vault login fails when ~/.vault-token exists from other vault version

[krysopath]

Describe the bug
When trying to login to vault 1.1.2, while having a token created with an older or newer vault version in ~/.vault-token, login fails with

$ vault login  -method=userpass username=someuser
Password (will be hidden): 
Error authenticating: Error making API request.

URL: PUT https://vault.internal.3yourmind.com:443/v1/auth/userpass/login/someuser
Code: 400. Errors:

* error performing token check: failed to look up namespace from the token: no namespace

same happens the other way around. (trying to log into an older vault while having a valid token for a new one)

To Reproduce
Steps to reproduce the behavior:

1. Run vault login against vault 1.1.2
2. export VAULT_ADDR=https://vault-version-0-11-4.domain.tld
3. Run vault login against vault 0.11.4
4. See error
5. Run rm ~/.vault-token
6. Run vault login and succeed

Expected behavior
I expect a better error message indicating the problem. The message is about an enterprise feature of vault and misleading. Optionally, I would like to have this handled by the vault cli.

I want to make a new login, so the previous login should not play a role.

Environment:

• Vault Server Version (retrieve with vault status): 0.11.4/1.1.2
• Vault CLI Version (retrieve with vault version): 1.0.1
• Server Operating System/Architecture: awslinux2 / dockered

Vault server configuration file(s):

storage "s3" {
  bucket     = "{{ vault.s3_backend }}"
  region = "{{ vault.s3_region }}"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

seal "awskms" {
  region = "******"
  kms_key_id = "alias/*******"
}

api_addr = "http://vault.internal.domain.tld"

default_lease_ttl = "168h"
max_lease_ttl =  "0h"
disable_cache = true
disable_mlock = false
ui = true

Additional context
This happens with any combination of vault server and vault cli I tried.

[gservat]

In our case, we were running a script that would perform a vault login and we didn't want to clobber ~/.vault-token. We ran into this issue you reported, and our workaround is as follows:

VAULT_TOKEN=$(
  curl -s --request POST --data "{\"token\": \"${VAULT_GITHUB_TOKEN}\" }" "${VAULT_ADDR}/v1/auth/github/login" |
  jq -r '.auth.client_token'
)
export VAULT_TOKEN