Permission denied after successful app role integration between vault agent and vault server

Time: 04-22

I'm using docker-compose to have 2 services: vault-agent and vault server, both using the hashicorp/vault:latest docker image for development purposes on my local machine. I run the vault server in dev mode: vault server -dev. I run the vault-agent as such: vault agent -log-level debug -config=/helpers/vault-agent.hcl, whereas vault-agent.hcl is:

pid_file = "./pidfile"

vault {
  address = "https://vault_dev:8200"
  retry {
    num_retries = 5
  }
}

auto_auth {
  method {
    type = "approle"

    config = {
      role_id_file_path = "/helpers/role_id"
      secret_id_file_path = "/helpers/secret_id"
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    config = {
      path = "/helpers/sink_file"
    }
  }
}

cache {
  use_auto_auth_token = true
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = true
}

I'm using approle authentication between vault-agent and vault server, so I ran these commands:

vault secrets enable -version=2 kv
vault auth enable approle
vault policy write admin-policy /helpers/admin-policy.hcl
vault write auth/approle/role/dev-role token_policies="admin-policy"

whereas the admin-policy.hcl is:

# Read system health check
path "sys/health"
{
  capabilities = ["read", "sudo"]
}

# Create and manage ACL policies broadly across Vault

# List existing policies
path "sys/policies/acl"
{
  capabilities = ["list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Enable and manage authentication methods broadly across Vault

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*"
{
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth"
{
  capabilities = ["read"]
}

# Enable and manage the key/value secrets engine at `kv/` path

# List, create, update, and delete key/value secrets
path "kv/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List, create, update, and delete key/value secrets
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage Entities and Entity alias
path "identity/entity-alias"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity-alias/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "identity/entity"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "identity/entity/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets engines
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines.
path "sys/mounts"
{
  capabilities = ["read"]
}

However, when I run vault kv put secret/hello foo=bar from inside vault-agent container I get this error:

Error making API request.

URL: GET http://vault_dev:8200/v1/sys/internal/ui/mounts/secret/hello
Code: 403. Errors:

* permission denied

If I run export VAULT_TOKEN=root and then vault kv put secret/hello foo=bar, it works. So I guess the communication between vault-agent and vault server works; I also don't see any errors logged in the vault-agent container (only INFO messages), but I still need a token to perform actions against vault-agent, even though the whole point of vault-agent is to delegate authentication to the agent. What am I missing?

CodePudding user response:

At this point you have enabled AppRole authentication, and created an AppRole path for the authentication with a role bound to a policy. You now need to:

vault read auth/approle/role/dev-role/role-id

to retrieve the role_id

vault write -f auth/approle/role/dev-role/secret-id

to retrieve the secret_id in push mode, and then

vault write auth/approle/login role_id=<role id> secret_id=<secret id>

to retrieve a token for authentication. You can then use that token for vault login, or set it to VAULT_TOKEN as an environment variable.
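The three steps of the answer carried out against the Vault HTTP API in one script, as an added example that is not part of the answer above or of Vault itself: it reads the role_id, pushes a new secret_id, proves the pair with one login, and writes the two files the question's auto_auth stanza points at (/helpers/role_id and /helpers/secret_id). The address vault_dev:8200, the root token and the dev-role name are the question's; the FakeVault class is a constructed in-memory stand-in for the three endpoints so the flow can run offline.

```python
import json
import urllib.request


def http_json(addr, token, method, path, body=None):
    """Send one request to the Vault HTTP API and return the parsed JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def bootstrap_approle(addr, token, role, request=http_json):
    """Fetch role_id, push a new secret_id, log in once with the pair.
    Returns (role_id, secret_id, client_token)."""
    role_id = request(addr, token, "GET", f"auth/approle/role/{role}/role-id")["data"]["role_id"]
    # POST with no body is what `vault write -f` does: Vault generates the secret_id (push mode)
    secret_id = request(addr, token, "POST", f"auth/approle/role/{role}/secret-id")["data"]["secret_id"]
    # Login is unauthenticated; this is the same exchange the agent's auto_auth performs
    # by itself once the two files below exist
    login = request(addr, "", "POST", "auth/approle/login",
                    {"role_id": role_id, "secret_id": secret_id})
    return role_id, secret_id, login["auth"]["client_token"]


def write_agent_files(role_id, secret_id, role_path="/helpers/role_id",
                      secret_path="/helpers/secret_id"):
    """Write the credential files named in the agent's auto_auth method config."""
    for path, value in ((role_path, role_id), (secret_path, secret_id)):
        with open(path, "w") as fh:
            fh.write(value)


class FakeVault:
    """Constructed stand-in for the three AppRole endpoints (offline use only)."""
    def __init__(self):
        self.secret_ids = set()

    def request(self, addr, token, method, path, body=None):
        if path.endswith("/role-id") and method == "GET" and token == "root":
            return {"data": {"role_id": "constructed-role-id"}}
        if path.endswith("/secret-id") and method == "POST" and token == "root":
            sid = f"constructed-secret-id-{len(self.secret_ids) + 1}"
            self.secret_ids.add(sid)
            return {"data": {"secret_id": sid}}
        if path == "auth/approle/login" and method == "POST":
            if body["role_id"] == "constructed-role-id" and body["secret_id"] in self.secret_ids:
                return {"auth": {"client_token": "constructed-client-token"}}
        raise PermissionError("permission denied")  # mirrors Vault's 403 for anything else


if __name__ == "__main__":
    rid, sid, tok = bootstrap_approle("http://vault_dev:8200", "root", "dev-role")
    write_agent_files(rid, sid)
    print("agent credential files written; test login token:", tok)
```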
