LinuxPingu
@Linux-Pingu
thank you
I am still quite new to Vault and was hoping you could assist me please
I have got the bulk of the work done but am having problems trying to use PowerShell to use API commands to retrieve a KV secret using AppRole
The Vault CLI works fine in PowerShell, which I have tested, and I was able to retrieve the KV secret I wanted
but there doesn't seem to be much out there on how this can be done using the API in PowerShell
I would like to post my code here but I'm not sure how it will turn out
I posted my questions on discuss.hashicorp but have not got any replies for a while now
jlj_
@jlj:matrix.org
Ah, sorry to hear that. I've had success with that Discourse site in the past. Have you tried using -output-curl-string on the CLI commands that have worked? That should give you the equivalent API calls.
Oh, AFK for a bit. Back later.
dennis
@dennis:glindhart.dk
Using vault-agent with auto-auth for approle, there is an option called remove_secret_id_file_after_reading. So the first time vault-agent starts up, it authenticates using the secret_id, gets a token that is written to the disk, and deletes the secret_id. But when vault-agent restarts, should it not be able to run/authenticate using the token it generated, without using the secret_id?
nvucinic
@nvucinic
Hello there, I just noticed that my DR replica does not have any auth in front; anyone in that network can go around and promote it, generate a token or try to update it to primary.
Is there any solution for this (or just add additional auth in front of it)?
ljansen97
@ljansen97
Hi, I am trying to reconfigure my vault K8s installation to have its own namespace, however, the injector sidecar keeps saying "missing client token", is there any way to troubleshoot this issue?
प्रशांत सावंत
@Prassawant_twitter
Hi
We have created an STS endpoint in region eu-west-2, and also configured sts_region, sts_endpoint and AWS_REGION in systemd, but are still getting the error "error making upstream request: received error code 403 from STS , Credential should be scoped to a valid region not 'us-eat-1' SignatureDoesNotMatch". Am I missing anything in the setup? Vault version is 1.6.2
Daniel Kimsey
@dekimsey
Does anyone have any examples of an agent's configuration in json format? I feel silly, but I converted my hcl example into json and I'm getting errors like: error parsing 'auto_auth': at most one "auto_auth" block is allowed
Lucas Bracher
@lucasbracher
Hello! I'm trying to set up JWT authentication but I'm not able to get it working. Could you take a look at my pastebin and help me? I'm almost there! Thank you so much for your kindness! https://pastebin.com/01BSJJcp
Lucas Bracher
@lucasbracher
This "role with oidc role_type is not allowed" error message doesn't make any sense to me.
Lucas Bracher
@lucasbracher
Hi there! I'm here again! I'm trying to configure 2 policies: one, called admin, to access secrets/ and another, called abc, to access secrets/abc/. I can only read and write secrets for admin, but not for abc. Could you help me with this? Thanks in advance! https://pastebin.com/GfE95us3
jlj_
@jlj:matrix.org

Hey lucasbracher (Lucas Bracher)! I find working with the k/v secrets engine is not intuitive at all. I think your problem might be that you need more in your abc policy.

This post isn't directly related to your problem, but might get you thinking about avenues to explore: https://discuss.hashicorp.com/t/vault-policy-web-gui/14225/2

mouglou
@mouglou
Hi there! I have a question about the Vault Injector in Kubernetes. Has someone already tried to run a kubectl command in the "agent-inject-command-d" annotation? The idea is to run "kubectl rollout restart deployment application" when 2/3 of the max_ttl is reached. https://discuss.hashicorp.com/t/rollout-restart-with-vault-injector-in-kubernetes-at-2-3-of-max-ttl/21913/2
Lucas Bracher
@lucasbracher
jlj, thanks! I just logged in today, I'll get a look! :)
Lucas Bracher
@lucasbracher
Oh, found it! It just needed to prefix path with /data. Thanks!
Ilham Sulaksono
@ilham9649-gdplabs
Hi. Has anyone tried to use HCP Vault?
David Oceans
@DavidOceans_twitter
Do you know why I can't delete a secret engine?
Error disabling secrets engine at myapp/: context deadline exceeded
I'm using
vault secrets disable myapp/
I see it doesn't have any secrets but I can't remove it
I don't understand why
David Oceans
@DavidOceans_twitter
If I look at the logs of the pod I see
2021-03-18T07:23:07.307Z [ERROR] core: failed to clear view for path being unmounted: error="list failed at path "e4d5cf44-25ec-b858-ed9f-8f96be4b5f9e/versions/bee/": failed to read object: context canceled" path=myapp/
2021-03-18T07:23:07.307Z [ERROR] secrets.system.system_4aa3ed71: unmount failed: path=myapp/ error="list failed at path "e4d5cf44-25ec-b858-ed9f-8f96be4b5f9e/versions/bee/": failed to read object: context canceled"
2021-03-18T07:24:20.494Z [ERROR] core: failed to clear view for path being unmounted: error="list failed at path "e4d5cf44-25ec-b858-ed9f-8f96be4b5f9e/versions/be3/": failed to read object: context canceled" path=myapp/
2021-03-18T07:24:20.494Z [ERROR] secrets.system.system_4aa3ed71: unmount failed: path=myapp/ error="list failed at path "e4d5cf44-25ec-b858-ed9f-8f96be4b5f9e/versions/be3/": failed to read object: context canceled"
Any idea how to delete that secret engine?
David Montoya
@davidmontoyago

hi friends, any maintainers of terraform-provider-vault that can approve this new datasource for vault_gcp_auth_backend_role? hashicorp/terraform-provider-vault#1011

our team is currently unable to manage Vault Identities with GCP auth backends. Any help (even just comments) would be much appreciated!

Giorgos Christos Dimitriou
@giorgosdi

Hello all, I'm looking for a sample configuration for telemetry core metrics, like vault.cache.hit.
How do I define it in the config.hcl (if I need to)?
I haven't done such a thing and I'm not sure how it should look in the Vault UI (again, if I can actually see it in the UI).
Right now I don't have the telemetry stanza in my configuration but if I visit
https://vault.us.preprod.babylontech.co.uk/ui/vault/metrics
I can see 3 metrics:

  • http requests
  • entities
  • tokens

Am I supposed to see something more if I add the telemetry stanza?

Screenshot 2021-03-27 at 18.57.00.png
I added the telemetry stanza in my dev cluster and the only difference I can see in the metrics UI is the above screenshot
Yoan Blanc
@greut
@giorgosdi can you see it in the API endpoint instead? https://www.vaultproject.io/api-docs/system/metrics#read-telemetry-metrics
Yoan Blanc
@greut
also, you'll need 1.6.0+
Giorgos Christos Dimitriou
@giorgosdi

Thanks @greut for your reply. I'm on version 1.7.0, I also enabled the metrics via the CLI
(vault write sys/internal/counters/config enabled=enable) - I'm running on the OSS version -

The problem is that I'm getting the message that a month needs to pass in order for metrics to come in, which is fair, but I'm not really sure that I will be able to see the core metrics there (like the hit or miss requests)

It would really suck if by the end of the month I realize I will not have the metrics I need.

Is there a way to go around this, or any way to be absolutely sure that I will be able to see core metrics in the metrics page?

P.S. I tried the telemetry reading API but didn't get anything back, I guess because there is no data there yet

Giorgos Christos Dimitriou
@giorgosdi
Edit on the above:
The API endpoint works (even on 1.5.4, for JSON) but I am fuzzy on the details of how to find how many of them are hit or miss
Yoan Blanc
@greut
cache.hit.* were added in 1.7 iirc
Lucas Bracher
@lucasbracher
Hello! I know that it's not the best way to deal with the issue, but for a proof of concept I need to init and unseal Vault using a script inside a container. When I do that, I get two problems: the first one is that I can't redirect the vault init output to a file; the second one is that I receive the message "The raw error was: file descriptor 0 is not a terminal" when I try to pass the keys to unseal. How can I circumvent these 2 problems? Thanks in advance!
Yoan Blanc
@greut
catastrophicsoftware
@catastrophicsoftware
I don't understand the datakey concept. I have an RSA4096 key. When I generate a datakey from it, I don't get anything that resembles an RSA4096 key from it. What encryption method am I supposed to use with the datakey to encrypt data locally?
Gorian
@Gorian
Is anyone in here using vault ha with consul and also online?
jlj_
@jlj:matrix.org
Huh. (Thought you meant me being online, lol. My certificates expired, so it's offline at the moment. Took notes around the name service stuff, though... I'd guess node, but let me check.)
John Jarvis
@jlj77
H'm. I didn't make as thorough notes as I'd hoped...