Vault fails to delete Consul tokens created by a role that has a namespace set #22895

Closed
t-davies opened this issue Sep 8, 2023 · 0 comments · Fixed by #23010
t-davies commented Sep 8, 2023

Describe the bug
Vault fails to delete Consul tokens that are created by a role that has a namespace set. It appears to use the namespace of the secrets engine, rather than the namespace of the token that it is attempting to delete. This will only affect scenarios where the secrets engine token is not created in the same namespace that the tokens it issues are in.

To Reproduce
Steps to reproduce the behavior:

  1. Create a Consul secrets engine, ensuring it is configured with the "default" Consul namespace but with an ACL policy that grants acl: write in namespace "B".
  2. Create a Consul credentials role, specify a Consul namespace of "B"
  3. vault read consul/creds/the-role-created-in-step-2 -- the token is issued correctly
  4. Observe that once the TTL is reached, Vault fails to delete the token from Consul:
     Request error: method=DELETE url=/v1/acl/token/xxx-192f5a from=x.x.x.x:61490 error="rpc error making call: Permission denied: token with AccessorID 'xxx502b5' lacks permission 'acl:write'"

Expected behavior
Vault should successfully delete the token from Consul. My guess is that it is not specifying the correct Consul namespace when attempting the delete.

Environment:

  • Vault Server Version (retrieve with vault status): 1.13.0+ent
  • Vault CLI Version (retrieve with vault version): 1.13.0
  • Server Operating System/Architecture: RHEL/x86-64

Additional context
Consul version: v1.16.1+ent

The secrets engine and role are provisioned with Terraform, see:

Secrets engine
# Consul / Namespaces #########################################################

# One Consul namespace per environment; the roles further down issue their
# tokens into these namespaces, not into "default".
resource "consul_namespace" "default" {
  for_each = var.environments
  name     = format(local.namespace_name_format, var.name, each.key)
}

# Consul / Secrets engine #####################################################

resource "consul_acl_policy" "vault_secrets_engine" {
  # brevity: a policy that contains only:
  # namespace_prefix "xyz-" {
  #   acl = "write"
  # }
}

# The token Vault itself authenticates to Consul with. It lives in the
# "default" namespace, but its policy grants acl:write only in the "xyz-"
# namespaces, so an ACL delete issued against "default" is denied.
resource "consul_acl_token" "vault_secrets_engine" {
  description = "vault/${var.name} (secrets engine)"
  namespace   = "default"
  local       = false
  policies    = [consul_acl_policy.vault_secrets_engine.name]
}

data "consul_acl_token_secret_id" "vault_secrets_engine" {
  accessor_id = consul_acl_token.vault_secrets_engine.id
}

# The mount is configured with the token above; no consul_namespace is set
# here, so the engine operates in Consul's "default" namespace.
resource "vault_consul_secret_backend" "default" {
  namespace   = var.name
  path        = "consul"
  description = "platform/consul"
  address     = "https://my.consul.server"
  token       = data.consul_acl_token_secret_id.vault_secrets_engine.secret_id
}
Secret backend role
resource "consul_acl_policy" "app_deploy" {
  # brevity: a policy that allows service write and KV permissions for an app
}

# Each role issues tokens into a per-environment Consul namespace that differs
# from the namespace of the secrets engine token.
resource "vault_consul_secret_backend_role" "app_deploy" {
  for_each = local.namespace_environments

  consul_namespace = "${var.namespace}-${each.key}"

  name     = "app-deploy-${var.namespace}-${each.key}-${local.safe_app_name}"
  backend  = "consul"
  policies = [consul_acl_policy.app_deploy[each.key].name]
  ttl      = 300
  max_ttl  = 300
}
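The failure mode described in this issue, as an added example that is not Vault's or Consul's own code: a small fake Consul (built with httptest) models the one rule that matters here, that DELETE /v1/acl/token/<accessor> is scoped by the ns query parameter (Consul treats a missing ns as "default") and requires acl:write in that namespace. A buggy revoke sends the mount's namespace, reproducing the 403 from the report; a fixed revoke sends the namespace recorded on the lease. The accessor, namespace names and engine token value are constructed for the demo, and the fake server's responses are a simplified model, not Consul's exact behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// fakeConsul models the namespaced ACL token delete endpoint. Assumption:
// a token is only visible, and only deletable, in the namespace it lives in,
// and the caller needs acl:write in that same namespace.
type fakeConsul struct {
	aclWrite map[string]map[string]bool // caller token -> namespaces with acl:write
	tokens   map[string]string          // accessor -> namespace the token lives in
}

func (f *fakeConsul) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodDelete || !strings.HasPrefix(r.URL.Path, "/v1/acl/token/") {
		http.NotFound(w, r)
		return
	}
	accessor := strings.TrimPrefix(r.URL.Path, "/v1/acl/token/")
	ns := r.URL.Query().Get("ns")
	if ns == "" {
		ns = "default" // Consul's behaviour when no namespace is given
	}
	caller := r.Header.Get("X-Consul-Token")
	if !f.aclWrite[caller][ns] {
		// Same class of error the issue shows: the check is evaluated in the
		// namespace named by the request, not the one the token belongs to.
		http.Error(w, "Permission denied: lacks permission 'acl:write'", http.StatusForbidden)
		return
	}
	if tokenNS, ok := f.tokens[accessor]; !ok || tokenNS != ns {
		http.NotFound(w, r)
		return
	}
	delete(f.tokens, accessor)
	w.Write([]byte("true"))
}

// lease is what a revoker needs later: the accessor plus the Consul
// namespace the token was created in (the role's consul_namespace).
type lease struct {
	Accessor  string
	Namespace string
}

// revokeToken performs the DELETE against Consul with an explicit namespace.
func revokeToken(consulAddr, engineToken, accessor, ns string) (int, error) {
	u, err := url.Parse(consulAddr + "/v1/acl/token/" + url.PathEscape(accessor))
	if err != nil {
		return 0, err
	}
	q := u.Query()
	if ns != "" {
		q.Set("ns", ns)
	}
	u.RawQuery = q.Encode()
	req, err := http.NewRequest(http.MethodDelete, u.String(), nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("X-Consul-Token", engineToken)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// revokeBuggy reproduces the reported behaviour: the mount's namespace is
// sent, and the namespace stored on the lease is ignored.
func revokeBuggy(addr, engineToken, mountNS string, l lease) (int, error) {
	return revokeToken(addr, engineToken, l.Accessor, mountNS)
}

// revokeFixed sends the namespace the token was actually issued into.
func revokeFixed(addr, engineToken string, l lease) (int, error) {
	return revokeToken(addr, engineToken, l.Accessor, l.Namespace)
}

// demo reproduces the issue's setup: engine token in "default" with
// acl:write only in "xyz-prod", a role token issued into "xyz-prod".
// It returns the HTTP status of the buggy and the fixed revoke.
func demo() (buggy, fixed int) {
	consul := &fakeConsul{
		aclWrite: map[string]map[string]bool{"engine-secret": {"xyz-prod": true}},
		tokens:   map[string]string{"acc-demo-0001": "xyz-prod"}, // constructed accessor
	}
	srv := httptest.NewServer(consul)
	defer srv.Close()
	l := lease{Accessor: "acc-demo-0001", Namespace: "xyz-prod"}
	buggy, _ = revokeBuggy(srv.URL, "engine-secret", "default", l)
	fixed, _ = revokeFixed(srv.URL, "engine-secret", l)
	return buggy, fixed
}

func main() {
	b, f := demo()
	fmt.Printf("buggy revoke (ns=default): HTTP %d\nfixed revoke (ns=xyz-prod): HTTP %d\n", b, f)
}
```

The point the example makes is that the engine token's own namespace is irrelevant to the delete; what Consul evaluates is the ns on the request, so the revocation path has to carry the role's namespace with the lease rather than falling back to the mount's configuration.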