appropriate path for setting/getting values from Vault w/ Consul


Julio Castillo

Oct 27, 2015, 2:01:26 PM
to Vault
I have Vault configured with Consul as my backend.
I have tested Consul separately with no problem in all namespaces.

My problem is that I can't get/set values in Vault. I have tried a couple of different paths to no avail trying to experiment to find out which is the appropriate path for my REST calls. I can set/get using the /secret option, but I want to use consul.

Path 1: curl -X GET -H "x-vault-token: 69a2ba42-2466-8625-6675-2efa091fae0e" 'http://10.128.1.36:28200/v1/content/email'
Returns: "no handler for route 'content/email/'"

Path 2: curl -X GET -H "x-vault-token: 69a2ba42-2466-8625-6675-2efa091fae0e" 'http://10.128.1.36:28200/v1/consul/content/email'
Returns: "unsupported path"

Path 3: curl -X GET -H "x-vault-token: 69a2ba42-2466-8625-6675-2efa091fae0e" 'http://10.128.1.36:28200/v1/consul/mainline/encrypted/content/email'
Returns: "unsupported path"


All the paths attempted were combinations trying to figure out which is the right one based on my configurations.

My Vault configuration is as follows:
Mounts: 
{
  "consul/": {
    "config": {
      "default_lease_ttl": 0,
      "max_lease_ttl": 0
    },
    "description": "",
    "type": "consul"
  },
  "cubbyhole/": {
    "config": {
      "default_lease_ttl": 0,
      "max_lease_ttl": 0
    },
    "description": "per-token private secret storage",
    "type": "cubbyhole"
  },
  "secret/": {
    "config": {
      "default_lease_ttl": 0,
      "max_lease_ttl": 0
    },
    "description": "generic secret storage",
    "type": "generic"
  },
  "sys/": {
    "config": {
      "default_lease_ttl": 0,
      "max_lease_ttl": 0
    },
    "description": "system endpoints used for control, policy and debugging",
    "type": "system"
  }
}

Auth:
{
  "app-id/": {
    "description": "",
    "type": "app-id"
  },
  "token/": {
    "description": "token based credentials",
    "type": "token"
  }
}

Policy:
{
  "policies": [
    "root"
  ]
}

Vault initial configuration (vault.json):
{
  "backend": {
    "consul": {
        "address": "10.128.1.36:28500",
        "path": "mainline/encrypted",
        "scheme": "http",
        "token": "d54f4cbc-a459-3c04-552a-05cf45d2436b"
    }
  },
  "listener": {
    "tcp": {
        "address":"10.128.1.36:28200",
        "tls_disable":1
    }
  }
}

===============
Consul configurations:
ACLs:
[
  {
    "CreateIndex": 7,
    "ModifyIndex": 7,
    "ID": "2b2b052e-a632-bffd-4f14-67de1fcb95cd",
    "Name": "Mainline",
    "Type": "client",
    "Rules": "{\"key\": {\"\": {\"policy\": \"read\"},\"mainline/\": {\"policy\": \"write\"},\"mainline/encrypted/\":{\"policy\":\"deny\"}}}"
  },
  {
    "CreateIndex": 3,
    "ModifyIndex": 3,
    "ID": "anonymous",
    "Name": "Anonymous Token",
    "Type": "client",
    "Rules": ""
  },
  {
    "CreateIndex": 8,
    "ModifyIndex": 8,
    "ID": "d54f4cbc-a459-3c04-552a-05cf45d2436b",
    "Name": "Mainline-Encrypted",
    "Type": "management",
    "Rules": "{\"key\": {\"\": {\"policy\": \"read\"},\"mainline/encrypted\": {\"policy\": \"write\"}}}"
  },
  {
    "CreateIndex": 4,
    "ModifyIndex": 4,
    "ID": "f45cbd0b-5022-47ab-8640-4eaa7c1f40f1",
    "Name": "Master Token",
    "Type": "management",
    "Rules": ""
  }
]



Julio Castillo

Oct 27, 2015, 2:27:40 PM
to Vault
Could it be because I haven't specified an ACL Policy for Vault?
I guess I was relying strictly on Consul's ACL policies.

** julio

Jeff Mitchell

Oct 27, 2015, 2:30:04 PM
to vault...@googlegroups.com
Hi Julio,

There are two Consul backends in Vault. One is a physical backend,
which is the K/V store Vault is using for physical access. The other
is a secrets backend that generates credentials for clients to connect
to Consul to use its services.

It seems like you want a backend that acts like a generic K/V store
but is encrypted -- that's the "generic" backend, which is mounted by
default at secret/. You can mount more copies of it elsewhere, but the
type is always going to be "generic". So you could mount a copy of the
generic backend at "consul/" if you like, but it won't behave any
differently from "secret/".

--Jeff

Wesley Staples

Oct 27, 2015, 2:34:10 PM
to Vault

Vault has 2 different consul backends.

  • Consul Backend – This is where Vault stores its data. This is also the backend you have listed in the “Vault initial configuration (vault.json)” section. Everything in Vault will get stored here.
  • Consul Secret backend – This is only used for generating Consul API tokens. You have this listed as the first “mount”.
When you store something in /secret it will be using consul since that is your configured backend. Let’s say you write a secret “/secret/foo” to “vault_server1”. The encrypted values will be stored in Consul under the key mainline/encrypted. (I don’t know if you could actually see that from consul or not). If you took vault_server1 offline you would still be able to get this value from vault_server2 under /secret/foo.
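To make the routing that Jeff and Wesley describe concrete, here is an added example (not code from the thread or from Vault itself) that takes the mount table Julio posted, resolves a logical path to its mount the way Vault's router does (longest mount prefix wins), and only builds a read/write request for a mount that is actually a key/value store. The `content/email` and `consul/content/email` paths are the ones from the original post; the mount table and token value are constructed from the thread.

```python
import json
import urllib.request

VAULT_ADDR = "http://10.128.1.36:28200"  # listener address from vault.json above

# Mount table as listed in the thread (GET /v1/sys/mounts); only the type matters here.
MOUNTS = {
    "consul/": {"type": "consul"},        # Consul *secrets* backend: generates Consul tokens
    "cubbyhole/": {"type": "cubbyhole"},
    "secret/": {"type": "generic"},       # encrypted key/value store (data lands in Consul KV)
    "sys/": {"type": "system"},
}

KV_TYPES = {"generic", "cubbyhole"}       # mounts that accept arbitrary key/value writes


def resolve_mount(path, mounts=MOUNTS):
    """Return (mount_point, type) for the longest mount prefix of path, or None."""
    best = None
    for mount in mounts:
        if path.startswith(mount) and (best is None or len(mount) > len(best)):
            best = mount
    return (best, mounts[best]["type"]) if best else None


def explain_path(path, mounts=MOUNTS):
    """Classify a logical Vault path the way the router would, without sending a request."""
    hit = resolve_mount(path, mounts)
    if hit is None:
        return "no handler for route"          # e.g. content/email: nothing is mounted there
    mount, kind = hit
    if kind in KV_TYPES:
        return "kv"                            # e.g. secret/content/email: read/write data
    return "unsupported path (%s backend)" % kind   # e.g. consul/content/email


def kv_request(token, path, data=None, addr=VAULT_ADDR):
    """Build the HTTP request for a generic-backend read (data=None) or write (dict)."""
    if explain_path(path) != "kv":
        raise ValueError("%s is not served by a key/value mount" % path)
    body = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(addr + "/v1/" + path, data=body,
                                 method="PUT" if body else "GET")
    req.add_header("X-Vault-Token", token)     # never put the token in the URL
    return req
```

Sending `kv_request(...)` through `urllib.request.urlopen` performs the actual call; `explain_path` alone is enough to see why paths 1 to 3 in the original post fail.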