Unable to revoke token using root token: Permission denied


Алексей Максимов

Apr 28, 2017, 11:06:59 AM
to Vault
Hi all!

I have a very annoying token in my vault. Not sure how exactly it was created, but in fact I am unable to look it up or remove it using my root token.


./vault token-revoke --accessor c1ab6572-7c1f-ba12-0d3b-7ca3c0f5f3c0
Success! Token revoked if it existed.



./vault token-lookup --accessor <accessor>
error looking up token: Error making API request.

URL: POST https://<hostname>:8200/v1/auth/token/lookup-accessor
Code: 403. Errors:

* 1 error(s) occurred:

* permission denied



./vault token-lookup
Key                 Value
---                 -----
accessor            bla-bla
creation_time       bla
creation_ttl        0
display_name        token
explicit_max_ttl    0
id                  
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [root]
renewable           false
ttl                 0

./vault --version
Vault v0.7.0 ('614deacfca3f3b7162bbf30a36d6fc7362cd47f0')

Can anyone suggest any debug actions to figure out what is wrong and how to remove this token?

Thanks,
Alexey

Jeff Mitchell

Apr 28, 2017, 11:13:44 AM
to Vault
Hi there,

What is your Vault server version? (What's the output of "vault status"?)

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/a3840acd-6d5f-455a-af2c-0fbf728aa039%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Алексей Максимов

Apr 28, 2017, 2:16:19 PM
to Vault
Hi Jeff,

Thanks for the reply. The Vault server version is
Vault v0.6.2

vault status shows me

Sealed: false
Key Shares: 4
Key Threshold: 2
Unseal Progress: 0

High-Availability Enabled: true
    Mode: active
    Leader: https://127.0.0.1:8200

On Friday, April 28, 2017 at 18:13:44 UTC+3, Jeff Mitchell wrote:

Jeff Mitchell

Apr 28, 2017, 2:23:47 PM
to Vault
Hi there,

Are you sure it's the same Vault server? In your first post you obfuscated the host name, but in your other post it shows 127.0.0.1, which I wouldn't think would merit obfuscation.

Best,
Jeff


Алексей Максимов

Apr 28, 2017, 3:22:11 PM
to Vault
Yes, we have only one vault cluster. The difference is that I run the first command from my local machine (I defined the VAULT_SERVER and VAULT_TOKEN environment variables). Then I run the commands locally from one of the vault servers.

The thing is that everything else works fine except for this token. Looks like it's some kind of glitch that I cannot fix even though I have the root token.

Thanks,
Alexey

On Friday, April 28, 2017 at 21:23:47 UTC+3, Jeff Mitchell wrote:

Jeff Mitchell

Apr 28, 2017, 5:30:44 PM
to Vault
Hi there,

I must admit I don't really follow what the actual problem is. In the first command you are doing a revocation on accessor. In the second command you attempt a lookup on the accessor, which fails. In the third command you show that you are using a root token. Why do you think that the original token (that you are deleting with the accessor) still exists? Are you using it successfully for other calls?

Also, I highly highly recommend upgrading, as there have been fixes, including some security fixes, related to tokens in the releases since.

Best,
Jeff


Calvin Leung Huang

May 2, 2017, 11:10:57 AM
to Vault
Can you list the mounts that you've enabled? Also, logs would help immensely if they are available.

Regards,
Calvin

Алексей Максимов

May 4, 2017, 2:36:19 AM
to Vault
Hi Calvin! Sure.

vault mounts
Path        Type       Default TTL  Max TTL    Description
cubbyhole/  cubbyhole  n/a          n/a        per-token private secret storage
pki/        pki        system       315360000
secret/     generic    system       system     generic secret storage
sys/        system     n/a          n/a        system endpoints used for control, policy and debugging


vault token-lookup --accessor c1ab6572-7c1f-ba12-0d3b-7ca3c0f5f3c0
{"time":"2017-05-04T06:30:32Z","type":"request","auth":{"client_token":"","accessor":"","display_name":"token","policies":["root"],"metadata":null},"request":{"id":"b7eb81e7-d757-60c3-50cb-487ba9411dc7","operation":"update","client_token":"hmac-sha256:3e5d41563c1b99c6bff8a9b14ded8db5f5f49ffb46d03fd971e5ae666623b587","path":"auth/token/lookup-accessor/c1ab6572-7c1f-ba12-0d3b-7ca3c0f5f3c0","data":null,"remote_address":"192.168.51.86","wrap_ttl":0},"error":""}
{"time":"2017-05-04T06:30:32Z","type":"response","error":"1 error(s) occurred:\n\n* permission denied","auth":{"client_token":"","accessor":"","display_name":"token","policies":["root"],"metadata":null},"request":{"id":"b7eb81e7-d757-60c3-50cb-487ba9411dc7","operation":"update","client_token":"hmac-sha256:3e5d41563c1b99c6bff8a9b14ded8db5f5f49ffb46d03fd971e5ae666623b587","path":"auth/token/lookup-accessor/c1ab6572-7c1f-ba12-0d3b-7ca3c0f5f3c0","data":null,"remote_address":"192.168.51.86","wrap_ttl":0},"response":{}}

But I can still see this accessor in the list of all accessors using the API v1/auth/token/accessors?list=true


On Tuesday, May 2, 2017 at 18:10:57 UTC+3, Calvin Leung Huang wrote:
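The audit entries quoted in the post above carry a useful signal: a caller whose `auth.policies` contains `root` is still told `permission denied`. Since root is never denied by ACLs, every such response points at something other than policy, here an accessor entry whose token is already gone. The following scanner is an added example (not code from the thread or from HashiCorp) that reads file-audit JSON lines and reports exactly those anomalies. It assumes the format shown in the post, one JSON object per line with `type` set to `request` or `response`; the first two sample lines are the ones quoted above and the trailing pair is constructed.

```python
"""Report "permission denied" responses issued to callers holding the root policy.

Added example, not code from the thread. Assumes the Vault file-audit JSON
format quoted in the thread (one object per line, "request"/"response" pairs).
"""
import json
from collections import defaultdict

# Sample audit log: the first two lines are the ones quoted in the thread, the
# last two are a constructed successful lookup for contrast.
SAMPLE_LOG = r'''
{"time":"2017-05-04T06:30:32Z","type":"request","auth":{"client_token":"","accessor":"","display_name":"token","policies":["root"],"metadata":null},"request":{"id":"b7eb81e7-d757-60c3-50cb-487ba9411dc7","operation":"update","client_token":"hmac-sha256:3e5d41563c1b99c6bff8a9b14ded8db5f5f49ffb46d03fd971e5ae666623b587","path":"auth/token/lookup-accessor/c1ab6572-7c1f-ba12-0d3b-7ca3c0f5f3c0","data":null,"remote_address":"192.168.51.86","wrap_ttl":0},"error":""}
{"time":"2017-05-04T06:30:32Z","type":"response","error":"1 error(s) occurred:\n\n* permission denied","auth":{"client_token":"","accessor":"","display_name":"token","policies":["root"],"metadata":null},"request":{"id":"b7eb81e7-d757-60c3-50cb-487ba9411dc7","operation":"update","client_token":"hmac-sha256:3e5d41563c1b99c6bff8a9b14ded8db5f5f49ffb46d03fd971e5ae666623b587","path":"auth/token/lookup-accessor/c1ab6572-7c1f-ba12-0d3b-7ca3c0f5f3c0","data":null,"remote_address":"192.168.51.86","wrap_ttl":0},"response":{}}
{"time":"2017-05-04T06:31:00Z","type":"request","auth":{"client_token":"","accessor":"","display_name":"token","policies":["root"],"metadata":null},"request":{"id":"00000000-0000-4000-8000-000000000001","operation":"update","client_token":"hmac-sha256:constructed","path":"auth/token/lookup-accessor/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee","data":null,"remote_address":"192.168.51.86","wrap_ttl":0},"error":""}
{"time":"2017-05-04T06:31:00Z","type":"response","error":"","auth":{"client_token":"","accessor":"","display_name":"token","policies":["root"],"metadata":null},"request":{"id":"00000000-0000-4000-8000-000000000001","operation":"update","client_token":"hmac-sha256:constructed","path":"auth/token/lookup-accessor/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee","data":null,"remote_address":"192.168.51.86","wrap_ttl":0},"response":{}}
'''


def parse_entries(text):
    """Yield decoded audit entries, skipping blank lines and non-JSON noise."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            # A truncated or partially written line; ignore rather than abort.
            continue


def find_root_denials(text):
    """Return [(request_id, path, remote_address)] for every response whose
    error mentions 'permission denied' while auth.policies includes 'root'."""
    hits = []
    for entry in parse_entries(text):
        if entry.get("type") != "response":
            continue
        error = entry.get("error") or ""
        policies = (entry.get("auth") or {}).get("policies") or []
        if "permission denied" in error and "root" in policies:
            req = entry.get("request") or {}
            hits.append((req.get("id"), req.get("path"), req.get("remote_address")))
    return hits


def denials_by_path(text):
    """Count hits per request path so a repeatedly polled dangling accessor
    (for instance one hit by a monitoring script) stands out."""
    counts = defaultdict(int)
    for _, path, _ in find_root_denials(text):
        counts[path] += 1
    return dict(counts)


if __name__ == "__main__":
    for rid, path, addr in find_root_denials(SAMPLE_LOG):
        print(f"root caller denied: id={rid} path={path} from={addr}")
    print(denials_by_path(SAMPLE_LOG))
```

Run it against a real audit file by replacing `SAMPLE_LOG` with the file's contents; the per-path counts separate a single stale accessor entry from a wider policy problem.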

Алексей Максимов

May 4, 2017, 2:40:47 AM
to Vault
Jeff, I will try to explain.

We have a token TTL monitoring script that gets all accessors using the API v1/auth/token/accessors?list=true. There is one accessor in this list that I mentioned above. I was trying to remove this token but got permission denied. Do you think it is possible that the token was revoked but the accessor still exists? I am wondering if I could just remove this accessor; probably that would resolve my issue.

On Saturday, April 29, 2017 at 0:30:44 UTC+3, Jeff Mitchell wrote:
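The monitoring script described in the post above lists every accessor and then looks each one up, which is exactly where a dangling accessor entry makes the run fail. The following is an added example (not the poster's script and not HashiCorp code) of a TTL monitor that tolerates that failure mode: it lists accessors, looks each one up, and sorts them into live, expiring and stale buckets instead of aborting on the first 403. It assumes the API paths named in the thread (`auth/token/accessors` via LIST and `auth/token/lookup-accessor` via POST with the accessor in the JSON body), the standard `VAULT_ADDR` and `VAULT_TOKEN` environment variables, and that the monitor runs with a token allowed to perform lookups, so that a 403 from `lookup-accessor` is not a policy denial. The HTTP layer is pluggable, and the constructed `fake_vault` stand-in lets the logic run offline.

```python
"""Token TTL monitor that tolerates accessor entries whose token is gone.

Added example, not code from the thread. Assumes the Vault API paths named in
the thread and the VAULT_ADDR / VAULT_TOKEN environment variables.
"""
import json
import os
import urllib.error
import urllib.request


class VaultError(Exception):
    """HTTP error from the Vault API, keeping the status code for triage."""
    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body}")
        self.status = status


def http_client(addr, token):
    """Return call(method, path, payload) -> dict that talks to a real server."""
    def call(method, path, payload=None):
        url = f"{addr.rstrip('/')}/v1/{path}"
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(
            url, data=data, method=method,
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as exc:
            raise VaultError(exc.code, exc.read().decode(errors="replace")) from None
    return call


def audit_accessors(call, ttl_warn_seconds=86400):
    """Classify every accessor the server lists.

    'ok'       -> lookup succeeded, TTL is 0 (no expiry) or above the threshold
    'expiring' -> lookup succeeded, TTL below the threshold (accessor, ttl)
    'stale'    -> lookup refused with 403: the accessor entry outlived its
                  token (the thread's case); recorded for tidying, not fatal
    """
    listing = call("LIST", "auth/token/accessors")
    report = {"ok": [], "expiring": [], "stale": []}
    for acc in listing.get("data", {}).get("keys", []):
        try:
            info = call("POST", "auth/token/lookup-accessor", {"accessor": acc})
        except VaultError as exc:
            if exc.status == 403:
                report["stale"].append(acc)
                continue
            raise  # anything else (sealed server, network) is a real failure
        ttl = int(info.get("data", {}).get("ttl") or 0)
        if ttl and ttl < ttl_warn_seconds:
            report["expiring"].append((acc, ttl))
        else:
            report["ok"].append(acc)
    return report


def fake_vault(live_tokens, stale_accessors):
    """Constructed stand-in for the HTTP layer (sample data, not a real server).

    live_tokens maps accessor -> ttl; stale_accessors are listed but refused.
    """
    def call(method, path, payload=None):
        if method == "LIST" and path == "auth/token/accessors":
            return {"data": {"keys": sorted(list(live_tokens) + list(stale_accessors))}}
        if method == "POST" and path == "auth/token/lookup-accessor":
            acc = payload["accessor"]
            if acc in live_tokens:
                return {"data": {"accessor": acc, "ttl": live_tokens[acc]}}
            raise VaultError(403, "1 error(s) occurred:\n\n* permission denied")
        raise VaultError(404, f"unsupported path {path}")
    return call


# Constructed sample: two live tokens and the accessor quoted in the thread
# standing in for an entry whose token no longer exists.
SAMPLE_LIVE = {"aaaaaaaa-0000-4000-8000-000000000001": 0,
               "bbbbbbbb-0000-4000-8000-000000000002": 3600}
SAMPLE_STALE = ["c1ab6572-7c1f-ba12-0d3b-7ca3c0f5f3c0"]


if __name__ == "__main__":
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    client = http_client(addr, token) if addr and token else fake_vault(SAMPLE_LIVE, SAMPLE_STALE)
    print(json.dumps(audit_accessors(client), indent=2))
```

With `VAULT_ADDR` and `VAULT_TOKEN` set the script runs against a live server; without them it exercises the constructed data, placing the quoted accessor in the `stale` bucket rather than failing the whole run.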

Jeff Mitchell

May 4, 2017, 6:44:57 AM
to Vault
Hi,

Not only do I think it possible, it's my running theory on the problem :-) We've been making changes to /auth/token/tidy that I think will fix this for you in 0.7.1 but you can simply remove that accessor entry if you like, or wait until 0.7.1 comes out (very very soon) and try tidying.

Best,
Jeff


Алексей Максимов

May 4, 2017, 8:53:51 AM
to Vault
Thanks, Jeff!

Yep, I see /auth/token/tidy in the docs, but it is not supported in our current vault version yet. Can you recommend any way to remove the accessor entry manually?
I am not sure when we will be ready to upgrade vault.

Thanks,
Alexey

On Thursday, May 4, 2017 at 13:44:57 UTC+3, Jeff Mitchell wrote:

Jeff Mitchell

May 4, 2017, 11:51:40 AM
to Vault
Hi Алексей,

It's not very straightforward because the values are salted/hashed in storage. If you can deal with having an annoying entry around until you upgrade (I recommend to 0.7.1 when it's out soon as we've enhanced the tidy logic) that's probably your best bet.

Best,
Jeff


Алексей Максимов

May 5, 2017, 3:44:53 AM
to Vault
Jeff, thanks a bunch for your help. Yes, we are ok with it.

Thanks,
Alexey

On Thursday, May 4, 2017 at 18:51:40 UTC+3, Jeff Mitchell wrote: