
Approle secret-id accessor is listed, but cannot be looked up #4396

Closed
tallpauley opened this issue Apr 19, 2018 · 4 comments

@tallpauley
Contributor

Environment:

  • Vault Version: Vault v0.9.5 ('36edb4d42380d89a897e7f633046423240b710d9')
  • Operating System/Architecture: Local is Mac OSX, Server is official Docker container

Vault Config File:

{
  "backend": {
    "gcs": {}
  },
  "listener": {
    "tcp": {
      "tls_cipher_suites": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA",
      "address": "0.0.0.0:8200",
      "tls_cert_file": "/vault/ssl/tls.cer",
      "tls_key_file": "/vault/ssl/tls.key"
    }
  }
}

Startup Log Output:

==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "enabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
                 Storage: gcs
                 Version: Vault v0.9.5
             Version Sha: 36edb4d42380d89a897e7f633046423240b710d9

==> Vault server started! Log data will stream in below:

2018/04/19 17:34:02.229128 [INFO ] core: vault is unsealed
2018/04/19 17:34:02.546784 [INFO ] core: post-unseal setup starting
2018/04/19 17:34:02.809050 [INFO ] core: loaded wrapping token key
2018/04/19 17:34:02.809098 [INFO ] core: successfully setup plugin catalog: plugin-directory=
2018/04/19 17:34:03.468284 [INFO ] core: successfully mounted backend: type=generic path=secret/
2018/04/19 17:34:03.468463 [INFO ] core: successfully mounted backend: type=system path=sys/
2018/04/19 17:34:03.468550 [INFO ] core: successfully mounted backend: type=transit path=transit/
2018/04/19 17:34:03.468841 [INFO ] core: successfully mounted backend: type=identity path=identity/
2018/04/19 17:34:03.468881 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2018/04/19 17:34:04.973010 [INFO ] expiration: restoring leases
2018/04/19 17:34:04.973520 [INFO ] rollback: starting rollback manager
2018/04/19 17:34:06.124433 [INFO ] identity: entities restored
2018/04/19 17:34:06.226490 [INFO ] identity: groups restored
2018/04/19 17:34:06.322360 [INFO ] expiration: lease restore complete
2018/04/19 17:34:06.339831 [INFO ] core: post-unseal setup complete

Expected Behavior:
Every secret ID accessor that was listed with the LIST /secret-id endpoint should be able to be looked up with the secret-id-accessor/lookup endpoint.

Actual Behavior:

$ vault list auth/approle/role/my-app-role/secret-id
secret-id-accessor-1
secret-id-accessor-2
$ vault write auth/approle/role/my-app-role/secret-id-accessor/lookup secret_id_accessor=secret-id-accessor-1
Error writing data to auth/approle/role/my-app-role/secret-id-accessor/lookup: Error making API request.

URL: PUT https://vault.instance/v1/auth/approle/role/my-app-role/secret-id-accessor/lookup
Code: 500. Errors:

* 1 error occurred:

* failed to find accessor entry for secret_id_accessor: "secret-id-accessor-1"

Steps to Reproduce:
It is hard to say exactly what steps led to this bug. This bug happened after I upgraded the server from vault 0.8.2 to 0.9.5.
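To check a role for exactly the inconsistency reported above (accessors that LIST returns but the lookup endpoint rejects), here is an added audit script; it is not code from the issue author or from the Vault project. It assumes VAULT_ADDR and VAULT_TOKEN in the environment, a token permitted to list and look up secret-ID accessors on the role, and the auth/approle/role/<role>/... paths shown in the issue; the request parameter is injectable so the cross-check logic can be exercised without a live server.

```python
import json
import os
import urllib.error
import urllib.request


def vault_request(method, path, body=None):
    """Minimal Vault client; returns (status, JSON body). Assumes VAULT_ADDR/VAULT_TOKEN are set."""
    url = os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # Vault puts its error list in the body
        return err.code, json.loads(err.read() or b"{}")


def list_accessors(role, request=vault_request):
    """LIST auth/approle/role/<role>/secret-id -> accessor names."""
    status, data = request("LIST", f"auth/approle/role/{role}/secret-id")
    if status == 404:  # Vault answers 404 when the role has no secret IDs
        return []
    if status != 200:
        raise RuntimeError(f"list failed ({status}): {data.get('errors')}")
    return data["data"]["keys"]


def lookup_accessor(role, accessor, request=vault_request):
    """Look one accessor up; returns (ok, metadata or error list)."""
    status, data = request("POST", f"auth/approle/role/{role}/secret-id-accessor/lookup",
                           {"secret_id_accessor": accessor})
    if status == 200:
        return True, data["data"]
    return False, data.get("errors", [])  # e.g. "failed to find accessor entry ..."


def audit_role(role, request=vault_request):
    """Cross-check each listed accessor against lookup.
    Returns {"healthy": [accessor, ...], "orphaned": {accessor: errors}}."""
    report = {"healthy": [], "orphaned": {}}
    for accessor in list_accessors(role, request):
        ok, detail = lookup_accessor(role, accessor, request)
        if ok:
            report["healthy"].append(accessor)
        else:
            report["orphaned"][accessor] = detail
    return report
```

Run it with audit_role("my-app-role") against a live server; a non-empty "orphaned" map is the signal that the listing and the accessor index have drifted apart.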

@tallpauley
Contributor Author

To add to this issue, is there any way I can safely delete the accessor that is in the list, but cannot be looked up? I tried the destroy/ endpoint, but this has the same exact output as lookup.

@jefferai
Member

Does a Vault restart help? See #4955 (comment)

@jefferai
Member

I believe #4981 fixes this.

@jefferai
Member

Moving to 0.10.5 while we wait for feedback but I think this is now fixed.

@jefferai jefferai modified the milestones: 0.10.4, 0.10.5 Jul 24, 2018
@jefferai jefferai modified the milestones: 0.10.5 , 0.11 Aug 13, 2018
@chrishoffman chrishoffman added this to the 0.11 milestone Aug 13, 2018