggests that it should be possible to use the vault CLI from within the third instance to write a key/value pair:

$ docker exec -it vault_vault_3 vault write secret/hello value=world
Success! Data written to: secret/hello

However, running that command on the third instance as suggested (or even the second instance) gives this error:

Error writing data to secret/hello: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/secret/hello
Code: 400. Errors:

* missing client token

However, the request does succeed when run on the first instance (ignoring the lack of a handler for this particular path):

Error writing data to secret/hello: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/secret/hello
Code: 404. Errors:

* no handler for route 'secret/hello'

This is because the third and second instances do not contain /root/.vault-token, most likely because this line in the setup script only operates on the first instance:

vault/setup.sh (line 296 in 20765c8):

docker exec -it ${vault}_1 vault auth -address='https://127.0.0.1:8200'

I believe the vault auth command generates that token.

Unlike the HTTP API which I believe forwards requests made to standby nodes to the active primary node, I'm guessing the vault CLI does not do any such forwarding.

Since I don't know much about how vault works in practice, it leaves me wondering if all instances should be authed, or if the first instance's token should be deleted after initialization?

I'm not sure if deleting the token from the first instance would break functionality for app code trying to interact with vault via the HTTP API or if not authing the standby instances means vault will cease to work if/when the primary instance goes down.

Any clarification on this would be greatly appreciated, so I can avoid trial by fire.
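An added diagnostic for the situation described in this issue (it is not part of the issue or of the project's setup.sh): for each Vault container it reports whether the CLI inside has a usable token, separating the "missing" case above (no /root/.vault-token) from a token file that is present but no longer valid on the server. It assumes the container names and address shown in the issue and that the image's vault binary supports `vault token lookup`.

```shell
#!/bin/sh
# Added example, not from the issue or the project's setup.sh.
# For each Vault container, check (a) that /root/.vault-token exists and
# (b) that "vault token lookup" succeeds, i.e. the token is still valid.
# Container names (vault_vault_N) and the address are those in the issue.
set -u

VAULT_ADDR="https://127.0.0.1:8200"

# Exit 0 if the container holds a CLI token file, non-zero otherwise.
has_token_file() {
  docker exec "$1" test -f /root/.vault-token >/dev/null 2>&1
}

# Exit 0 if the CLI in the container can look up its own token (present
# and accepted by the server), non-zero otherwise.
token_is_valid() {
  docker exec "$1" vault token lookup -address="$VAULT_ADDR" >/dev/null 2>&1
}

# One status word per container: "ok", "invalid" (file present but the
# lookup fails, e.g. revoked token) or "missing" (no token file, the
# issue's case on instances 2 and 3).
token_status() {
  if ! has_token_file "$1"; then
    echo missing
  elif token_is_valid "$1"; then
    echo ok
  else
    echo invalid
  fi
}

# Print "<container>: <status>" for every container given as an argument;
# exit 1 if any container is not "ok".
check_instances() {
  rc=0
  for c in "$@"; do
    s=$(token_status "$c")
    echo "$c: $s"
    [ "$s" = ok ] || rc=1
  done
  return $rc
}

if [ "$#" -gt 0 ]; then
  check_instances "$@"
fi
```

Run it as `sh check_tokens.sh vault_vault_1 vault_vault_2 vault_vault_3` on the host that runs the containers.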
