[FEATURE]: Make sink file optional when using agent caching #6452

Closed
danlsgiga opened this issue Mar 21, 2019 · 7 comments

@danlsgiga
Contributor

Since the Vault Agent Caching is already running as a daemon, it would be great if it also cached the Auth Token in-memory instead of storing it in a file. This way the Auth Token is not exposed anywhere.

I know we have the option to store it in a tmpfs so the sink file never touches the disk, but still it would be a file with the auth token accessible somehow. Having the Vault Agent fully accountable to manage the auth token would be great for our use-case.

@vishalnayak vishalnayak added this to the 1.2 milestone Mar 21, 2019
@vishalnayak vishalnayak self-assigned this Mar 21, 2019
@jefferai
Member

You don't need to specify a file sink. Did you set https://www.vaultproject.io/docs/agent/caching/index.html#use_auto_auth_token-bool-false- ?

@jefferai jefferai removed this from the 1.2 milestone Mar 21, 2019
@danlsgiga
Contributor Author

I did...

```
vault[19319]: Error loading configuration from /opt/vault/client/vault.hcl: error parsing 'auto_auth': error parsing 'sink' stanzas: at least one "sink" block is required
```

@jefferai
Member

Looking into this -- this was supposed to be enabled by #6421

@ncabatoff
Collaborator

It works for me:

```
vagrant@jessie:~$ cat cache.hcl
pid_file = "./pidfile"

cache {
  use_auto_auth_token = false
}

listener "tcp" {
  address = "127.0.0.1:8007"
  tls_disable = true
}

vagrant@jessie:~$ /vagrant/vault/vault agent -config cache.hcl &
[1] 1425
vagrant@jessie:~$ No auto_auth block found in config file, not starting automatic authentication feature
==> Vault server started! Log data will stream in below:

==> Vault agent configuration:

           Api Address 1: http://127.0.0.1:8007
                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.1.0
             Version Sha: 36aa8c8dd1936e10ebd7a4c1d412ae0e6f7900b
```

Can you post your full config and vault output please?

@jefferai
Member

@ncabatoff You don't have an auto-auth block. I think the issue may be that if an auto auth block exists but there are no sinks then it doesn't like it.

@ncabatoff
Collaborator

> @ncabatoff You don't have an auto-auth block. I think the issue may be that if an auto auth block exists but there are no sinks then it doesn't like it.

Ah, yes, you're right. I didn't consider that use case when I made my changes. Should be easy to fix.

@jefferai jefferai added this to the 1.1.1 milestone Mar 21, 2019
@danlsgiga
Contributor Author

> @ncabatoff You don't have an auto-auth block. I think the issue may be that if an auto auth block exists but there are no sinks then it doesn't like it.

That seems to be it, based on the log error `error parsing 'auto_auth': error parsing 'sink' stanzas`

Tks guys
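
The setup this thread is asking for, as an added example that is not part of the original thread or of the Vault project's own documentation: an agent config with an `auto_auth` block, no `sink`, and the cache using the auto-auth token. It assumes an agent build that accepts `auto_auth` without a sink (the v1.1.0 agent in the thread rejects it with the error quoted above); the AppRole method and every file path are placeholders chosen for illustration.

```hcl
# Added example config. The auth method and all paths are assumptions.
pid_file = "./pidfile"

auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"    # placeholder path
      secret_id_file_path = "/etc/vault-agent/secret_id"  # placeholder path
    }
  }

  # No sink block: the token obtained by auto-auth is held by the agent
  # process and is never written to a file.
  # The file-based setup this replaces would add:
  #
  # sink "file" {
  #   config = {
  #     path = "/run/vault-agent/token"  # placeholder; tmpfs keeps it off
  #   }                                  # disk, but it is still a readable file
  # }
}

cache {
  # Requests that reach the listener without a token are forwarded to
  # Vault with the auto-auth token attached.
  use_auto_auth_token = true
}

listener "tcp" {
  # Loopback only: any local process that can reach this address can make
  # requests that carry the agent's token.
  address     = "127.0.0.1:8007"
  tls_disable = true
}
```

Removing the sink moves the access-control boundary from file permissions on the token to who can connect to the listener, so the bind address is what now needs reviewing.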
