Postgresql Secret Backend: Where am I going wrong


james nuzzo

Mar 19, 2017, 11:29:07 AM
to Vault
Hello

New to VAULT and working through it, but I'm stumped when it comes to using the PostgreSQL secret backend.

Config.
VM1 with Vault (Puppet installed but don't think that's relevant) Vault v0.6.5.  NO SSL. (Consul backend running on VM3)
VM2 with Docker running:
docker.io/postgres (Postgres 9.2) as latest
docker.io/mysql (latest). More on this later.


I can successfully mount the PostgreSQL backend
[root@vault ~]# vault mount postgresql
Successfully mounted 'postgresql' at 'postgresql'!
I can successfully establish the connection between VAULT and Postgres
[root@vault ~]# vault write postgresql/config/connection verify_connection=false connection_url="postgresql://postgres:go...@172.16.251.157:5432/postgres"


The following warnings were returned from the Vault server:
* Read access to this endpoint should be controlled via ACLs as it will return the connection string or URL as it is, including passwords, if any.
 
NOTE: the use of "verify_connection=false" else I get a 400 Error indicating:
* Error validating connection info: pq: SSL is not enabled on the server
Also I'm a bit surprised the "verify_connection" comes after postgresql/config/connection ... I would have thought from previous reading it would come after "write".

I can successfully define a Vault Lease
[root@vault ~]# vault write postgresql/config/lease lease=10h lease_max=24h
Success! Data written to: postgresql/config/lease

When I attempt to configure the role and define the SQL that will be executed on role creation I get:

[root@vault ~]# vault write verify_connection=false postgresql/roles/readonly sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"

Error loading data: Invalid key/value pair 'postgresql/roles/readonly': format must be key=value

If I attempt it with "verify_connection" after the path, it's as if it's not seen on the command line
[root@vault ~]# vault write postgresql/roles/readonly  verify_connection=false sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
Error writing data to postgresql/roles/readonly: Error making API request.

URL: PUT http://172.16.251.152:8200/v1/postgresql/roles/readonly
Code: 400. Errors:

* Error testing query: pq: SSL is not enabled on the server
 
That is, it's just as if I did not specify the "verify_connection" option.
[root@vault ~]# vault write postgresql/roles/readonly sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
Error writing data to postgresql/roles/readonly: Error making API request.

URL: PUT http://172.16.251.152:8200/v1/postgresql/roles/readonly
Code: 400. Errors:

* Error testing query: pq: SSL is not enabled on the server

Now what is really confusing me is that if I follow essentially the same steps with the mysql backend it works as advertised.  I really need to resolve this one and understand it, since we are a big Postgres shop and I want to understand before I move forward and propose using VAULT.

Perhaps just enabling SSL will "resolve" the issue, but I don't understand why it's not working now.
 
THANKS in advance for any thoughts.
 
 

Jeff Mitchell

Mar 19, 2017, 5:23:28 PM
to Vault
Hi James,

You need to either disable SSL in your connection string or enable it on the server. See https://github.com/hashicorp/vault/issues/1857#issuecomment-251832717 for an example of using sslmode to turn off SSL in the postgres client. More documentation on available connection options, including sslmode, is at https://www.postgresql.org/docs/9.5/static/libpq-connect.html

Best,
Jeff
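The fix Jeff describes is a client-side setting in the libpq connection URL that Vault stores under postgresql/config/connection, and the "format must be key=value" error earlier in the thread comes from the CLI parsing everything after the path as key=value pairs. The following added example (not Vault's or libpq's own code) shows both: it sets or reads sslmode on a connection URL, redacts the password for logging, lists the risks a reviewer would flag for a given sslmode, and builds the argv for vault write in the order the CLI expects. The host, password and helper names (set_sslmode, connection_risks, vault_write_argv) are constructed for the example.

```python
"""Helpers around the libpq connection URL used by Vault's postgresql backend.

Added example, not Vault's or libpq's code. The sample URL, its password and
the helper names are constructed placeholders.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# sslmode values accepted by libpq (see the libpq-connect documentation).
LIBPQ_SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
# libpq's default when the URL carries no sslmode parameter.
DEFAULT_SSLMODE = "prefer"


def _split_pg_url(url):
    """Split a libpq URL, rejecting anything that is not postgresql:// or postgres://."""
    parts = urlsplit(url)
    if parts.scheme not in ("postgresql", "postgres"):
        raise ValueError("not a libpq URL: %r" % url)
    return parts


def sslmode_of(url):
    """Return the effective sslmode for the URL (libpq's default if it is unset)."""
    query = dict(parse_qsl(_split_pg_url(url).query, keep_blank_values=True))
    return query.get("sslmode", DEFAULT_SSLMODE)


def set_sslmode(url, mode):
    """Return the URL with sslmode=<mode> in its query string, replacing any existing value."""
    if mode not in LIBPQ_SSLMODES:
        raise ValueError("unknown sslmode %r" % mode)
    parts = _split_pg_url(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["sslmode"] = mode
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact(url):
    """Mask the password so the URL can be logged; Vault itself returns it unredacted on read."""
    parts = _split_pg_url(url)
    if parts.password is None:
        return url
    netloc = parts.netloc.replace(":" + parts.password + "@", ":***@", 1)
    return urlunsplit(parts._replace(netloc=netloc))


def connection_risks(url):
    """Findings a reviewer would raise about this connection string, as plain strings."""
    findings = []
    mode = sslmode_of(url)
    if mode in ("disable", "allow", "prefer"):
        findings.append("sslmode=%s: libpq can end up on a cleartext session, so the database "
                        "password and every dynamic credential Vault issues may cross the "
                        "network unencrypted" % mode)
    elif mode == "require":
        findings.append("sslmode=require encrypts but does not by itself verify the server's "
                        "identity; prefer verify-ca or verify-full")
    if _split_pg_url(url).password is not None:
        findings.append("password embedded in the URL: a read of postgresql/config/connection "
                        "returns it as-is, so restrict that path with an ACL policy")
    return findings


def vault_write_argv(path, **params):
    """Build argv for `vault write <path> key=value ...`.

    The CLI treats every argument after the path as a key=value pair, which is
    why putting verify_connection=false before the path fails with
    "format must be key=value". Each value is one argv element, so multi-line
    SQL needs no extra quoting here.
    """
    return ["vault", "write", path] + ["%s=%s" % (k, v) for k, v in sorted(params.items())]


# Constructed sample mirroring the thread's setup, with a placeholder password.
SAMPLE_URL = "postgresql://postgres:EXAMPLE_PASSWORD@172.16.251.157:5432/postgres"

if __name__ == "__main__":
    fixed = set_sslmode(SAMPLE_URL, "disable")  # what the thread's server (no SSL) forces
    print(redact(fixed))
    for finding in connection_risks(fixed):
        print(" -", finding)
    print(" ".join(vault_write_argv("postgresql/config/connection", connection_url=fixed)))
```

Running it prints the redacted URL with sslmode=disable appended, the two findings for that URL (cleartext session, password readable from the config endpoint), and the vault write command with its key=value pair after the path. Disabling SSL makes the server in the thread reachable, but connection_risks makes clear that the longer-term fix is enabling SSL on the server and using verify-full.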


james nuzzo

Mar 20, 2017, 7:05:12 PM
to Vault
Jeff

Thanks for the info and refs ... It makes sense now and I've got it working as documented.  Much appreciated!