token from token_role requested by approle


barap...@gmail.com

Aug 2, 2017, 3:29:08 PM
to Vault
Using Vault 0.7.0

It seems that no matter what policy permissions I add, I cannot request a token from a token-role when I'm executing it through the approle.

Using root token
{
   "path":{
      "sys/policy/*":{
         "capabilities":[
            "update",
            "read",
            "create",
            "sudo"
         ]
      },
      "auth/token/roles/*":{
         "capabilities":[
            "update",
            "read",
            "create",
            "list",
            "sudo"
         ]
      },
      "auth/token/create/*":{
         "capabilities":[
            "update",
            "create",
            "list",
            "sudo",
            "read"
         ]
      },
      "sys/auth":{
         "capabilities":[
            "read",
            "list",
            "update",
            "create"
         ]
      },
      "auth/token/roles":{
         "capabilities":[
            "update",
            "read",
            "create",
            "list",
            "sudo"
         ]
      }
   }
}

  • vault write auth/approle/role/testapprole token_num_uses=10 token_ttl=10m token_max_ttl=20m bound_cidr_list=10.0.0.0/8 bind_secret_id=false policies=mypol
  • vault write auth/approle/role/testapprole/role-id role_id=myroleid
  • curl -X POST  -d '{"role_id":"myroleid"}' http://127.0.0.1:8200/v1/auth/approle/login
    • {"request_id":"10160da9-7f1d-984b-8f31-0e294542908e","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"708b1d2b-8d48-b299-5200-4169920c5272","accessor":"7647319f-85fd-fc63-b5c9-537228abcf7e","policies":["default","mypol"],"metadata":null,"lease_duration":600,"renewable":true}}
Using token from approle
  • vault auth 708b1d2b-8d48-b299-5200-4169920c5272
    • token: 708b1d2b-8d48-b299-5200-4169920c5272
    • token_duration: 569
    • token_policies: [default mypol]
  • curl -X POST -H "X-Vault-Token:ff489262-344b-c564-4161-cbc9e0bee1dc" -d '{"ttl":"1m"}' http://127.0.0.1:8200/v1/auth/token/create/myrole
    • {"errors":["restricted use token cannot generate child tokens"]}
When I look at the token created from the approle
accessor                708b1d2b-8d48-b299-5200-4169920c5272
creation_time           1501701576
creation_ttl            600
display_name            approle
explicit_max_ttl        0
id                      7647319f-85fd-fc63-b5c9-537228abcf7e
meta                    <nil>
num_uses                9
orphan                  true
path                    auth/approle/login
policies                [default mypol]
renewable               true
ttl                     540

Since I am creating the token using a token-role, shouldn't I be able to do it just by having permissions on the auth/token/roles path?
Can someone point me in the right direction on how to achieve the above?

Many thanks.



Chris Hoffman

Aug 2, 2017, 7:33:38 PM
to vault...@googlegroups.com
The reason you are not able to create child tokens is because the parent tokens you are creating out of AppRole are limited to a use count.  If you omit the use count restriction from your AppRole role, you will be able to issue child tokens.

Chris 
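A pre-flight check for the situation in this thread, written as an added example (it is not Vault's code or the poster's): it reads the fields of a token lookup result like the one above, reports why a child-token request from that token fails, and renders the AppRole role parameters with the use-count restriction removed. The sample lookup and role data are constructed from the values in the thread; no Vault server is contacted.

```python
"""Pre-flight check for child-token creation from an AppRole token. Vault refuses
to mint child tokens from a parent whose num_uses is non-zero ("restricted use token
cannot generate child tokens"), whatever policy capabilities it holds. No Vault
server is contacted; sample data is constructed from the thread's values."""

# Constructed sample mirroring the token lookup shown in the thread.
APPROLE_TOKEN_LOOKUP = {
    "display_name": "approle",
    "path": "auth/approle/login",
    "policies": ["default", "mypol"],
    "num_uses": 9,  # non-zero: use-count restricted
    "ttl": 540,
}

# The AppRole role as written in the thread; token_num_uses=10 is the cause.
APPROLE_ROLE_PARAMS = {
    "token_num_uses": 10,
    "token_ttl": "10m",
    "token_max_ttl": "20m",
    "bound_cidr_list": "10.0.0.0/8",
    "bind_secret_id": False,
    "policies": "mypol",
}

def can_create_child_tokens(lookup: dict) -> tuple[bool, str]:
    """Return (ok, reason). num_uses of 0 (or absent) means unlimited uses."""
    num_uses = int(lookup.get("num_uses", 0))
    if num_uses > 0:
        return False, (f"use-count restricted token (num_uses={num_uses}): "
                       "Vault will not issue child tokens from it")
    return True, "unlimited-use token: child tokens allowed (policy still applies)"

def unrestricted_role_params(params: dict) -> dict:
    """Copy of the role parameters with the use-count restriction removed.
    Omitting token_num_uses (equivalent to 0) makes the role's tokens
    unlimited-use, so they can act as parents for token-role tokens."""
    fixed = dict(params)
    fixed.pop("token_num_uses", None)
    return fixed

def vault_write_command(role_name: str, params: dict) -> str:
    """Render the corrected `vault write auth/approle/role/<name> k=v ...` line."""
    kv = " ".join(f"{k}={str(v).lower() if isinstance(v, bool) else v}"
                  for k, v in params.items())
    return f"vault write auth/approle/role/{role_name} {kv}"
```

Dropping the use count widens what the AppRole token can do, so keep token_ttl and token_max_ttl short and rely on the policy for the auth/token/create/* path to bound which token roles it may mint from.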


GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/8d521dc1-777a-4f07-869f-eb90839c909b%40googlegroups.com.
