Vault agent cache+auto_auth doesn't work with wrapping enabled #6471

Closed
ncabatoff opened this issue Mar 25, 2019 · 1 comment

@ncabatoff
Collaborator

Describe the bug
Assume the following vault agent config:

pid_file = "./pidfile"
auto_auth {
    method {
        type = "approle"
        config = {
            role_id_file_path = "/tmp/agent/role_id"
            secret_id_file_path = "/tmp/agent/secret_id"
        }
    }
    sink {
        type = "file"
        config = {
            path = "/tmp/agent/file-foo"
        }
    }
}
cache {
    use_auto_auth_token = true
}
listener "tcp" {
    address = "127.0.0.1:8007"
    tls_disable = true
}

With this config, Vault Agent can be used in caching mode without providing a token directly, as seen in https://github.com/ncabatoff/vault-experiments/blob/master/bin/vault-agent-approle.sh. Agent writes a raw token to the sink file /tmp/agent/file-foo.

Now add wrap_ttl to the auto_auth method config, e.g.

auto_auth {
    method {
        type = "approle"
        wrap_ttl = 300
        config = {
            role_id_file_path = "/tmp/agent/role_id"
            secret_id_file_path = "/tmp/agent/secret_id"
        }
    }

The vault-agent-approle.sh script now fails. The sink file /tmp/agent/file-foo now contains a JSON structure instead of a raw token - this is expected behaviour with wrapping enabled, but I mention it because the underlying Agent error is "failed to get the response: configured Vault token contains non-printable characters and cannot be used". Note that the error is not shown to the user, I had to write a patch to expose it. Will file a PR with that patch and link it.

Agent output:

2019-03-25T18:25:58.532Z [INFO]  cache: received request: path=/v1/kv/foo method=GET
2019-03-25T18:25:58.532Z [INFO]  cache.apiproxy: forwarding request: path=/v1/kv/foo method=GET
Error reading kv/foo: Error making API request.

URL: GET http://127.0.0.1:8007/v1/kv/foo
Code: 500. Errors:

* failed to get the response: nil api response provided

To Reproduce
Steps to reproduce the behavior:

Set VAULT_TOKEN to the root token and VAULT_ADDR to your vault, then run:

#!/usr/bin/env bash
# Requires VAULT_ADDR and VAULT_TOKEN (root token) in the environment.
set -e

mkdir -p /tmp/agent

function setup_approle {
    vault auth enable approle

    # Policy for the agent's token: read/write the kv mount and create child tokens.
    cat - > /tmp/agent/policy.hcl <<EOF
path "/kv/*" {
	capabilities = ["sudo", "create", "read", "update", "delete", "list"]
}

path "/auth/token/create" {
	capabilities = ["create", "update"]
}
EOF
    vault policy write autoauth /tmp/agent/policy.hcl

    vault write auth/approle/role/autoauth-role \
      policies=autoauth \
      secret_id_ttl=10m \
      token_ttl=10m \
      token_max_ttl=30m

    # Credentials the agent's auto_auth approle method reads from disk.
    vault read -field=role_id -format=yaml auth/approle/role/autoauth-role/role-id > /tmp/agent/role_id
    vault write -f -field=secret_id -format=yaml auth/approle/role/autoauth-role/secret-id > /tmp/agent/secret_id
}

function setup_agent {
    # wrap_ttl is the setting that triggers the bug: the sink receives a
    # wrapping-token JSON object instead of a raw client token.
    cat - > /tmp/agent/vault-agent.hcl << EOF
    pid_file = "./pidfile"

    auto_auth {
        method {
            type = "approle"
            wrap_ttl = 300
            config = {
                role_id_file_path = "/tmp/agent/role_id"
                secret_id_file_path = "/tmp/agent/secret_id"
            }
        }
        sink {
            type = "file"
            config = {
                path = "/tmp/agent/file-foo"
            }
        }
    }

    cache {
        use_auto_auth_token = true
    }

    listener "tcp" {
        address = "127.0.0.1:8007"
        tls_disable = true
    }
EOF
}

setup_approle
setup_agent

vault secrets enable kv
vault kv put kv/foo val=bar

# Drop the root token so the CLI has no token of its own; the agent cache is
# expected to supply the auto_auth token for the request.
unset VAULT_TOKEN
vault agent -config /tmp/agent/vault-agent.hcl &

# Give the agent time to authenticate and populate the sink before querying it.
sleep 2
VAULT_ADDR=http://127.0.0.1:8007 vault read -format=json -field=data kv/foo

Expected behavior
When wrapping is enabled, the cache should still work. The above code would yield:

2019-03-25T18:32:45.152Z [INFO]  cache.apiproxy: forwarding request: path=/v1/kv/foo method=GET
{
  "val": "bar"
}

Environment:

  • Vault Server Version (retrieve with vault status): 1.1.0
  • Vault CLI Version (retrieve with vault version): 1.1.0
  • Server Operating System/Architecture: Linux/amd64

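The failure mode above (a wrapped auto_auth response lands in the sink as a JSON object with a trailing newline, and anything that treats the file contents as a bare token trips the printable-character check) can be handled explicitly by the consumer of the sink. The following is an added example, not code from the issue or from Vault Agent: it classifies a sink file as a raw token or a wrap_info object, reproduces the printable-rune check behind the "non-printable characters" error, and builds the `POST /v1/sys/wrapping/unwrap` request that exchanges the wrapping token for the login response. The field names of `WrapInfo` follow Vault's `wrap_info` block; that the file sink writes exactly that object is an assumption, and the sample sink contents and token values are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
	"unicode"
)

// WrapInfo mirrors the wrap_info block of a wrapped Vault response.
// Assumption: the agent file sink writes this object when wrap_ttl is set.
type WrapInfo struct {
	Token           string `json:"token"`
	Accessor        string `json:"accessor"`
	TTL             int    `json:"ttl"`
	CreationTime    string `json:"creation_time"`
	CreationPath    string `json:"creation_path"`
	WrappedAccessor string `json:"wrapped_accessor"`
}

// SampleWrappedSink is a constructed stand-in for /tmp/agent/file-foo after a
// wrapped approle login (all values made up). The trailing newline is what a
// JSON encoder emits and is the non-printable character the check rejects.
const SampleWrappedSink = "{\"token\":\"s.wrapEXAMPLE\",\"accessor\":\"acc1\",\"ttl\":300," +
	"\"creation_time\":\"2019-03-25T18:25:56Z\",\"creation_path\":\"auth/approle/login\"," +
	"\"wrapped_accessor\":\"acc2\"}\n"

// TokenIsUsable applies the same sanity check the Vault API client performs
// before sending a request: every rune of the token must be printable.
func TokenIsUsable(tok string) bool {
	return strings.IndexFunc(tok, func(r rune) bool { return !unicode.IsPrint(r) }) == -1
}

// ClassifySink reports "raw" with the client token, or "wrapped" with the
// wrapping token that still has to be exchanged via sys/wrapping/unwrap.
func ClassifySink(content []byte) (kind, token string, err error) {
	trimmed := bytes.TrimSpace(content)
	if len(trimmed) == 0 {
		return "", "", errors.New("sink file is empty")
	}
	if trimmed[0] == '{' {
		var wi WrapInfo
		if err := json.Unmarshal(trimmed, &wi); err != nil {
			return "", "", fmt.Errorf("sink looks like JSON but is not wrap_info: %w", err)
		}
		if wi.Token == "" {
			return "", "", errors.New("wrap_info carries no wrapping token")
		}
		return "wrapped", wi.Token, nil
	}
	tok := string(trimmed)
	if !TokenIsUsable(tok) {
		return "", "", errors.New("token contains non-printable characters")
	}
	return "raw", tok, nil
}

// NewUnwrapRequest builds the unwrap call: POST /v1/sys/wrapping/unwrap,
// authenticated with the wrapping token itself. Sending it is up to the caller.
func NewUnwrapRequest(vaultAddr, wrappingToken string) (*http.Request, error) {
	url := strings.TrimRight(vaultAddr, "/") + "/v1/sys/wrapping/unwrap"
	req, err := http.NewRequest(http.MethodPost, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", wrappingToken)
	return req, nil
}

// ClientTokenFromUnwrap extracts auth.client_token from an unwrap response body.
func ClientTokenFromUnwrap(body []byte) (string, error) {
	var resp struct {
		Auth struct {
			ClientToken string `json:"client_token"`
		} `json:"auth"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", err
	}
	if resp.Auth.ClientToken == "" {
		return "", errors.New("unwrap response carries no auth.client_token")
	}
	return resp.Auth.ClientToken, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: sinkcheck <sink-file>")
		os.Exit(2)
	}
	content, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	kind, tok, err := ClassifySink(content)
	if err != nil {
		fmt.Fprintln(os.Stderr, "sink unusable:", err)
		os.Exit(1)
	}
	// Never echo the token itself; report only what kind it is.
	fmt.Printf("sink holds a %s token; usable verbatim as a client token: %t\n", kind, TokenIsUsable(string(content)))
	if kind == "wrapped" {
		req, _ := NewUnwrapRequest("http://127.0.0.1:8200", tok)
		fmt.Println("exchange it with:", req.Method, req.URL)
	}
}
```

Run it against the sink file from the reproduction (`go run sinkcheck.go /tmp/agent/file-foo`): with `wrap_ttl` unset it reports a raw token, with `wrap_ttl = 300` it reports a wrapped token and prints the unwrap endpoint. Classifying before use is the check a consumer of `use_auto_auth_token` wants, because the wrapping JSON is otherwise passed straight through as if it were a client token.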

@jefferai
Member

jefferai commented Apr 5, 2019

Closed by #6479

@jefferai jefferai closed this as completed Apr 5, 2019