permission denied when getting/setting secrets using token generated by app-id


Stephen Cresswell

Jun 24, 2016, 3:40:38 PM
to Vault
Hi,

I'm a vault newbie and having problems getting/setting secrets using a token generated by an app-id login. I originally reported the issue via github (https://github.com/hashicorp/vault/issues/1556), but it was suggested that this forum was a more appropriate place. I set up my environment as follows...

# Start a vault server in development mode
docker run -d -p 8200:8200 --hostname vault --name vault sjourdan/vault
docker logs vault

# Make note of the Unseal Key and Root Token, then set env variables
export VAULT_ADDR=http://vault:8200
export VAULT_TOKEN=<INSERT_TOKEN_HERE>

# Create an alias to execute vault commands from a container
alias vaultcmd="docker run --volume $(pwd)/tests/vault:/tmp --link vault --rm -e VAULT_ADDR -e VAULT_TOKEN sjourdan/vault"

# Unseal the vault so you can read / write secrets
vaultcmd unseal <INSERT_UNSEAL_KEY>

# Upload a policy (listed below)
vaultcmd policy-write demo-live /tmp/policies/live/demo.json

# Configure an app-id login, associated with the policy
vaultcmd auth-enable app-id
vaultcmd write auth/app-id/map/app-id/svc-demo-api value=demo-live display_name=svc-demo-api
vaultcmd write auth/app-id/map/user-id/demo-live value=svc-demo-api
vaultcmd policy-write demo-live /tmp/policies/live/demo.json

# The policy details are
{
  "path": {
    "sys/*": {
      "capabilities": ["deny"]
    },
    "secret/live/demo/*": {
      "capabilities": ["create", "update", "list", "read", "delete"]
    }
  }
}

However when I attempt to read, write or delete "secret/live/demo" I get 403 permission denied.

$ curl -A 'Accept: application/json' -X POST -v http://localhost:8200/v1/auth/app-id/login -d '{"app_id": "svc-demo-api", "user_id": "demo-live" }'
* Trying ::1...
* connect to ::1 port 8200 failed: Connection refused
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8200 (#0)
> POST /v1/auth/app-id/login HTTP/1.1
> Host: localhost:8200
> User-Agent: Accept: application/json
> Accept: */*
> Content-Length: 51
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 51 out of 51 bytes
< HTTP/1.1 200 OK
< Content-Type: application/json
< Date: Fri, 24 Jun 2016 19:31:15 GMT
< Content-Length: 399
<
{"lease_id":"","renewable":false,"lease_duration":0,"data":null,"warnings":null,"auth":{"client_token":"294875cf-17a6-30e2-f09b-214823c94ed8","accessor":"7fabeff5-784f-aa26-aeb7-7b1825cf9334","policies":["default","demo-live"],"metadata":{"app-id":"sha1:78e836692ee4939b3d5e9d2fd37edb1f13cdd6f1","user-id":"sha1:fb9afb91b25f0780238f3adefafa9291fb799b1d"},"lease_duration":2592000,"renewable":true}}
* Connection #0 to host localhost left intact

$ curl -v -H 'Accept: application/json' -X GET http://localhost:8200/v1/secret/live/jobs -H 'X-Vault-Token: 294875cf-17a6-30e2-f09b-214823c94ed8'
* Trying ::1...
* connect to ::1 port 8200 failed: Connection refused
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8200 (#0)
> GET /v1/secret/live/jobs HTTP/1.1
> Host: localhost:8200
> User-Agent: curl/7.43.0
> Accept: application/json
> X-Vault-Token: 294875cf-17a6-30e2-f09b-214823c94ed8
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< Date: Fri, 24 Jun 2016 19:31:36 GMT
< Content-Length: 33
<
{"errors":["permission denied"]}
* Connection #0 to host localhost left intact


I'd really appreciate any help on this one. Thanks.

Jeff Mitchell

Jun 24, 2016, 3:43:47 PM
to vault...@googlegroups.com
Hi Stephen,

The policy that you are using has no entry for secret/live/jobs, and
Vault is deny by default.

Best,
Jeff
> --
> This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/bf6cd3a7-edab-47cd-93c2-eda9f4b2a5bd%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Stephen Cresswell

Jun 24, 2016, 3:51:04 PM
to Vault
Thanks. Have changed to

{
  "name": "demo-live",
  "path": {
    "sys/*": {
      "capabilities": ["deny"]
    },
    "secret/live/demo": {
      "capabilities": ["create", "update", "list", "read", "delete"]
    },
    "secret/live/demo/*": {
      "capabilities": ["create", "update", "list", "read", "delete"]
    }
  }
}

Now works fine
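The reason Jeff gives (no entry for the requested path, and Vault denies by default) and the fix Stephen landed on (listing both `secret/live/demo` and `secret/live/demo/*`) come down to how Vault matches policy paths. The following Python model is an added example, not Vault's own code and not something posted in this thread. It reproduces only the 2016-era matching rules as an assumption to check against your version: a policy path matches exactly, or as a prefix when it ends in `*`; an exact match beats a glob; among globs the longest prefix wins; the `deny` capability overrides everything; a path no rule matches is denied. It also simplifies every PUT/POST to the `update` capability (ignoring Vault's create-vs-update distinction) and leaves out the `default` policy. The two policy dictionaries are copied from Stephen's messages above.

```python
"""Toy model of Vault ACL path matching (added example, not Vault source)."""
from typing import Dict, List, Optional, Set, Tuple

# A policy as in the thread: {path: [capabilities]}
Policy = Dict[str, List[str]]

# Stephen's original policy, copied from the first message.
ORIGINAL: Policy = {
    "sys/*": ["deny"],
    "secret/live/demo/*": ["create", "update", "list", "read", "delete"],
}

# The policy after Jeff's reply: the bare "secret/live/demo" path is added,
# because the glob "secret/live/demo/*" only covers paths *below* it.
FIXED: Policy = {
    "sys/*": ["deny"],
    "secret/live/demo": ["create", "update", "list", "read", "delete"],
    "secret/live/demo/*": ["create", "update", "list", "read", "delete"],
}

# HTTP verb -> capability checked (simplification: PUT/POST always "update").
VERB_TO_CAPABILITY = {
    "GET": "read", "LIST": "list", "PUT": "update", "POST": "update", "DELETE": "delete",
}


def rule_matches(rule_path: str, request_path: str) -> Tuple[bool, bool, int]:
    """Return (matches, is_exact, prefix_len) for one policy path.

    A trailing '*' is a prefix glob; anything else must match exactly.
    Note that the prefix for "secret/live/demo/*" is "secret/live/demo/",
    which is not a prefix of "secret/live/demo" itself.
    """
    if rule_path.endswith("*"):
        prefix = rule_path[:-1]
        return request_path.startswith(prefix), False, len(prefix)
    return rule_path == request_path, True, len(rule_path)


def effective_capabilities(policies: List[Policy], request_path: str) -> Set[str]:
    """Capabilities of the most specific matching rule across all policies.

    Exact matches beat globs, longer globs beat shorter ones, and when two
    policies carry the *same* winning path their capabilities are unioned.
    An empty set means no rule matched: deny by default.
    """
    best_key: Optional[Tuple[bool, int]] = None
    caps: Set[str] = set()
    for policy in policies:
        for rule_path, rule_caps in policy.items():
            matches, is_exact, length = rule_matches(rule_path, request_path)
            if not matches:
                continue
            key = (is_exact, length)  # True > False, so exact wins first
            if best_key is None or key > best_key:
                best_key, caps = key, set(rule_caps)
            elif key == best_key:
                caps |= set(rule_caps)
    return caps


def is_allowed(policies: List[Policy], verb: str, request_path: str) -> bool:
    """Decide a request: 'deny' wins over any grant; otherwise the verb's
    capability must be present in the winning rule."""
    caps = effective_capabilities(policies, request_path)
    if "deny" in caps:
        return False
    return VERB_TO_CAPABILITY[verb] in caps


if __name__ == "__main__":
    # Replays the two requests from the thread plus a path below the glob.
    for label, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        for path in ("secret/live/jobs", "secret/live/demo", "secret/live/demo/db"):
            verdict = "allowed" if is_allowed([policy], "GET", path) else "permission denied"
            print(f"{label:8} GET {path:22} -> {verdict}")
```

Running it shows that `secret/live/jobs` is denied under both policies (no rule covers it at all), `secret/live/demo` is denied under the original and allowed under the fixed one, and `sys/...` stays denied whatever else is granted.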


Govindaraj Venkatesan

Aug 12, 2016, 2:19:23 PM
to Vault
Hi All,

I have the below policy

```
vault]# more vault.elements.policy.hcl
path "secret/elements/*" {
  policy = "write"
}

path "secret/foo" {
  policy = "read"
}

path "auth/token/lookup-self" {
  policy = "read"
}
```

I created the below App ID and user-id

#vault write auth/app-id/map/app-id/elements value=vault.elements.policy.hcl display_name=elements_dev

#vault write auth/app-id/map/user-id/elements_dev value=elements

#curl -X POST -d '{"app_id":"elements", "user_id":"elements_dev"}' "http://xx.xxx.xxx.xxx:8200/v1/auth/app-id/login"
{"lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"xxxx5","accessor":"fd212baf-6bfe-924b-0c1e-b0484fd4b8a0","policies":["default","vault.elements.policy.hcl"],"metadata":{"app-id":"sha1:6851b3982dec35e29a2f2f6d0b028f8311aa1a47","user-id":"sha1:96c8a5a2b65836889060a192fadf9d80d568898d"},"lease_duration":2592000,"renewable":true}}

When I try to read the value, I am getting the error as below

{"errors":["permission denied"]}

Thoughts?

Thanks,
Govind

govindaraj

Aug 12, 2016, 4:16:40 PM
to vault...@googlegroups.com
++ Here is the audit log

{"time":"2016-08-12T19:48:39Z","type":"response","error":"1 error(s) occurred:\n\n* permission denied","auth":{"display_name":"","policies":null,"metadata":null},"request":{"operation":"read","client_token":"hmac-sha256:2a7b51816b3cb329ba4066c64682647dfc1fde7c6d500db3d6c3ed2840d10746","path":"secret/elements/serviceaccounttest","data":null,"remote_address":"xx.xx.xx.x","wrap_ttl":0},"response":{"secret":null,"data":{"error":"hmac-sha256:e68fd36ea54bb03970a43b72783b33665a2e8f158b0a665bf0ee3ebc560e82a2"},"redirect":""}}

Thanks,
Govind

--

Thanks & Regards
Govindaraj Venkatesan

Vishal Nayak

Aug 13, 2016, 12:33:07 PM
to Vault
Hi Govindaraj,

path "secret/elements/*" {
  policy = "write"
}

I'd recommend using `capabilities` which is finer grained than `policy`.
 

#vault write auth/app-id/map/app-id/elements value=vault.elements.policy.hcl display_name=elements_dev

The `value` field takes a registered Vault policy name, not the policy file name.
Use `policy-write` command to register the above policy rules into a named policy in Vault.
Supplying the policy name to `value` should work!

Also, take a look at AppRole backend, which does everything that App-ID did, and makes certain other workflows easier.

Regards,
Vishal
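Vishal's two points, as an added Python example that is neither Vault's code nor anything posted in this thread: a small parser expands the coarse `policy = "write"` form into the capabilities list it stands for and re-emits the rules in the finer-grained `capabilities` form, and a hypothetical pre-flight check (`check_app_id_value`, something you would run yourself, not a check Vault performs) verifies that a `value` passed to `auth/app-id/map/app-id/...` names policies already registered with `policy-write`. The `LEGACY_TO_CAPABILITIES` table is the expansion documented for legacy policies of that era; treat it as an assumption to confirm against your Vault version. Govind's rules are copied from his message; the registry class only stands in for Vault's server-side policy store.

```python
"""Legacy policy expansion and an app-id mapping lint (added example, not Vault code)."""
import re
from typing import Dict, List

Rules = Dict[str, List[str]]

# Assumption: documented expansion of the legacy `policy = "..."` keyword.
LEGACY_TO_CAPABILITIES: Dict[str, List[str]] = {
    "deny": ["deny"],
    "read": ["read", "list"],
    "write": ["create", "read", "update", "delete", "list"],
    "sudo": ["create", "read", "update", "delete", "list", "sudo"],
}

# Constructed copy of the rules Govind posted as vault.elements.policy.hcl.
ELEMENTS_HCL = '''
path "secret/elements/*" {
  policy = "write"
}

path "secret/foo" {
  policy = "read"
}

path "auth/token/lookup-self" {
  policy = "read"
}
'''

# Deliberately minimal HCL matching: one `path "..." { ... }` stanza at a time.
_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}')
_LEGACY = re.compile(r'policy\s*=\s*"([^"]+)"')
_CAPS = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(hcl: str) -> Rules:
    """Return {path: capabilities}, expanding legacy `policy =` stanzas."""
    rules: Rules = {}
    for path, body in _STANZA.findall(hcl):
        caps_m = _CAPS.search(body)
        legacy_m = _LEGACY.search(body)
        if caps_m:
            rules[path] = [c.strip().strip('"') for c in caps_m.group(1).split(",") if c.strip()]
        elif legacy_m:
            rules[path] = list(LEGACY_TO_CAPABILITIES[legacy_m.group(1)])
        else:
            raise ValueError(f"stanza for {path!r} has neither policy nor capabilities")
    return rules


def to_capabilities_hcl(rules: Rules) -> str:
    """Re-emit rules in the finer-grained `capabilities = [...]` form, so the
    coarse keyword can be replaced by exactly the operations that are needed."""
    out = []
    for path, caps in rules.items():
        quoted = ", ".join(f'"{c}"' for c in caps)
        out.append(f'path "{path}" {{\n  capabilities = [{quoted}]\n}}\n')
    return "\n".join(out)


class PolicyRegistry:
    """Stand-in for the server-side store that `vault policy-write` fills.
    Vault itself always has a `default` policy; nothing else exists until
    it is registered under a name."""

    def __init__(self) -> None:
        self.policies: Dict[str, Rules] = {"default": {}}

    def policy_write(self, name: str, hcl: str) -> None:
        # `vault policy-write <name> <file>`: the NAME is what tokens refer to.
        self.policies[name] = parse_policy(hcl)

    def check_app_id_value(self, value: str) -> List[str]:
        """Hypothetical pre-flight lint (not a Vault check). `value` is the
        comma-separated policy list given to auth/app-id/map/app-id/<app>;
        returns every name that is not registered. A token carrying an
        unregistered policy name is granted nothing by it, which shows up
        as 'permission denied' on every request."""
        return [n.strip() for n in value.split(",") if n.strip() not in self.policies]


if __name__ == "__main__":
    reg = PolicyRegistry()
    # The mapping from the thread, made before any policy-write: file name, not policy name.
    print("unregistered:", reg.check_app_id_value("vault.elements.policy.hcl"))
    reg.policy_write("elements", ELEMENTS_HCL)
    print("unregistered:", reg.check_app_id_value("elements"))
    print(to_capabilities_hcl(reg.policies["elements"]))
```

The `write` stanza expands to five capabilities, which is usually more than a service needs; rewriting it with `capabilities` lets you keep, for instance, `read` and `list` only. The lint reports `vault.elements.policy.hcl` as unregistered until the rules are written under a name and that name is what `value=` points at.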
 

govindaraj

Aug 15, 2016, 5:53:22 AM
to vault...@googlegroups.com
Thanks Vishal. 
