unable to access vault kv path using consul-template


Shashank S

Apr 18, 2019, 4:03:50 PM
to Vault

consul-template    | 
consul-template    | * permission denied (retry attempt 11 after "1m0s")
consul-template    | 2019/04/18 19:55:37.400476 [WARN] (view) vault.read(kv/my-secret): vault.read(kv/my-secret): Error making API request.
consul-template    | 
consul-template    | URL: GET http://vault:8200/v1/sys/internal/ui/mounts/kv/my-secret
consul-template    | Code: 403. Errors:
consul-template    | 
consul-template    | * permission denied (retry attempt 12 after "1m0s"

It was working last week. It's not working now.

Please help.

mic...@hashicorp.com

Apr 23, 2019, 5:20:55 AM
to Vault
Hi there,

It would be helpful to see your consul-template template.
Also, any other related information could be helpful here, such as the Vault/Consul-Template versions and the K/V version used.

Cheers,
Michel

Shashank S

Apr 23, 2019, 5:26:37 AM
to Vault
this is my template file - 
{{ with secret "secret/my-secret" }}
 {{ .Data.var }}{{ end }}

Vault version : v1.0.3
Consul-template version : v0.20.0
K/V version : 1.0

Shashank S

Apr 23, 2019, 5:27:53 AM
to Vault


On Tuesday, April 23, 2019 at 2:56:37 PM UTC+5:30, Shashank S wrote:
this is my template file - 
{{ with secret "kv/my-secret" }}

mic...@hashicorp.com

Apr 23, 2019, 5:57:01 AM
to Vault
What permissions does the token you use for consul-template have?

Shashank S

Apr 23, 2019, 5:58:20 AM
to Vault
Root - which is by default, I haven't created any policy.

mic...@hashicorp.com

Apr 23, 2019, 6:07:41 AM
to Vault
Sorry, but I am having trouble reproducing your issue.

Could you please validate the script below against the steps you have taken?

docker run --cap-add=IPC_LOCK -d \
   -e 'VAULT_DEV_ROOT_TOKEN_ID=12345' \
   -e 'VAULT_ADDR=http://localhost:8200' \
   -p 8200:8200 --name=vault vault:1.0.3

sleep 5s

export VAULT_ADDR="http://localhost:8200"
export VAULT_TOKEN="12345"

vault secrets enable -path="kv" kv
vault write kv/my-secret var=mypassword

${PWD}/consul-template -config=${PWD}/config.hcl -template "${PWD}/template.test:${PWD}/template.out"

config.hcl
vault {
    address = "http://127.0.0.1:8200"
    token = "12345"
    renew_token = false
}

template.test

Shashank S

Apr 23, 2019, 6:17:40 AM
to Vault
Okay, let me check with your example.

I have another question:
Suppose I want to store in the secret path:
vault kv put secret/my-secret var=mypassword

Do I need to create a policy?
If yes, how do I write and store the policy so that it can access the path?

mic...@hashicorp.com

Apr 23, 2019, 6:41:57 AM
to Vault
Policies are required when you want to access a certain path with a token that does not have the root policy.
I recommend having a look at the policy documentation: https://www.vaultproject.io/docs/concepts/policies.html
It describes really well when you need a policy and how to write one (basically your example from above).

Let me know if you have any further questions. 
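Added example, not part of the thread and not HashiCorp's own code: one way to give consul-template a non-root token that can only read the secret asked about above. The function names and the policy name passed in are assumptions; the KV v2 branch goes beyond the thread's KV v1 case, because v2 mounts keep secret data under <mount>/data/<name> and a v1-style path in the policy would not match.

```shell
#!/bin/sh
# Added example: least-privilege policy and token for consul-template.
# render_policy and issue_template_token are hypothetical helper names.

# Print a read-only policy for a single secret.
#   $1 = mount path (e.g. secret or kv), $2 = secret name, $3 = KV version (1 or 2)
render_policy() {
  rp_mount="$1"; rp_name="$2"; rp_version="$3"
  case "$rp_version" in
    1) rp_path="${rp_mount}/${rp_name}" ;;        # KV v1: <mount>/<name>
    2) rp_path="${rp_mount}/data/${rp_name}" ;;   # KV v2: <mount>/data/<name>
    *) echo "unsupported KV version: ${rp_version}" >&2; return 1 ;;
  esac
  cat <<EOF
path "${rp_path}" {
  capabilities = ["read"]
}
EOF
}

# Store the policy in Vault and print a new token that carries it.
# Needs VAULT_ADDR and a VAULT_TOKEN that may write policies and create tokens.
#   $1 = policy name, $2 = mount, $3 = secret name, $4 = KV version
issue_template_token() {
  render_policy "$2" "$3" "$4" | vault policy write "$1" - || return 1
  vault token create -policy="$1" -field=token
}

# Usage (assumed policy name "consul-template-read"):
#   issue_template_token consul-template-read secret my-secret 1
# Put the printed token in the vault { token = "..." } stanza of config.hcl
# in place of the root token.
```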