Provisioner can't access secret-id of another role despite policy capabilities.


Jessica M

Aug 21, 2019, 11:06:24 AM
to Vault
Hello. I am trying to mimic the use of a provisioner to get the secret-id of another role in a local test setup. (Later I will use response wrapping to pass it along to my service nodes.)
However, I cannot access anything under auth/* despite the policy I created. Below are my policy file and the steps I performed. I will include the tokens I used as shell variables so you can see exactly which role I'm using to run the commands.

Create myprovisioner.hcl file with the following:
path "auth/*"
{
  capabilities = ["list","update","read","create"]
}
path "auth/data/approle/role/service4/*"
{
  capabilities = ["read","list","create","update","delete"]
}


Update the provisioner policy:
VAULT_TOKEN=$root_token vault policy write provisoner myprovisioner.hcl

Create the ansible role and tie it to the provisioner policy.
VAULT_TOKEN=$root_token vault write auth/approle/role/ansible secret_id_num_uses=2 secret_id_ttl=5m token_num_uses=20  token_ttl=200m  token_max_ttl=300m bind_secret_id=true policies=provisioner

Get the role-id and secret-id for the ansible role to log in with.
VAULT_TOKEN=$root_token vault read auth/approle/role/ansible/role-id
VAULT_TOKEN=$root_token vault write -f auth/approle/role/ansible/secret-id

Login with those credentials.
vault write auth/approle/login role_id="eca1c1ab-bedf-b9b6-c6ef-f7a2db92f81b" secret_id="b4e0abe1-94dd-f698-7d32-85cd8a5e71b2"

Store the resulting ansible token in a shell variable.
ansible_token=s.XUNMc4W3tFU6yRbDTSdlEf9j

Use shell variable in write command to create a new secret-id for a different, but existing role called service4.
VAULT_TOKEN=$ansible_token vault write -f auth/approle/role/service4/secret-id

Error writing data to auth/approle/role/service4/secret-id: Error making API request.

URL: PUT https://vaultserver:8200/v1/auth/approle/role/service4/secret-id
Code: 403. Errors:

* 1 error occurred:
        * permission denied



Similarly, I have permission errors just making a read or list to anything under auth/*. Here is the root_token listing the roles, and then the ansible_token attempting the same.
VAULT_TOKEN=$root_token vault list auth/approle/role
Keys
----
ansible
service4


Above you can see these roles exist and I've used the service4 role just fine.
Here's the ansible token attempting the same:
VAULT_TOKEN=$ansible_token vault list auth/approle/role
Error listing auth/approle/role/: Error making API request.

URL: GET https://vaultserver:8200/v1/auth/approle/role?list=true
Code: 403. Errors:

* 1 error occurred:
        * permission denied


My vault version:
$ vault version
Vault v1.2.0

Jessica M

Aug 21, 2019, 11:20:46 AM
to Vault
Oh, and here's how the service4 role was created.

    VAULT_TOKEN=$root_token vault write auth/approle/role/service4 \
    secret_id_num_uses=5 secret_id_ttl=10m \
    token_num_uses=10  token_ttl=20m  token_max_ttl=30m \
    bind_secret_id=true policies=service4

As you can see, there is nothing specified that would restrict the ansible role from updating/creating anything at the auth/approle/role/service4/* path.

Jessica M

Aug 21, 2019, 11:24:51 AM
to Vault
I did find another forum post with the same issue. I am not failing to update my policy correctly as far as I know. I run through the above steps each time I make changes, thus using a newly generated ansible_token.
He did not otherwise specify what he was doing wrong, so I'm stumped.


Jessica M

Aug 21, 2019, 3:09:20 PM
to Vault
Resolved: when I ran the policy write command, there was a typo in "provisioner".

VAULT_TOKEN=$root_token vault policy write provisoner myprovisioner.hcl
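The full procedure from the first post, rewritten as one script with the two checks that would have surfaced the misspelled policy name before the 403 (this is an added example, not code from the thread or from HashiCorp). Vault accepts a policy name on an AppRole even when no policy of that name exists, so the role's token is issued with a policy that grants nothing; the script therefore compares the names the role was given against `vault policy list` before logging in, and then asks the role's own token, via `vault token capabilities`, whether it really holds `update` on the target path. It assumes VAULT_ADDR is set, VAULT_TOKEN holds a root or admin token, the AppRole method is enabled at auth/approle, and myprovisioner.hcl is in the working directory; the function names are mine. One side note on the posted policy: the second path, auth/data/approle/..., never matches anything because AppRole paths have no data/ segment (that convention belongs to KV v2), but it is harmless here since the first rule, auth/*, already covers the whole mount.

```shell
#!/bin/sh
# Added example for the thread above; not part of the original post.
# Assumes: VAULT_ADDR and VAULT_TOKEN (root/admin) are set, AppRole is
# enabled at auth/approle, and myprovisioner.hcl is in the working dir.
# Names (provisioner, ansible, service4) are the ones used in the thread.

# Return 0 if every comma-separated name in $2 appears as a whole line in
# $1 (the output of `vault policy list`); print each missing name and
# return 1 otherwise. A misspelled name is accepted silently when the role
# is written, so this is the place to catch it.
missing_policies() {
  _list=$1; _wanted=$2; _rc=0
  _old_ifs=$IFS; IFS=','
  for _p in $_wanted; do
    if ! printf '%s\n' "$_list" | grep -qx -- "$_p"; then
      printf 'missing policy: %s\n' "$_p"
      _rc=1
    fi
  done
  IFS=$_old_ifs
  return $_rc
}

# Return 0 if capability $2 is present in $1, the comma-separated output of
# `vault token capabilities <path>` (e.g. "create, read, update" or "deny").
has_capability() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | grep -qx -- "$2"
}

# Write the policy and role, verify the wiring, log in as the role, and
# mint a response-wrapped secret-id for the target role.
provision() {
  policy_name=provisioner
  role_name=ansible
  target=service4

  vault policy write "$policy_name" myprovisioner.hcl || return 1
  vault write "auth/approle/role/$role_name" \
    secret_id_num_uses=2 secret_id_ttl=5m token_num_uses=20 \
    token_ttl=200m token_max_ttl=300m bind_secret_id=true \
    policies="$policy_name" || return 1

  # Preflight 1: the policy the role references must exist by that exact name.
  missing_policies "$(vault policy list)" "$policy_name" || return 1

  role_id=$(vault read -field=role_id "auth/approle/role/$role_name/role-id") || return 1
  secret_id=$(vault write -field=secret_id -f \
    "auth/approle/role/$role_name/secret-id") || return 1
  role_token=$(vault write -field=token auth/approle/login \
    role_id="$role_id" secret_id="$secret_id") || return 1

  # Preflight 2: ask the role's own token what it may do on the target path.
  caps=$(VAULT_TOKEN=$role_token vault token capabilities \
    "auth/approle/role/$target/secret-id")
  if ! has_capability "$caps" update; then
    printf 'role token lacks update on target (got: %s)\n' "$caps"
    return 1
  fi

  # The provisioner step itself, wrapped so only the wrapping token is
  # handed to the service node (the secret-id is never printed here).
  VAULT_TOKEN=$role_token vault write -wrap-ttl=60s -f \
    "auth/approle/role/$target/secret-id"
}

# Run the procedure only when invoked as `sh provision.sh run`.
if [ "${1:-}" = run ]; then
  provision
fi
```

Note that `vault token lookup` run with the role token shows the policy names actually attached; with the original typo it would list `provisoner`, a name absent from `vault policy list`, which is exactly what `missing_policies` flags.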

Becca Petrin

Aug 21, 2019, 5:22:52 PM
to Vault
Thanks for posting the solution! Glad it worked out. I was going to circle back to this today but you saved me the time.

-Becca