Here's what I want to do. I use credentials that I've stored in AAP to access HashiVault, and I want to create a playbook that uses those credentials to get what I want from HashiVault.
But everything I try doesn't work. There is a credential type called HashiCorp Vault Secret Lookup that we tried, and it doesn't quite work how we want. It only allows us to pull one secret, and the way we have it set up we can't use more than one credential of that type in our template. The way I have it set up now is that I went to credential types and created my own credential type that looks like this.
fields:
  - id: vault_server
    type: string
    label: URL for Vault Server
  - id: vault_role_id
    type: string
    label: Vault AppRole ID
  - id: vault_secret_id
    type: string
    label: Vault Secret ID
    secret: true
required:
  - vault_server
  - vault_role_id
  - vault_secret_id
I then went into credentials and created a new credential based on this credential type. It asked me for a role_id and a secret_id, which I got from my Vault server by using
    vault read auth/approle/role/my-role/role-id
and
    vault write -f auth/approle/role/my-role/secret-id
I entered both of those into my credential and entered the Vault URL.
I then wrote a playbook like this.
- name: Read a secret from Vault with AppRole credentials
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Authenticate with Vault using AppRole
      community.hashi_vault.vault_read:
        url: "{{ vault_url }}"
        auth_method: approle
        role_id: "{{ role_id }}"
        secret_id: "{{ secret_id }}"
        path: "{{ secret_path }}"
        ca_cert: "{{ path_to_cert }}"
      register: secret_data
      delegate_to: localhost

    - name: Debug secret response
      ansible.builtin.debug:
        var: secret_data
I launch my template and I get "Forbidden Permission Denied to Path my/path/in/vault". I do have the right policy, which is assigned to my AppRole and which has the correct path.
path "my/path/in/vault" {
  capabilities = ["read", "list"]
}
I'm not sure where else to go from here. If someone can provide any insight, or even a different way forward, I would greatly appreciate it. I have read all the documentation from here
.4/html/userguide/credential_plugins.html#id7
amongst some other posts on Reddit and other forums.
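As an added example (not the post's own configuration), here are the two pieces an AAP job needs to reach Vault this way: a custom credential type whose injectors expose the inputs as extra_vars, and a playbook that first asks Vault what the AppRole login is allowed to do on the path and reads the secret only when read is granted. The variable names, secret_path and the CA certificate path are assumptions.

```yaml
# Custom credential type for AAP (added example, not from the post). The
# injectors block is what turns the three inputs into playbook variables;
# the names vault_url, role_id and secret_id are assumed to match the playbook.
inputs:
  fields:
    - {id: vault_server, type: string, label: URL for Vault Server}
    - {id: vault_role_id, type: string, label: Vault AppRole ID}
    - {id: vault_secret_id, type: string, label: Vault Secret ID, secret: true}
  required: [vault_server, vault_role_id, vault_secret_id]
injectors:
  extra_vars:
    vault_url: "{{ vault_server }}"
    role_id: "{{ vault_role_id }}"
    secret_id: "{{ vault_secret_id }}"
---
# Playbook (added example): ask Vault what this AppRole login may do on the
# path before reading it. secret_path and the CA path are assumed values.
- name: Check AppRole capabilities, then read the secret
  hosts: localhost
  gather_facts: false
  vars:
    secret_path: my/path/in/vault
    vault_conn: &vault_conn          # reused by every hashi_vault task below
      url: "{{ vault_url }}"
      ca_cert: /etc/pki/tls/certs/vault-ca.pem
      auth_method: approle
      role_id: "{{ role_id }}"
      secret_id: "{{ secret_id }}"
  tasks:
    - name: Ask Vault which capabilities this login has on the path
      community.hashi_vault.vault_write:
        <<: *vault_conn
        path: sys/capabilities-self
        data:
          paths: ["{{ secret_path }}"]
      register: caps

    - name: Show the capabilities Vault reports (data.capabilities in the response)
      ansible.builtin.debug:
        msg: "{{ secret_path }}: {{ caps.data.data.capabilities }}"

    - name: Read the secret only when read is actually granted
      community.hashi_vault.vault_read:
        <<: *vault_conn
        path: "{{ secret_path }}"
      register: secret_data
      no_log: true
      when: "'read' in caps.data.data.capabilities"
```

If the reported list is only deny, the policy path does not match the API path the module calls (for KV version 2 the API path includes data/ after the mount).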