permission denied for transit


Aleksei Vinchakov

Dec 17, 2015, 11:34:24 AM
to Vault
Hi all,
I have vault server with transit backend:

# vault read transit/keys/api
Key                    Value
cipher_mode            aes-gcm
deletion_allowed       false
derived                false
keys                   map[1:1.447098432e+09]
min_decryption_version 0
name                   api


Also Cert Auth:

# vault read auth/cert/certs/web-api
.....
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
display_name web-api
policies     api
ttl          3600


And policy for it:

# vault policies api
path "transit/keys/api" {
  policy = "read"
}

path "transit/encrypt/api" {
  policy = "write"
}

path "transit/decrypt/api" {
  policy = "write"
}


But when I do requests from other server:

# TOKEN=$(curl -s -X PUT --cert "/private/api-vault.pem" --key "private/api-vault.key" https://vault.local:8200/v1/auth/cert/login|awk -F, '{print $6}'|awk -F: '{print $3}'|sed 's/"//g')
# echo $TOKEN
b215b355-4726-a170-39b4-81e1ada65577

# curl -s -H "X-Vault-Token: $TOKEN" "https://vault.local:8200/v1/auth/token/lookup-self"
{"lease_id":"","renewable":false,"lease_duration":0,"data":{"creation_time":1450369653,"display_name":"web-api","id":"b215b355-4726-a170-39b4-81e1ada65577","meta":{"cert_name":"web-api","common_name":"api-vault"},"num_uses":0,"orphan":true,"path":"auth/cert/login","policies":["api","default"],"ttl":3600},"warnings":null,"auth":null}

# curl -s -H "X-Vault-Token: $TOKEN" "https://vault.local:8200/v1/transit/keys/api"
{"errors":["permission denied"]}


Also I can't decrypt/encrypt!

Audit log:

{"time":"2015-12-17T16:29:57Z","type":"response","error":"permission denied","auth":{"display_name":"","policies":null,"metadata":null},"request":{"operation":"read","client_token":"","path":"transit/keys/api","data":null,"remote_address":"10.10.20.10"},"response":{"secret":null,"data":{"error":"hmac-sha256:9e83745982736489576234875628346587834938475"},"redirect":""}}

Jeff Mitchell

Dec 17, 2015, 11:43:18 AM
to vault...@googlegroups.com
Hi Aleksei,

At first read through everything seems fine. Can you try two things
out for me -- you said on the vault server it works fine. Can you:

1) Try with your new token on the vault server using the vault CLI?
2) Verify that "vault.local" is pointing to the server you think it's
pointing to?

Thanks,
Jeff

Aleksei Vinchakov

Dec 17, 2015, 9:30:18 PM
to Vault
Hi,
1) The same.
2) Yes of course, lookup-self works fine.

Vault - 0.4

On Thursday, December 17, 2015 at 21:43:18 UTC+5, Jeff Mitchell wrote:

Aleksei Vinchakov

Dec 17, 2015, 11:33:58 PM
to Vault
Also if I delete auth/cert/certs/web-api and add it again but without policies=api:
# TOKEN=$(curl -s -X PUT --cert "/usr/local/private/api-vault.pem" --key "/usr/local/private/api-vault.key" https://vault.local:8200/v1/auth/cert/login|awk -F, '{print $6}'|awk -F: '{print $3}'|sed 's/"//g')

# echo $TOKEN
c15yye45-8e9f-15a0-9e43-429ba9ad2a01

# curl -s -H "X-Vault-Token: $TOKEN" "https://vault.local:8200/v1/auth/token/lookup-self"
{"lease_id":"","renewable":false,"lease_duration":0,"data":{"creation_time":1450412945,"display_name":"cert-cc-web-api","id":"c15yye45-8e9f-15a0-9e43-429ba9ad2a01","meta":{"cert_name":"web-api","common_name":"web-api-vault"},"num_uses":0,"orphan":true,"path":"auth/cert/login","policies":["","default"],"ttl":3600},"warnings":null,"auth":null}

Aleksei Vinchakov

Dec 18, 2015, 12:17:47 AM
to Vault
I checked it again. I can decrypt/encrypt but can't see keys/api. I think it's a restriction for non-root users.

On Friday, December 18, 2015 at 9:33:58 UTC+5, Aleksei Vinchakov wrote:

Jeff Mitchell

Dec 18, 2015, 10:13:10 AM
to vault...@googlegroups.com
Hi Aleksei,

You are correct that the keys/ endpoint is restricted to sudo/root
tokens only, but in your OP you indicated that you were unable to
encrypt/decrypt with your token (generally speaking we are removing
these restrictions in favor of using the normal ACL system, which is
already deny-only; I may change this particular one for 0.5). What did
you change to make that work? Removing the 'api' policy shouldn't have
done that...

Thanks,
Jeff
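Added example, not Vault's own code: a simplified Python model of the 0.4-era ACL check Jeff describes above, deny-by-default evaluation of the thread's `api` policy plus a root-protected `transit/keys/` prefix that a plain `read` grant cannot satisfy. The `ROOT_PROTECTED` prefix list, the `LEVELS` ordering and the `sudo` fix in `FIXED_POLICY` are assumptions about Vault's behaviour of the time, not taken from the thread.

```python
import re

# Policy text from the thread (0.4-era syntax: policy = "read" / "write" / "sudo").
API_POLICY = '''
path "transit/keys/api"    { policy = "read" }
path "transit/encrypt/api" { policy = "write" }
path "transit/decrypt/api" { policy = "write" }
'''
# Assumed fix: the key-info endpoint needs a "sudo" grant, not just "read".
FIXED_POLICY = API_POLICY.replace('policy = "read"', 'policy = "sudo"')

# Assumption: prefixes the server treats as root-protected regardless of plain ACL grants.
ROOT_PROTECTED = ("transit/keys/",)
LEVELS = {"deny": 0, "read": 1, "write": 2, "sudo": 3}

def parse_policy(text):
    """Return {path: level} from 'path "..." { policy = "..." }' stanzas."""
    stanza = re.compile(r'path\s+"([^"]+)"\s*\{\s*policy\s*=\s*"([^"]+)"\s*\}')
    return dict(stanza.findall(text))

def grants(policies, needed, path):
    """Deny by default: an explicit "deny" on a matching path wins, otherwise the
    request passes if any matching rule's level is at least `needed`.
    A policy path ending in '/' matches as a prefix, otherwise it must match exactly."""
    matched = []
    for rules in policies:
        for rule_path, level in rules.items():
            hit = path.startswith(rule_path) if rule_path.endswith("/") else path == rule_path
            if hit:
                matched.append(LEVELS.get(level, 0))
    if not matched or 0 in matched:
        return False
    return max(matched) >= LEVELS[needed]

def authorize(token_policies, operation, path, policies_by_name):
    """Emulate the request check: root tokens pass; a root-protected path needs a
    "sudo" grant; everything else needs a grant of at least `operation`."""
    if "root" in token_policies:
        return "allowed"
    rules = [policies_by_name[n] for n in token_policies if n in policies_by_name]
    if any(path.startswith(p) for p in ROOT_PROTECTED) and not grants(rules, "sudo", path):
        return "permission denied (root protected endpoint)"
    return "allowed" if grants(rules, operation, path) else "permission denied"

# The token from lookup-self carried policies ["api", "default"].
POLICIES = {"api": parse_policy(API_POLICY), "default": {}}
FIXED = {"api": parse_policy(FIXED_POLICY), "default": {}}
```

Calling `authorize(["api", "default"], "read", "transit/keys/api", POLICIES)` reproduces the thread's denial while the encrypt/decrypt writes pass, and the same read against `FIXED` is allowed.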

Aleksei Vinchakov

Dec 20, 2015, 11:44:04 PM
to Vault
I think it was a mistake in my ACL policy syntax.
P.S. There is no info about the root restriction in the docs...

On Friday, December 18, 2015 at 20:13:10 UTC+5, Jeff Mitchell wrote:

Jeff Mitchell

Dec 21, 2015, 12:49:57 PM
to vault...@googlegroups.com
On Sun, Dec 20, 2015 at 11:44 PM, Aleksei Vinchakov
<avinc...@gmail.com> wrote:
> I think it was mistake in my acl policy syntax.
> P.S. there is no info about root restriction in docs...

Hi Aleksei,

In the documentation
(https://vaultproject.io/docs/secrets/transit/index.html) for
'transit/keys' it notes "This is a root protected endpoint." It's easy
to miss, though...

Thanks,
Jeff