I'm using docker-compose to have 2 services: vault-agent and vault server both using hashicorp/vault:latest docker image for development purposes on local machine. I run the vault server in dev mode: vault server -dev. I run the vaul-agent as such vault agent -log-level debug -config=/helpers/vault-agent.hcl whereas vault-agent.hcl is:
pid_file = "./pidfile"
vault {
address = "https://vault_dev:8200"
retry {
num_retries = 5
}
}
auto_auth {
method {
type = "approle"
config = {
role_id_file_path = "/helpers/role_id"
secret_id_file_path = "/helpers/secret_id"
remove_secret_id_file_after_reading = false
}
}
sink "file" {
config = {
path = "/helpers/sink_file"
}
}
}
cache {
use_auto_auth_token = true
}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = true
}
I'm using approle authentication between vault-agent and vaul server so I ran these commands:
vault secrets enable -version=2 kv
vault auth enable approle
vault policy write admin-policy /helpers/admin-policy.hcl
vault write auth/approle/role/dev-role token_policies="admin-policy"
whereas the admin-policy.hcl is:
# Read system health check
path "sys/health"
{
capabilities = ["read", "sudo"]
}
# Create and manage ACL policies broadly across Vault
# List existing policies
path "sys/policies/acl"
{
capabilities = ["list"]
}
# Create and manage ACL policies
path "sys/policies/acl/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Enable and manage authentication methods broadly across Vault
# Manage auth methods broadly across Vault
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Create, update, and delete auth methods
path "sys/auth/*"
{
capabilities = ["create", "update", "delete", "sudo"]
}
# List auth methods
path "sys/auth"
{
capabilities = ["read"]
}
# Enable and manage the key/value secrets engine at `kv/` path
# List, create, update, and delete key/value secrets
path "kv/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List, create, update, and delete key/value secrets
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage Entities and Entity alias
path "identity/entity-alias"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity-alias/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage secrets engines
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List existing secrets engines.
path "sys/mounts"
{
capabilities = ["read"]
}
However, when I run vault kv put secret/hello foo=bar from inside vault-agent container I get this error:
Error making API request.
URL: GET http://vault_dev:8200/v1/sys/internal/ui/mounts/secret/hello
Code: 403. Errors:
* permission denied
If I run export VAULT_TOKEN=root and then vault kv put secret/hello foo=bar it works. So I guess the communication between vault-agent and vault server works, I also don't see any errors logged in vault-agent container (only INFO messages) but I still need a token to perform actions against vault-agent even though the whole point of vault-agent is to delegate authentication to the agent. What am I missing?
CodePudding user response:
At this point you have enabled AppRole authentication, and created an AppRole path for the authentication with a role bound to a policy. You now need to:
vault read auth/approle/role/dev-role/role-id
to retrieve the role_id
vault write -f auth/approle/role/dev-role/secret-id
to retrieve the secret_id in push mode, and then
vault write auth/approle/login role_id=<role id> secret_id=<secret id>
to retrieve a token for authentication. You can then use that token for vault login, or set it to VAULT_TOKEN as an environment variable.