Help needed with ACL change from consul 0.7.5 to 0.8.1


Martin Waite
May 1, 2017, 7:37:10 AM
to Vault
Hi,

Defining an ACL for the consul 0.7.5 backend took some research.  A working configuration was:

{
  "key": {
    "vault/": {
      "policy": "write"
    }
  },
  "service": {
    "vault": {
      "policy": "write"
    }
  }
}



with the backend defined in vault (0.7.0) as:

"backend": {
  "consul": {
    "token": "88937d44-244c-11e7-aae4-005056ae16c6",
    "path": "vault",
    "address": "127.0.0.1:8500"
  }
}




I now want to upgrade consul to 0.8.1, but there are some permission problems.  

In the vault.log:

Error detecting redirect address: Unexpected response code: 403 (Permission denied)
Error initializing core: missing redirect address



In the consul log:

    2017/05/01 11:50:37 [ERR] http: Request GET /v1/agent/self, error: Permission denied from=127.0.0.1:56004




My initial thought was that for consul 0.8.1, I need a node stanza in the ACL to allow vault to register as a consul service.

{
  "key": {
    "vault/": {
      "policy": "write"
    }
  },
  "node": {
    "vault01": {
      "policy": "write"
    }
  },
  "service": {
    "vault": {
      "policy": "write"
    }
  }
}


I tried this with both the empty node name "" (which I think should work) and with the node name as listed in "consul members" - but I get the same error as before.

So far, the only way I can get vault to work with the consul 0.8.1 acls is to use a "management" acl for vault.

Can anyone help me with this please ?

It would be really great if the vault user guide for the consul storage backend gave some clues about setting up the ACLs.

regards,
Martin





Brian Lalor
May 1, 2017, 8:58:03 AM
to vault...@googlegroups.com
Isn't agent access now under acl control?

-- 
Brian Lalor
bla...@bravo5.org

Martin Waite
May 1, 2017, 9:06:00 AM
to Vault
Hi Brian,

Thanks - you are correct.  I now have a working ACL:

{
  "key": {
    "vault/": {
      "policy": "write"
    }
  },
  "node": {
    "": {
      "policy": "write"
    }
  },
  "service": {
    "vault": {
      "policy": "write"
    }
  },
  "agent": {
    "": {
      "policy": "write"
    }
  }
}




However, I don't know how to narrow down the agent name in the ACL.  I tried "vault" - but no good.

Still, I have a working system again - yay!

regards,
Martin  

Martin Waite
May 1, 2017, 9:34:51 AM
to Vault
Spoke too soon - I later started to get session errors:

2017/05/01 14:31:59.640156 [ERROR] core: failed to acquire lock: error=failed to create session: Unexpected response code: 403 (rpc error: Permission denied)

So I added a session stanza to the ACL and things work again:

{
  "key": {
    "vault/": {
      "policy": "write"
    }
  },
  "node": {
    "": {
      "policy": "write"
    }
  },
  "service": {
    "vault": {
      "policy": "write"
    }
  },
  "agent": {
    "": {
      "policy": "write"
    }
  },
  "session": {
    "": {
      "policy": "write"
    }
  }
}


regards,
Martin
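As an added worked example (this is not code from the thread, from Vault or from Consul), the Python script below re-implements the legacy Consul ACL matching rule used by the JSON policies posted above (every rule whose prefix matches the name is a candidate, the longest prefix wins, "" matches everything, and an unmatched name falls back to the agent's default policy) and checks each of the three policies in this thread against the operations the log lines show Vault performing: reading /v1/agent/self, writing keys under vault/, registering the vault service and creating the session for the HA lock. That operation list is reconstructed from the errors above and is not Consul's authoritative list. The node name vault01 is taken from Martin's second attempt and is only an assumption here; agent, node and session rules are keyed by the agent's node name (the name shown by consul members), not by the service name, so a narrowed rule must name a prefix of that node name.

```python
"""Check legacy Consul ACL policies against what Vault's Consul backend needs.

Added example, not Vault or Consul code.  The matching rule follows the
legacy Consul ACL semantics (longest matching prefix wins, "" matches all,
unmatched falls back to the agent's acl_default_policy).  The operation list
is reconstructed from the log lines in this thread and is an assumption.
"""

LEVELS = {"deny": 0, "read": 1, "write": 2}

# Assumed node name of the agent Vault talks to (what `consul members` shows).
NODE = "vault01"

# (category, name checked, minimum level, description) for each operation
# Vault was observed performing in the thread.  Constructed list.
VAULT_OPERATIONS = [
    ("agent",   NODE,     "read",  "GET /v1/agent/self (redirect address detection)"),
    ("key",     "vault/", "write", "KV writes under the backend path vault/"),
    ("service", "vault",  "write", "registering the 'vault' service"),
    ("session", NODE,     "write", "creating the session used for the HA lock"),
]


def allowed(policy, category, name, needed, default="deny"):
    """Return True if `policy` grants at least `needed` on `name` in `category`.

    Legacy Consul ACLs are prefix rules: every rule whose prefix is a prefix
    of `name` matches, and the longest prefix decides.  With no match the
    agent's default policy ("deny" on a locked-down cluster) applies.
    """
    best_prefix, best_policy = None, default
    for prefix, rule in policy.get(category, {}).items():
        if name.startswith(prefix) and (
            best_prefix is None or len(prefix) > len(best_prefix)
        ):
            best_prefix, best_policy = prefix, rule.get("policy", "deny")
    return LEVELS.get(best_policy, 0) >= LEVELS[needed]


def missing_permissions(policy, default="deny"):
    """Descriptions of the Vault operations `policy` does not permit."""
    return [
        desc
        for category, name, level, desc in VAULT_OPERATIONS
        if not allowed(policy, category, name, level, default)
    ]


def rule(prefix, level="write"):
    """Build one legacy-JSON ACL rule entry."""
    return {prefix: {"policy": level}}


# The three policies from the thread, in the order they were posted.
POLICY_0_7_5 = {"key": rule("vault/"), "service": rule("vault")}
POLICY_WITH_AGENT = {**POLICY_0_7_5, "node": rule(""), "agent": rule("")}
POLICY_FINAL = {**POLICY_WITH_AGENT, "session": rule("")}

# A narrowed variant that names the node instead of using "" everywhere
# (assumes the node really is called vault01).
POLICY_NARROWED = {
    "key": rule("vault/"),
    "service": rule("vault"),
    "node": rule(NODE),
    "agent": rule(NODE),
    "session": rule(NODE),
}


if __name__ == "__main__":
    for label, policy in [
        ("0.7.5 policy", POLICY_0_7_5),
        ("with node/agent", POLICY_WITH_AGENT),
        ("final", POLICY_FINAL),
        ("narrowed to node", POLICY_NARROWED),
    ]:
        gaps = missing_permissions(policy)
        print(f"{label}: {'OK' if not gaps else 'missing -> ' + '; '.join(gaps)}")
```

Running the script reproduces the thread's progression: the 0.7.5 policy is missing agent read and session write, the second policy is missing only session write, and the final and narrowed policies pass. A more specific prefix always beats a broader one, so a deny rule on vault/ under a catch-all "" write still denies.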