Slaus Blinnikov
@SlausB
Hello, everyone! Is it possible to sign up a new user with the username or GitHub method through the UI at http://localhost:8200/? Or should users only be created with the API?
watchdict
@laukaichung
Would anyone please provide working instructions on how to create a self-signed cert for Vault TLS communication? I have followed this tutorial but got an "Untrust authority" issue. I only have Vault listening on a private network. I'm trying to create a cert with localhost as a subject alternative name.
jlj_
@jlj:matrix.org
@laukaichung: Yeah, that should work, as a SAN. Search for certificates on learn.hashicorp.com. There's a good tutorial there.
James Warren
@jwarren116
Hey folks, I have a fun issue. I'm temporarily supporting an old Vault 0.7.3 deployment. It's running and unsealed, and I have a valid root token. But it seems that I don't have the keys to unseal Vault, and I need to restart the instance (to update certificates). From what I can tell, there's no way to generate new unseal keys from a root token. I also don't see anything about signals that I can send Vault (like HUP) to get it to pick up new certs from the file system. Do I have any options left?
Brian Woodward
@doowb
Hi everyone... Does anyone know what settings I need for the kubernetes vault-agent to update a template file when a secret changes and restart the app container in the pod?
I looked at this learn guide: https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar#apply-a-template-to-the-injected-secrets and used the vault.hashicorp.com/agent-inject-status: "update" label, but I don't see any indication that the file rendered by the template is updated when I update the secret in Vault.
Also, I'm using an external Vault cluster, and all of the other configurations/policies/roles seem to be set up correctly, since I get the secrets when the pod is started.
hanem100k
@hanem100k
Hello. I have installed vault-csi-provider and I'm having a weird "not found" error. Did you guys have anything like this?
There is a list of kv pairs on that path heimdall-dev/config/env, and for some reason the API returns 404. I have a wildcard policy set up on heimdall-dev/*, but I think if that were the problem I'd just get a 403.
ngarafol
@ngarafol
Hi guys, I have a weird situation with 1 out of 3 Vault replicas giving a redirect to VAULT_API_ADDR (the default one, internal address), and I can't get to the bottom of it. Running in k8s, HA with raft, STS with 3 replicas. All was fine until recently, when the redirect appeared. Normal requests like /v1/sys work since they obviously get routed to the active node, but something like /v1/auth/userpass/login/myuser fails with a redirect only on this one single pod...
deepakc5
@deepakc5
Error initializing Dev mode: failed to initialize barrier: failed to persist keyring: mkdir /app/data: permission denied - The issue was fixed after changing permissions on pwd - in this case it was excessive - chmod 777 <dir>
ngarafol
@ngarafol

Hi guys, I have a weird situation with 1 out of 3 Vault replicas giving a redirect to VAULT_API_ADDR (the default one, internal address), and I can't get to the bottom of it. Running in k8s, HA with raft, STS with 3 replicas. All was fine until recently, when the redirect appeared. Normal requests like /v1/sys work since they obviously get routed to the active node, but something like /v1/auth/userpass/login/myuser fails with a redirect only on this one single pod...

In case someone is reading and encountering the same issue: it seems the problematic node had "fallen out of HA and raft". Deleting the data dir and recreating the pod (+ bootstrapping raft) fixed the issue.

gc-ss
@gc-ss

Has anyone tried to integrate https://github.com/tarent/loginsrv/ with Vault?

Before I start looking into IDM with Vault (https://learn.hashicorp.com/tutorials/vault/identity?in=vault/operations in my notes), I was hoping there would be some turnkey solution like loginsrv

Michael Aldridge
@the-maldridge
Isn't that more or less unmaintained at this point?
Also, identities are there to solve fairly specific problems; perhaps you could share more about your use case @gc-ss
gc-ss
@gc-ss

Also, identities are there to solve fairly specific problems; perhaps you could share more about your use case @gc-ss

Sure - a customer presents certain creds (user+pass, or an approved site like GitHub, etc.) to the service and gets a JWT (or similar token) in exchange that can be used downstream.

jghal
@jghal
Hi all. I'm looking at AppRoles and there's one API call that I don't think I'm understanding or using correctly. https://www.vaultproject.io/api-docs/auth/approle#read-approle-secret-id
Is that to read back the secret with the accessor ID (obtained from the API call to list accessor IDs)? or is this to pass the secret ID itself and get back information on it?
jghal
@jghal
ok nvm, there's a separate API to do the same lookup with the accessor, https://www.vaultproject.io/api-docs/auth/approle#read-approle-secret-id-accessor
and neither returns the secret ID value itself
When I created the AppRole itself, I configured bound CIDRs for both secret_id and tokens, but when I read back the secret ID's details I don't see those bound CIDRs.
gc-ss
@gc-ss
Have you looked into the wrapper tokens? I am interested in learning more about them
jghal
@jghal
you mean this? https://www.vaultproject.io/docs/concepts/response-wrapping/ haven't had a chance to read up on that yet
gc-ss
@gc-ss
That's the one
mntzn
@mntzn
Hi, if the agent auto-auths via AppRole and then deletes the secret_id, how will it re-auth once the service/instance is restarted?
Lucas Bracher
@lucasbracher
Hello! Which tools would you counsel in order to help automate deploying Vault on production?
thomas
@thomas:mcth.fr
@lucasbracher:
thomas
@thomas:ggc-project.de
Hi all! Can anyone tell me if it is somehow possible to create a policy which allows creation of new policies but only for specific paths? For example allow a specific user to create new policies (which should be used for approles) to access secrets stored in "path/to/kv/*" but not "path/to/some/other/kv/*"?
GeorgePals
@GeorgePals

Hello!

I'm using the available Helm chart to easily start a Vault pod. My issue is that I need to load a custom plugin, but I can't find any way to enable it.
I've set the plugin_directory, but when I try to install the plugin:

* fork/exec /vault/plugins/plugin_name: no such file or directory

The plugin is already under /vault/plugins/

Executing ldd /vault/plugins/plugin_name, I get:

Error loading shared library libpbc.so.1: No such file or directory (needed by vault/plugins/plugin_name)
Error loading shared library libgmp.so.10: No such file or directory (needed by vault/plugins/plugin_name)
        libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7eff0c4ba000)
        libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7eff0c4ba000)
Error relocating vault/plugins/plugin_name: pbc_param_init_a1_gen: symbol not found
Error relocating vault/plugins/plugin_name: pbc_param_init_e_gen: symbol not found
Error relocating vault/plugins/plugin_name: pbc_cm_search_d: symbol not found
...

So, maybe that's the reason for the error. Any ideas? How can I install the needed libraries inside the pod?

*Edit: If I try to move the libraries inside the pod, I get tar: can't create symlink 'libpbc.so' to 'libpbc.so.1.0.0': Permission denied
Thank you!

Chinmay Pai
@Thunderbottom

Hey all! I set up a Vault cluster whose management would mainly be automated through CI by Terraform to provision policies and tokens to applications/users, although I'm really not sure if I understand this or am doing it correctly. So the initial plan was to use the Terraform Vault provider to set up userpass for Vault, but then I realised that would require me to get passwords from the people I am generating access for, and maintain them in the tf and state files somehow, which I strongly think is a security nightmare and hence was a no-go for me. So the next plan was to generate vault_token on a per-user basis using the provider, without outputting the token values anywhere, which I thought I could do later like I can with Nomad tokens that are managed by Terraform. Now this works because I could get the initial token value and pass it on to users, and have them renew the token again to invalidate the one I know. But as it seems, there's no real way for me to get the client token using the accessor key? So is there really a way I could get CI to manage token generation, and then distribute tokens to users, of course without using terraform output, because I wouldn't want the tokens in a text file or the CI pipeline.

If any of what I said sounds confusing, please do let me know. I'll be more than happy to elaborate! Thanks in advance :D

TL;DR: basically, if I am to use the Vault Terraform provider's vault_token block without having an output block for the client_token, there seems to be no real way for me to get the client token using the token's accessor ID. Or is there some other way that I could do this, which I might be unaware of?
Kevin Wojkovich
@kwojo_twitter

Would anyone know what the path would be for locking down a PKI role to a particular token?

path "pki/roleA" {
  capabilities = ["create"]
}

Should it be pki/issue/roleA?

Lucas Bracher
@lucasbracher
Hello! I'm trying to use username authentication with hvac.Client.auth_userpass(username=, password=), but I'm receiving the message hvac.exceptions.InvalidRequest: missing client token, on post http://10.6.1.136:8200/v1/auth/aaa/login/aaa. It's strange, because I'm able to log in using just user and pass on the UI.
What am I missing?
Suraj Kumar Thakur
@surajthakur

Hi Community,
I have a query regarding the TLS setup in a Vault cluster. We have decided to use integrated raft storage as the backend.
I have a wildcard certificate *.abc.com and I plan to use that for the TLS cert in the listener section for tls_cert_file. I get my first node up, but when I start the second node I get TLS errors: "cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs",
which I understand means that my wildcard certificate does not identify the IP of the Vault nodes.
So I got it working by making my hostnames as below and resolving them internally in /etc/hosts on all three nodes.

192.168.1.20 debian1-vault.abc.com
192.168.1.21 debian2-vault.abc.com
192.168.1.22 debian3-vault.abc.com

We do not have any internal DNS server to resolve locally, as we never had the requirement.
Is this a good approach? What would be the right way to get this working?

This is vault.conf

storage "raft" {
  path = "/opt/raft"
  node_id = "raft_node_2"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  cluster_address  = "192.168.1.21:8201"
  tls_cert_file = "/etc/vault.d/certs/vault_cert.crt"
  tls_key_file = "/etc/vault.d/certs/vault_cert.key"
}

ui = true
disable_mlock = false
api_addr = "https://vault.abc.com:8200"
cluster_addr = "https://192.168.1.21:8201"
Matt Darcy
@ikonia
Has anyone got any current docs on Vault deployment patterns for DC/static infrastructure?
higuita
@higuita:matrix.org
We have 3 Consul with 3 Vault on the same hosts, for redundancy.
Nothing special needed.
Matt Darcy
@ikonia
What about if you don't use Consul for the backend?
I appreciate the standard N-node-for-resilience model,
but there must be different patterns for different distributions and different backends
(well, I assume, not "there must").
jfcantu
@jfcantu

hey all, does anyone have any experience with configuring Vault as an intermediate CA subordinate to a Windows root CA?

I'm trying to sign the Vault CSR using the "Subordinate Certification Authority" template in Windows AD Cert Services, and it's throwing up some weird Windows error - I suspect I need to be using a different (or custom) template

jfcantu
@jfcantu
scratch that - turned out to be an issue with the AD certificate service itself, nothing to do with Vault
racingferret
@racingferret
Hi everyone, I'm using the Vault-k8s agent for getting secrets into our pods. For the odd secret, the vault.hashicorp.com/agent-inject-secret and vault.hashicorp.com/agent-inject-template syntax works fine. However, I have a more complex case where I'd like to use templating in a configmap. Unfortunately, when it's rendered, it still contains things like {{ .Data.data.username }}. Does anyone know if this is possible or should I be using a different approach?
FYI, the typical template looks like this:
{{- with secret "secrets/test/myapp" -}}
user={{ .Data.data.username }}
pass={{ .Data.data.password }}
{{- end }}
higuita
@higuita:matrix.org
How are you using a template tool for the configmap? If you are just sending the template to the configmap, k8s itself will not do anything special with it; you need to either preprocess the template and send the result to the k8s configmap, or pick up the configmap template and, inside the pod, run the templating tool to get the secrets.
Riain Condon
@Stetchy
Hey - I am using vault via the spring cloud vault plugin with EC2 auth - I'm getting an error "missing client token" - am I missing a step in setting it up? I thought EC2 auth didn't need the secure introduction step