Using Vault with Kubernetes Auth Backend


Mic-Le

Mar 28, 2018, 10:10:24 AM3/28/18
to Vault
Greetings!

I am trying to use Vault with the Kubernetes auth backend as described here.
I got to the point where Vault is configured to use the Kubernetes backend and a role for the default service account is created.

The confusing part is on the client side (inside the Kubernetes pod): while the client interacts with Vault, which client token should it use in the HTTP request header?

I tried to use the token from the Kubernetes default service account secret, but got a "permission denied" error:

$ curl -XPOST -H "X-Vault-Token: xxxxx...." --data '{"pw": "demo"}' http://vault:8200/v1/secret

please advise.

Thank you!

Brian Kassouf

Mar 28, 2018, 12:10:42 PM3/28/18
to vault...@googlegroups.com
Hi!

You'll need to use the login endpoint
(https://www.vaultproject.io/docs/auth/kubernetes.html#via-the-api)
to trade the Kubernetes service account token for a Vault
token. The Vault token is what you pass into the header for future
requests.

Best,
Brian
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/058bc5ee-72b6-492f-bb51-306b90d878de%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
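Brian's two-step flow written out as a script, as an added example that is not part of any post in this thread: the pod exchanges its service-account JWT at the login endpoint without any X-Vault-Token, receives a Vault token in auth.client_token, and only that Vault token goes into the X-Vault-Token header for later requests. The Vault address, the role name demo, the secret path secret/demo and the choice to extract the token with sed from Vault's compact JSON (so the script needs only curl) are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: exchange a Kubernetes service-account JWT for a Vault token,
# then use the Vault token (not the SA JWT) in X-Vault-Token.
# Assumed values: VAULT_ADDR, the auth method mounted at auth/kubernetes,
# a role named "demo" and a secret at secret/demo.
set -euo pipefail

VAULT_ADDR="${VAULT_ADDR:-http://vault:8200}"
SA_TOKEN_FILE="${SA_TOKEN_FILE:-/var/run/secrets/kubernetes.io/serviceaccount/token}"

# Build the login body. tr -d '\n' drops a trailing newline from the token
# file so the JWT is never sent with "\n" appended to it.
build_login_body() {
  local role="$1" token_file="$2" jwt
  jwt=$(tr -d '\n' < "$token_file")
  printf '{"role":"%s","jwt":"%s"}' "$role" "$jwt"
}

# Pull auth.client_token out of a login response (Vault emits compact JSON).
# A response carrying an "errors" array or no token is a failed login.
extract_client_token() {
  local response="$1" token
  case "$response" in
    *'"errors"'*)
      printf 'vault login failed: %s\n' "$response" >&2
      return 1 ;;
  esac
  token=$(printf '%s\n' "$response" | sed -n 's/.*"client_token":"\([^"]*\)".*/\1/p')
  if [ -z "$token" ]; then
    printf 'no client_token in response: %s\n' "$response" >&2
    return 1
  fi
  printf '%s\n' "$token"
}

# Step 1: POST the SA JWT to the login endpoint. No X-Vault-Token is needed
# here; this call is what produces the Vault token.
vault_k8s_login() {
  local role="$1" body response
  body=$(build_login_body "$role" "$SA_TOKEN_FILE")
  response=$(curl -sS --request POST --data "$body" \
    "$VAULT_ADDR/v1/auth/kubernetes/login")
  extract_client_token "$response"
}

# Step 2: every later request carries the Vault token, never the SA JWT.
vault_read() {
  local vault_token="$1" path="$2"
  curl -sS -H "X-Vault-Token: $vault_token" "$VAULT_ADDR/v1/$path"
}

# Usage inside the pod: ./vault-k8s-login.sh run
if [ "${1:-}" = "run" ]; then
  VAULT_TOKEN=$(vault_k8s_login demo)
  vault_read "$VAULT_TOKEN" secret/demo
fi
```

The returned token inherits the policies attached to the role, so a "permission denied" on the second call means the role's policies do not cover that path, while a failure on the first call points at the Kubernetes auth configuration or the role bindings.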

Mic-Le

Mar 28, 2018, 2:09:03 PM3/28/18
to Vault
Thank you, Brian!

Following your advice, I am trying to authenticate by running the following commands from inside the pod:

$ KUBE_TOKEN=$(</var/run/secrets/kubernetes.io/serviceaccount/token)
$ curl -XPOST --data '{"role": "demo", "jwt": "'$KUBE_TOKEN'"}' http://vault:8200/v1/auth/kubernetes/login

{"errors":["Post kubernetes:8443/apis/authentication.k8s.io/v1/tokenreviews: unsupported protocol scheme \"kubernetes\""]}

Can you please point out what I missed?

Thanks again!

Brian Kassouf

Mar 28, 2018, 2:19:02 PM3/28/18
to vault...@googlegroups.com
I believe you're not correctly concatenating the data string. Try something like:

curl -s \
--request POST \
--data "{\"role\": \"demo\", \"jwt\": \"${KUBE_TOKEN}\"}" \
"http://vault:8200/v1/auth/kubernetes/login"

Mic-Le

Mar 28, 2018, 2:23:18 PM3/28/18
to Vault
Brian, 

I got the same error using your proposed command.

What else can I check?

Brian Kassouf

Mar 28, 2018, 2:51:00 PM3/28/18
to vault...@googlegroups.com
Can you show how you configured your Kubernetes backend in Vault? And
verify that "kubernetes_host" has http:// or https:// before the
hostname?

Mic-Le

Mar 28, 2018, 3:46:47 PM3/28/18
to Vault
Brian,

I have installed Vault in Kubernetes (minikube) using the Helm chart.

Since I am new to Vault, I am not sure how to pull out the backend configuration.

Here are the commands I used to get the info about auth backends:


$ vault read sys/auth

Key            Value
---            -----
kubernetes/    map[local:false seal_wrap:false type:kubernetes accessor:auth_kubernetes_124131ec config:map[default_lease_ttl:0 max_lease_ttl:0] description:]
token/         map[local:false seal_wrap:false type:token accessor:auth_token_7d996f06 config:map[default_lease_ttl:0 max_lease_ttl:0] description:token based credentials]


$ vault auth list

Path           Type          Description
----           ----          -----------
kubernetes/    kubernetes    n/a
token/         token         token based credentials

I did not specifically configure kubernetes auth backend.

Brian Kassouf

Mar 28, 2018, 4:20:56 PM3/28/18
to vault...@googlegroups.com

Mic-Le

Mar 28, 2018, 5:29:39 PM3/28/18
to Vault
Thank you, Brian.

Seems like this one was misconfigured.

Appreciate your help!

Pal D

Jun 20, 2018, 7:01:17 AM6/20/18
to Vault


Hi Mic-Le, Brian,

I am also trying to setup kubernetes auth backend with vault.


When I try to authenticate using the API from curl or from my application, I get an "invalid header error. key Authorization".

A complete snippet of the error is below:

{"errors":["Post https://testaks-testgroup-123d48-v6923444.hcp.westeurope.azmk8s.io:443/apis/authentication.k8s.io/v1/tokenreviews: net/http: invalid header field value \"Bearer eyJhbG.........qm515tt8\\n\" for key Authorization"]}


Can you please help me in resolving this?

Your help will be appreciated!
Thanks,

Vasilev Vjacheslav

Jul 2, 2018, 5:02:11 AM7/2/18
to Vault
Hi Pal D,

Were you able to solve this issue or at least find some clues to root cause?

On Wednesday, June 20, 2018 at 14:01:17 UTC+3, Pal D wrote:

Vasilev Vjacheslav

Jul 2, 2018, 5:11:45 AM7/2/18
to Vault
I see that the problem is not related to Vault, but to how the K8s side processes the Bearer token.
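The two server-side mistakes visible in this thread, collected into one Vault-side setup script as an added example (not posted by anyone here): it refuses a kubernetes_host that lacks an http:// or https:// scheme, which is what produces the unsupported protocol scheme "kubernetes" error from Mic-Le's first attempt, and it strips the trailing newline from the reviewer-token file before writing token_reviewer_jwt, because the Authorization value in the error Pal D posted ends in a literal \n. Whichever JWT Vault presents to the Kubernetes TokenReview API (the configured token_reviewer_jwt, or the login JWT when none is configured) must not carry that newline. The API server address https://kubernetes.default.svc:443, the role demo bound to the default service account in the default namespace, the policy name demo and the 1h TTL are assumed values, not taken from the thread.

```shell
#!/usr/bin/env bash
# Added example: configure Vault's Kubernetes auth method with the two checks
# this thread's errors call for. Assumed values: in-cluster API server
# https://kubernetes.default.svc:443, role "demo" bound to the default
# service account in the default namespace, Vault policy "demo", TTL 1h.
set -euo pipefail

# kubernetes_host must carry an explicit scheme; "kubernetes:8443" alone makes
# Vault's TokenReview call fail with: unsupported protocol scheme "kubernetes".
validate_k8s_host() {
  case "$1" in
    https://*) return 0 ;;
    http://*)  return 0 ;;   # accepted by Vault, but the API server should be reached over TLS
    *)         return 1 ;;
  esac
}

# Read a JWT from a file with any trailing newline removed, so the value
# Vault later sends as "Authorization: Bearer <jwt>" does not end in "\n".
read_token() {
  tr -d '\n' < "$1"
}

configure_k8s_auth() {
  local k8s_host="$1" ca_cert_file="$2" reviewer_token_file="$3"
  if ! validate_k8s_host "$k8s_host"; then
    printf 'kubernetes_host must start with http:// or https://, got: %s\n' "$k8s_host" >&2
    return 1
  fi

  # The Helm chart in this thread had already mounted the method, so only
  # enable it when it is missing.
  vault auth list | grep -q '^kubernetes/' || vault auth enable kubernetes

  vault write auth/kubernetes/config \
    kubernetes_host="$k8s_host" \
    kubernetes_ca_cert=@"$ca_cert_file" \
    token_reviewer_jwt="$(read_token "$reviewer_token_file")"

  # Bind the role to a specific service account and namespace; a pod logging
  # in with any other SA JWT is rejected even if the JWT itself is valid.
  vault write auth/kubernetes/role/demo \
    bound_service_account_names=default \
    bound_service_account_namespaces=default \
    policies=demo \
    ttl=1h
}

# Usage from a pod whose service account may create TokenReviews:
#   ./configure-k8s-auth.sh run
if [ "${1:-}" = "run" ]; then
  configure_k8s_auth "https://kubernetes.default.svc:443" \
    /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
    /var/run/secrets/kubernetes.io/serviceaccount/token
fi
```

The service account whose token becomes token_reviewer_jwt needs permission to create TokenReview objects (the system:auth-delegator ClusterRole in the Vault documentation); without it Vault's call to the API server fails with an authorization error rather than the scheme or header errors seen in this thread.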