vault auth/approle/login issue when bind_secret_id=false


Ken McVicker

Jun 22, 2018, 1:21:52 PM
to Vault
I'm using vault 0.10.2.

If I create an approle and set bind_secret_id=false I then get an error when trying to login.

vault write  auth/approle/role/ken1 bind_secret_id=false

vault write auth/approle/login role_id=aeeeeee7-5555-dddd-aaaa-cbbbbbbbbbb6

Error writing data to auth/approle/login: Put https://vault:8200/v1/auth/approle/login: stream error: stream ID 5; INTERNAL_ERROR

If I connect with curl I get

curl   --data '{ "role_id": "aeeeeee7-5555-dddd-aaaa-cbbbbbbbbbb6" }' https://vault:8200/v1/auth/approle/login
curl: (52) Empty reply from server

If I set bind_secret_id=true then it works

vault write  auth/approle/role/ken1 bind_secret_id=true

vault write auth/approle/login role_id=aeeeeee7-5555-dddd-aaaa-cbbbbbbbbbb6 secret_id=dddddddd-4444-dddd-eeee-6666666ccccc
Key                     Value
---                     -----
token                   12341234-e11e-22ee-4444-29bedf5f2ac3
token_accessor          66665555-f916-43fc-a92a-11112222dddd
token_duration          768h
token_renewable         true
token_policies          [default]
token_meta_role_name    ken1

curl   --data '{ "role_id": "aeeeeee7-5555-dddd-aaaa-cbbbbbbbbbb6", "secret_id":"dddddddd-4444-dddd-eeee-6666666ccccc" }' https://vault:8200/v1/auth/approle/login

{"request_id":"1f64f65a-afaf-7f37-a340-119f9828cd60","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"99998888-bde3-941e-360e-ddddeeeeaaaa","accessor":"33334444-9452-5555-86fb-999988887777","policies":["default"],"metadata":{"role_name":"ken1"},"lease_duration":2764800,"renewable":true,"entity_id":"12341234-d0ed-e681-1234-345634563456"}}


Looks like a bug.  I tried it a few times.  Have not dug into the code yet.

Tomato_

Jun 25, 2018, 1:14:23 AM
to Vault
"vault write auth/approle/role/ken1 bind_secret_id=false" cannot be executed successfully; you are supposed to see the error "at least one constraint should be enabled on the role", which means the role needs to have bind_secret_id set to true, or bound_cidr_list set to a non-null value, or both.

On Saturday, June 23, 2018 at 1:21:52 AM UTC+8, Ken McVicker wrote:

Jeff Mitchell

Jun 25, 2018, 7:37:49 AM
to Vault
Hi Ken,

This is already fixed in 0.10.3.

Best,
Jeff


Mark Greene

Apr 25, 2019, 10:28:53 AM
to Vault
Hi Jeff,

We're using Vault v0.11.5 and are experiencing this same issue.  Was it regressed by chance?

Mark



Nick Cabatoff

Apr 25, 2019, 11:07:08 AM
to vault...@googlegroups.com
Hi Mark,

We're not aware of any such regression.  On a fresh Vault instance:

$ vault auth enable approle
Success! Enabled approle auth method at: approle/

$ vault write auth/approle/role/ken1 bind_secret_id=false secret_id_bound_cidrs=127.0.0.1/24
Success! Data written to: auth/approle/role/ken1

$ vault write auth/approle/login role_id=$(vault read -field=role_id auth/approle/role/ken1/role-id)
Key                     Value
---                     -----
token                   s.UAUfdYIFf9M9kY9A7Sd1OLWR
token_accessor          Fjf4rH8uUXN9KgcqysTob8Om
token_duration          768h
token_renewable         true
token_policies          ["default"]
identity_policies       []
policies                ["default"]
token_meta_role_name    ken1

Note that since 0.6.2 you can't specify bind_secret_id=false without also providing some other constraint like secret_id_bound_cidrs.  But that would not have given you the INTERNAL ERROR from the message you're replying to, you'd get something like 

Error writing data to auth/approle/role/ken1: Error making API request.

Code: 500. Errors:

* 1 error occurred:
        * at least one constraint should be enabled on the role

Why don't you share your steps and the output you're getting and we'll see if we can figure out what's going on?


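As an added example (not Vault's own code and not from anyone in this thread), the following small client reproduces the constraint rule Nick describes (bind_secret_id=true or at least one secret_id_bound_cidrs entry) as a local pre-check before writing a role, and builds the login request for auth/approle/login, omitting secret_id when the role does not bind one. The role_id and CIDR values are the constructed ones from the thread; approle_login assumes a reachable Vault at the address you pass.

```python
"""Added example: pre-check an AppRole definition against the
"at least one constraint" rule, then build and send the login request."""
import ipaddress
import json
import urllib.request
from typing import Optional

LOGIN_PATH = "/v1/auth/approle/login"  # endpoint used throughout the thread


def role_constraints_ok(bind_secret_id: bool, secret_id_bound_cidrs=()) -> bool:
    """Mirror the server-side rule: a role needs at least one constraint.

    Either bind_secret_id must be true, or secret_id_bound_cidrs must hold
    at least one valid CIDR (e.g. 127.0.0.1/24 from Nick's example). The
    combination that Vault rejects with "at least one constraint should be
    enabled on the role" returns False here, before any write is attempted.
    """
    cidrs = []
    for cidr in secret_id_bound_cidrs:
        try:
            # strict=False accepts host bits in the prefix, as 127.0.0.1/24 has
            cidrs.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            return False  # a malformed CIDR is a config error, not a constraint
    return bool(bind_secret_id) or bool(cidrs)


def login_payload(role_id: str, secret_id: Optional[str] = None) -> dict:
    """Body for POST auth/approle/login. secret_id is left out entirely when
    the role was created with bind_secret_id=false (a CIDR-bound role)."""
    body = {"role_id": role_id}
    if secret_id is not None:
        body["secret_id"] = secret_id
    return body


def approle_login(vault_addr: str, role_id: str,
                  secret_id: Optional[str] = None) -> str:
    """POST the login and return auth.client_token from the JSON response.
    Assumes a reachable Vault (hypothetical address supplied by the caller)."""
    req = urllib.request.Request(
        vault_addr.rstrip("/") + LOGIN_PATH,
        data=json.dumps(login_payload(role_id, secret_id)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["auth"]["client_token"]
```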

Mark Greene

May 7, 2019, 10:32:40 AM
to Vault
Hi Nick,

Thank you for your reply.  The Vault instance I was using was an old image and apparently something was wrong at the OS level.  We're now running Vault 1.0.2 on RHEL 7.6 hosts and everything is working great.

Mark