Issues with auth/token/lookup-accessor
Will Pinney
curl -vv -k -X LIST -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" https://xxxx:8200/v1/auth/token/accessors
curl -vv -k -X POST -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" https://xxxx:8200/v1/auth/token/lookup-accessor/ROOT_TOKEN_HERE
{
"auth": null,
"warnings": null,
"wrap_info": null,
"data": {
"ttl": 0,
"renewable": false,
"policies": [
"root"
],
"path": "auth/token/create",
"orphan": false,
"accessor": "ACCESSOER-TOKEN",
"creation_time": 1487018222,
"creation_ttl": 0,
"display_name": "token-vault-admin-token",
"explicit_max_ttl": 0,
"id": "",
"meta": null,
"num_uses": 0
},
"lease_duration": 0,
"renewable": false,
"lease_id": "",
"request_id": "4160f5d9-0995-8691-0c09-dbbd49bb236b"
}
However, I got “Permission Denied” when I use the same REST API to look up the keys returned from
curl -vv -k -X LIST -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" https://xxxx:8200/v1/auth/token/accessors
vault@pr-vault02:~/bin$ time curl -vv -k -X POST -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" https://xxxx:8200/v1/auth/token/lookup-accessor/e730e3f8-6b97-465c-96f3-6f048cc9d454
> POST /v1/auth/token/lookup-accessor/e730e3f8-6b97-465c-96f3-6f048cc9d454 HTTP/1.1
> User-Agent: curl/7.35.0
> Host: XXXX:8200
> Accept: */*
> X-Vault-Token: ROOT_TOKEN_HERE
> Content-Type: application/json
>
< HTTP/1.1 403 Forbidden
< Date: Wed, 08 Mar 2017 19:32:01 GMT
< Content-Length: 59
< Content-Type: text/plain; charset=utf-8
<
{"errors":["1 error(s) occurred:\n\n* permission denied"]}
* Connection #0 to host xxxx left intact
Why is that?
Jeff Mitchell
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/9815d3de-80a7-473b-bb21-ced8cb8f3306%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Will Pinney
$ cat token.json
{
"accessor": “e27f3a9b-f356-93db-cbd8-4be3f0a07866”
}
$ curl -vv -k -X POST -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" https://xxxx:8200/v1/auth/token/lookup-accessor -d @token.json
> POST /v1/auth/token/lookup-accessor HTTP/1.1
> User-Agent: curl/7.35.0
> Host: xxxx:8200
> Accept: */*
> X-Vault-Token: ROOT_TOKEN
> Content-Type: application/json
> Content-Length: 53
>
* upload completely sent off: 53 out of 53 bytes
< HTTP/1.1 403 Forbidden
< Date: Wed, 08 Mar 2017 20:21:18 GMT
< Content-Length: 59
< Content-Type: text/plain; charset=utf-8
<
{"errors":["1 error(s) occurred:\n\n* permission denied"]}
What did I do wrong?
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
Jeff Mitchell
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/7d67c345-3984-4755-be32-cfd79eee5731%40googlegroups.com.
Will Pinney
Jeff, I must have a weird problem.
Now, looking at a accessor token from the log (with no hmac enabled so that accessor token is plain), I got “permission denied”
$ vault token-lookup -accessor 8ceea301-2bb8-5830-7306-ba692b2d87fc
error looking up token: Error making API request.
URL: POST https://127.0.0.1:8200/v1/auth/token/lookup-accessor/8ceea301-2bb8-5830-7306-ba692b2d87fc
Code: 403. Errors:
* 1 error(s) occurred:
* permission denied
Thanks.
Jeff Mitchell
>> Jeff, I must have a weird problem.
>
>
> I am certain that I am using a root token (actually the original one when I
> created the vault). It can look up the accessor of itself. But it can not
> look up the accessor of others.
>
> What I really want to find out is the following:
> - for the accessor token, if the token is created with TTL=300 seconds, and
> num_use=5. Does this mean both accessor token and the token it can accessor
> will both expire after 300 seconds?
> I am seeing 2.5million accessor tokens
> when I do a listing "curl -vv -k -X LIST -H "X-Vault-Token: $VAULT_TOKEN" -H
> "Content-Type: application/json" $VAULT_ADDR/v1/auth/token/accessors "
>
> This looks abnormal to me. But I can not read the accessor token for some
> reason.
running into a bug that was affecting limited-use tokens prior to
0.6.4. If so, once you're on 0.6.4 or above you need to hit the
auth/token/tidy endpoint to run some cleanup code.
Best,
Jeff
Will Pinney
v1/auth/token/accessors.
For example, the following token (manually created) and accessor are supposed to be expired after 1 time use, it still lingers after 25 minutes and showed up in v1/auth/token/accessors call.
$ vault token-create -policy="service_token_readonly" -ttl="5m" -use-limit=1
Key Value
--- -----
token cfbed861-ec3b-fa78-7438-4bd559d8fde9
token_accessor c5fbb973-06e8-d371-19cb-91a979f35a93
token_duration 5m0s
token_renewable true
token_policies [default service_token_readonly]
$ vault token-lookup -accessor c5fbb973-06e8-d371-19cb-91a979f35a93
Key Value
--- -----
accessor c5fbb973-06e8-d371-19cb-91a979f35a93
creation_time 1489172796
creation_ttl 300
display_name token
explicit_max_ttl 0
id
meta <nil>
num_uses 1
orphan false
path auth/token/create
policies [default service_token_readonly]
renewable true
ttl 285
$ export VAULT_TOKEN=cfbed861-ec3b-fa78-7438-4bd559d8fde9
vault@pr-vault01:~$ vault status
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Version: Vault v0.6.1
Cluster Name: vault-cluster-f6618386
Cluster ID: e8aef188-8724-9176-ecc5-0a0cf662a225
vault@pr-vault01:~$ vault token-lookup
error looking up token: Error making API request.
URL: GET https://127.0.0.1:8200/v1/auth/token/lookup-self
Code: 403. Errors:
* bad token
(one time use is up, token supposedly is revoked)
$ vault token-lookup -accessor c5fbb973-06e8-d371-19cb-91a979f35a93
error looking up token: Error making API request.
Code: 403. Errors:
* 1 error(s) occurred:
* permission denied
$ curl -vv -k -X LIST -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" $VAULT_ADDR/v1/auth/token/accessors > ~/tmp/j.txt (takes 25 minutes to executes)
$ cat j.txt | jq . > j.json
$ grep 'c5fbb973-06e8-d371-19cb-91a979f35a93' j.json
"c5fbb973-06e8-d371-19cb-91a979f35a93", <— I would expect the accessor disappear after 30 minutes given the num_uses is fulfilled and TTL is expired.
However, why is the accessor token still returned by v1/auth/token/accessors REST API call? Is this the bug fixed in the future releases? If so, can you point to me about this bug report? If not, is this a new bug? How to ensure the expired accessor tokens be removed in a timely fashion?
On a side note, if a accessor & token is created with TTL=300seconds, use-limit=1, but is never being used, then this token get removed from the v1/auth/token/accessors call.
Thanks.
Jeff Mitchell
Please see my previous reply. You should really be using 0.6.4 or
above; 0.6.4 was a security fix.
Best,
Jeff
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit