
I’m using docker-compose to have 2 services: vault-agent and vault server, both using the hashicorp/vault:latest docker image for development purposes on my local machine. I run the vault server in dev mode: vault server -dev. I run the vault-agent as such: vault agent -log-level debug -config=/helpers/vault-agent.hcl, where vault-agent.hcl is:

pid_file = "./pidfile"

vault {
  address = "https://vault_dev:8200"
  retry {
    num_retries = 5
  }
}

auto_auth {
  method {
    type = "approle"

    config = {
      role_id_file_path = "/helpers/role_id"
      secret_id_file_path = "/helpers/secret_id"
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    config = {
      path = "/helpers/sink_file"
    }
  }
}

cache {
  use_auto_auth_token = true
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = true
}

I’m using approle authentication between vault-agent and vault server, so I ran these commands:

vault secrets enable -version=2 kv
vault auth enable approle
vault policy write admin-policy /helpers/admin-policy.hcl
vault write auth/approle/role/dev-role token_policies="admin-policy"

where the admin-policy.hcl is:

# Read system health check
path "sys/health"
{
  capabilities = ["read", "sudo"]
}

# Create and manage ACL policies broadly across Vault

# List existing policies
path "sys/policies/acl"
{
  capabilities = ["list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Enable and manage authentication methods broadly across Vault

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*"
{
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth"
{
  capabilities = ["read"]
}

# Enable and manage the key/value secrets engine at `kv/` path

# List, create, update, and delete key/value secrets
path "kv/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List, create, update, and delete key/value secrets
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage Entities and Entity alias
path "identity/entity-alias"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity-alias/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "identity/entity"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "identity/entity/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets engines
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines.
path "sys/mounts"
{
  capabilities = ["read"]
}

However, when I run vault kv put secret/hello foo=bar from inside vault-agent container I get this error:

Error making API request.

URL: GET http://vault_dev:8200/v1/sys/internal/ui/mounts/secret/hello
Code: 403. Errors:

* permission denied

If I run export VAULT_TOKEN=root and then vault kv put secret/hello foo=bar, it works. So I guess the communication between vault-agent and vault server works; I also don’t see any errors logged in the vault-agent container (only INFO messages), but I still need a token to perform actions against vault-agent even though the whole point of vault-agent is to delegate authentication to the agent. What am I missing?
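Two things are worth checking against the trace above before changing the policy. First, Vault Agent with use_auto_auth_token = true only attaches the AppRole token to requests that arrive at the agent's own listener (127.0.0.1:8200 in the posted config); the failing request in the error went to vault_dev:8200, i.e. straight to the server, so whatever VAULT_ADDR the CLI in the agent container uses is the first thing to verify. Second, it helps to know which capabilities a policy actually grants on the path the CLI will hit (on a kv v2 mount at secret/, a put writes to secret/data/hello, which the secret/* glob covers). The evaluator below is an added example, not code from the question or from HashiCorp: it parses a subset of the poster's admin-policy.hcl plus one constructed deny rule (secret/restricted/*, not in the original) and applies Vault's path-matching rules (exact match, trailing * glob, + single-segment wildcard, most-specific match wins, deny overrides). Endpoints Vault special-cases, such as sys/internal/ui/mounts/<path>, whose access is derived from the target path, are not modeled.

```python
"""Vault-style ACL policy evaluator (added example, not from the forum post)."""
import re

# Subset of the poster's admin-policy.hcl. The "secret/restricted/*" deny
# rule is constructed for this example and is NOT in the original policy.
ADMIN_POLICY = '''
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "kv/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/mounts" {
  capabilities = ["read"]
}
path "secret/restricted/*" {
  capabilities = ["deny"]
}
'''

# Matches both `path "x" {` and the poster's `path "x"\n{` layout.
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(text):
    """Return a list of (path_pattern, set_of_capabilities) from HCL policy text."""
    rules = []
    for m in RULE_RE.finditer(text):
        caps = {c.strip().strip('"') for c in m.group(2).split(",") if c.strip()}
        rules.append((m.group(1), caps))
    return rules


def _pattern_to_regex(pattern):
    """Vault matching: trailing '*' is a prefix glob, '+' matches one path segment."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    segs = ["[^/]+" if s == "+" else re.escape(s) for s in body.split("/")]
    return re.compile("^" + "/".join(segs) + (".*" if glob else "") + "$")


def _specificity(pattern):
    """Exact paths beat wildcards; among wildcards the longer literal prefix wins."""
    wild = re.search(r"[+*]", pattern)
    if wild is None:
        return (1, len(pattern))
    return (0, wild.start())


def capabilities_for(rules, request_path):
    """Capabilities granted on request_path after most-specific-match selection.

    Rules of equal specificity (e.g. the same path in two policies) are merged,
    which is how Vault aggregates capabilities across a token's policies.
    """
    best_key, merged = None, set()
    for pattern, caps in rules:
        if not _pattern_to_regex(pattern).match(request_path):
            continue
        key = _specificity(pattern)
        if best_key is None or key > best_key:
            best_key, merged = key, set(caps)
        elif key == best_key:
            merged |= caps
    return merged


def is_allowed(rules, request_path, capability):
    """True if the policy grants `capability` on `request_path`; deny always wins."""
    caps = capabilities_for(rules, request_path)
    if "deny" in caps:
        return False
    return "root" in caps or capability in caps


def check_requests(rules):
    """Evaluate a few representative API paths and return {(path, cap): allowed}."""
    requests = [
        ("secret/data/hello", "update"),       # kv v2 write behind `vault kv put`
        ("secret/restricted/keys", "read"),    # constructed deny rule overrides secret/*
        ("sys/mounts", "update"),              # exact rule grants read only
        ("sys/mounts/kv", "update"),           # sys/mounts/* glob covers mount tuning
        ("auth/approle/login", "update"),      # covered by auth/*
        ("identity/group", "read"),            # no matching rule: implicit deny
    ]
    return {(p, c): is_allowed(rules, p, c) for p, c in requests}


if __name__ == "__main__":
    for (path, cap), ok in check_requests(parse_policy(ADMIN_POLICY)).items():
        print(f"{cap:7s} {path:28s} -> {'allow' if ok else 'deny'}")
```

The useful habit this encodes is to evaluate the exact API path the client will request, not the CLI-level path: a policy that names secret/hello without a glob would not cover secret/data/hello on a kv v2 mount, and a policy with sudo on secret/* is far broader than an agent running a single application needs.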

2 Answers


  1. At this point you have enabled AppRole authentication, and created an AppRole path for the authentication with a role bound to a policy. You now need to:

     vault read auth/approle/role/dev-role/role-id

     to retrieve the role_id,

     vault write -f auth/approle/role/dev-role/secret-id

     to retrieve the secret_id in push mode, and then

     vault write auth/approle/login role_id=<role id> secret_id=<secret id>

     to retrieve a token for authentication. You can then use that token for vault login, or set it to VAULT_TOKEN as an environment variable.

  2. How’re you running commands like vault secrets enable -version=2 kv? When I try running that in the Web UI, it tells me the only valid commands are read, write, delete, and list.