Vault with consul backend: getting "* Unexpected response code: 401 (ACL support disabled)" errors
1,134 views
Skip to first unread message
Facundo One
Oct 5, 2015, 10:25:47 PM10/5/15
to Vault
Hello,
I need some help with our vault setup.
My confugration, 3 consul servers, 3 vault servers with consul client configured. Vault is connecting to loop back address which we put an alias instead of loop back IP so the certificate won't complain. Config below;
$ cat /opt/vault/etc/vault.hcl
backend "consul" {
address = "client.<dc>.consul:8500"
path = "vault/"
scheme = "https"
datacenter = "ndc_as_a"
token = "vault_token"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/opt/vault/cert/vault.crt"
tls_key_file = "/opt/vault/cert/vault.key"
}
steps i used to test secret backends;
Any help you on how to fix this 401 issue is greatly appreciated.
thanks!
I need some help with our vault setup.
My confugration, 3 consul servers, 3 vault servers with consul client configured. Vault is connecting to loop back address which we put an alias instead of loop back IP so the certificate won't complain. Config below;
$ cat /opt/vault/etc/vault.hcl
backend "consul" {
address = "client.<dc>.consul:8500"
path = "vault/"
scheme = "https"
datacenter = "ndc_as_a"
token = "vault_token"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/opt/vault/cert/vault.crt"
tls_key_file = "/opt/vault/cert/vault.key"
}
steps i used to test secret backends;
$ vault mount consul
$ vault write consul/config/access address=client.<dc>.consul:8500 scheme=https token=vault_management_tokenSuccess! Data written to: consul/config/access
$ POLICY='key "" { policy = "read" }'
$ echo $POLICY | base64 | vault write consul/roles/readonly policy=-
Success! Data written to: consul/roles/readonly
$vault read consul/roles/readonly
Key Value
lease 1h0m0s
policy a2V5ICIiIHsgcG9saWN5ID0gInJlYWQiIH0K
$vault read consul/creds/readonly
Error reading consul/creds/readonly: Error making API request.
URL: GET https://server.<dc>.vault:8200/v1/consul/creds/readonly
Code: 400. Errors:
* Unexpected response code: 401 (ACL support disabled)
Any help you on how to fix this 401 issue is greatly appreciated.
thanks!
Armon Dadgar
Oct 5, 2015, 10:35:43 PM10/5/15
to vault...@googlegroups.com, Facundo One
Hey Facundo,
That error looks like it is coming from Consul itself. Have you configured Consul to enable ACLs?
This requires that at least “acl_datacenter” be set on all the clients and servers.
Best Regards,
Armon Dadgar
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/595fb62b-9490-45ba-a867-d25402cba292%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Facundo One
Oct 6, 2015, 9:16:47 AM10/6/15
to Vault
"acl_datacenter": "<dc>" is set on the server but not on the client. I will add this on the client and test. thank you!
Facundo One
Oct 6, 2015, 10:23:41 AM10/6/15
to Vault
that works! thank you for your help Armon.
Reply all
Reply to author
Forward
0 new messages