mohsinaijaz
@mohsinaijaz
@sanminaben auth.handler: error authenticating: error="Put "https://vault-tools.com/v1/auth/kubernetes-cluster1/login": x509: certificate signed by unknown authority" backoff=3m43.26s
Yoan Blanc
@greut
Is it possible to /sys/seal a Vault cluster using the Auto-Unseal? https://www.vaultproject.io/api-docs/system/seal
mohsinaijaz
@mohsinaijaz
@greut yes, it's using AWS KMS for auto unseal.
Sylvain Desbureaux
@sylvainOL_gitlab

Hello here,
I've got a weird thing here...
we're using vault for our project (deployment is on kubernetes) and default is to have a (super) simple start for testing
we're using consul for auto unseal.
here's consul configuration:
{"data_dir":"/consul/data","log_level":"INFO","ports":{"http":8500,"https":-1},"server":true}
here's vault configuration:
{"log_level": "trace", "disable_mlock":true,"listener":{"tcp":{"address":"[::]:8200","tls_disable":true}},"storage":{"consul":{"address":"localhost:8500","path":"smsvault"}}}

On most deployments, everything is going fine and vault is auto unsealing
But on one deployment (on kubernetes on baremetal, seems to be the only difference), unsealing process doesn't work:

Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK



==> Vault server configuration:

             Api Address: http://10.42.2.47:8200
                     Cgo: disabled
         Cluster Address: https://10.42.2.47:8201
              Listener 1: tcp (addr: "[::]:8200", cluster address: "[::]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: trace
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: consul (HA available)
                 Version: Vault v1.3.3

==> Vault server started! Log data will stream in below:

2021-07-06T15:33:42.428+0200 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2021-07-06T15:33:42.428+0200 [DEBUG] storage.consul: config path set: path=smsvault
2021-07-06T15:33:42.428+0200 [WARN]  storage.consul: appending trailing forward slash to path
2021-07-06T15:33:42.428+0200 [DEBUG] storage.consul: config disable_registration set: disable_registration=false
2021-07-06T15:33:42.428+0200 [DEBUG] storage.consul: config service set: service=vault
2021-07-06T15:33:42.428+0200 [DEBUG] storage.consul: config service_tags set: service_tags=
2021-07-06T15:33:42.428+0200 [DEBUG] storage.consul: config service_address set: service_address=<nil>
2021-07-06T15:33:42.432+0200 [DEBUG] storage.consul: config address set: address=localhost:8500
2021-07-06T15:33:50.676+0200 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2021-07-06T15:33:50.685+0200 [DEBUG] storage.cache: creating LRU cache: size=0
2021-07-06T15:33:50.687+0200 [DEBUG] cluster listener addresses synthesized: cluster_addresses=[[::]:8201]
2021-07-06T15:34:17.643+0200 [INFO]  core: security barrier not initialized
2021-07-06T15:34:36.828+0200 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2021-07-06T15:34:36.834+0200 [INFO]  core: security barrier not initialized
2021-07-06T15:34:36.856+0200 [INFO]  core: security barrier initialized: stored=1 shares=3 threshold=3
2021-07-06T15:34:36.883+0200 [DEBUG] core: cluster name not found/set, generating new
2021-07-06T15:34:36.883+0200 [DEBUG] core: cluster name set: name=vault-cluster-6a997d74
2021-07-06T15:34:36.883+0200 [DEBUG] core: cluster ID not found, generating new
2021-07-06T15:34:36.883+0200 [DEBUG] core: cluster ID set: id=e129bd35-133f-423f-d1b2-7aacc1f71a91
2021-07-06T15:34:36.883+0200 [DEBUG] core: generating cluster private key
2021-07-06T15:34:37.034+0200 [DEBUG] core: generating local cluster certificate
2021-07-06T15:34:37.123+0200 [INFO]  core: post-unseal setup starting
2021-07-06T15:34:37.123+0200 [DEBUG] core: clearing forwarding clients
2021-07-06T15:34:37.123+0200 [DEBUG] core: done clearing forwarding clients
2021-07-06T15:34:37.155+0200 [INFO]  core: loaded wrapping token key
2021-07-06T15:34:37.155+0200 [INFO]  core: successfully setup plugin catalog: plugin-directory=
2021-07-06T15:34:37.156+0200 [INFO]  core: no mounts; adding default mount table
2021-07-06T15:34:37.227+0200 [INFO]  core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2021-07-06T15:34:37.234+0200 [INFO]  core: successfully mounted backend: type=system path=sys/

continuation:

2021-07-06T15:34:37.235+0200 [INFO]  core: successfully mounted backend: type=identity path=identity/
2021-07-06T15:34:37.379+0200 [INFO]  core: successfully enabled credential backend: type=token path=token/
2021-07-06T15:34:37.379+0200 [INFO]  core: restoring leases
2021-07-06T15:34:37.379+0200 [INFO]  rollback: starting rollback manager
2021-07-06T15:34:37.379+0200 [DEBUG] expiration: collecting leases
2021-07-06T15:34:37.388+0200 [DEBUG] expiration: leases collected: num_existing=0
2021-07-06T15:34:37.395+0200 [DEBUG] identity: loading entities
2021-07-06T15:34:37.422+0200 [INFO]  expiration: lease restore complete
2021-07-06T15:34:37.423+0200 [DEBUG] identity: entities collected: num_existing=0
2021-07-06T15:34:37.424+0200 [INFO]  identity: entities restored
2021-07-06T15:34:37.424+0200 [DEBUG] identity: identity loading groups
2021-07-06T15:34:37.424+0200 [DEBUG] identity: groups collected: num_existing=0
2021-07-06T15:34:37.424+0200 [INFO]  identity: groups restored
2021-07-06T15:34:37.437+0200 [INFO]  core: post-unseal setup complete
2021-07-06T15:34:37.455+0200 [INFO]  core: root token generated
2021-07-06T15:34:37.456+0200 [INFO]  core: pre-seal teardown starting
2021-07-06T15:34:37.456+0200 [DEBUG] expiration: stop triggered
2021-07-06T15:34:37.456+0200 [DEBUG] expiration: finished stopping
2021-07-06T15:34:37.456+0200 [INFO]  rollback: stopping rollback manager
2021-07-06T15:34:37.457+0200 [INFO]  core: pre-seal teardown complete
2021-07-06T15:35:04.360+0200 [DEBUG] core: unseal key supplied
2021-07-06T15:35:04.362+0200 [DEBUG] core: cannot unseal, not enough keys: keys=1 threshold=3 nonce=6c761cbd-233d-8b9b-5d8f-16eddc426f3c
2021-07-06T15:35:13.862+0200 [DEBUG] core: unseal key supplied
2021-07-06T15:35:23.860+0200 [DEBUG] core: unseal key supplied
2021-07-06T15:35:33.862+0200 [DEBUG] core: unseal key supplied
2021-07-06T15:35:43.959+0200 [DEBUG] core: unseal key supplied
2021-07-06T15:35:53.860+0200 [DEBUG] core: unseal key supplied
2021-07-06T15:36:03.959+0200 [DEBUG] core: unseal key supplied

And so on...
Any idea on how to debug?

on other environments (same deployment), "not enough keys" is reported for 2 keys and with three keys it starts,
but not here...
serokles
@serokles
Encountered an issue recently with our Vault/Consul setup whereby the Consul instances ran out of burst credits for their EBS volumes. Mistakes made - tighten up monitoring, retune some volumes etc. But it made me wonder what and when does Vault flush to disk on the Consul servers? I understand when I create policies and add secrets, but what we had was a period of heavy batch processing logging in to Vault a lot (and lots of AWS auth and cred creation). Just trying to get a better handle on what it ends up writing to disk so I can make a more informed decision around sizing the disks etc.
higuita
@higuita:matrix.org
Probably it was Consul updating the cluster and service state on disk; Vault does little IO, AFAIK.
Of course, changing the K/V will also make Consul use disk (assuming Vault is using Consul as storage).
gc-ss
@gc-ss
@serokles What kind of EC2 instances were they? What are the default IOPS they have? What else was also running on those instances in addition to Consul and Vault?
jmls
@jmls

Would like some feedback to make sure my understanding of using AppRoles in a "best practice" scenario is correct

1) No process should know both the roleId and secretId
2) "worker" process should have a policy that allows for the creation of a wrapped single-use secretId for a role name
3) "runner" process knows the roleId and is told of the wrapped secretId by the "worker"
4) runner requests that a secretId be unwrapped in order to get the actual secretId
5) runner logs in using the roleId and secretId

in order to achieve these steps

a) the "worker" process needs to be able to authenticate in order to get a token that has the policy attached. This would require a separate roleId and secretId (possibly hardcoded)
b) the roleId has to be injected into the "runner" somehow - but in order to get the roleId, this "somehow" process must also authenticate to vault in order to read the roleId from the roleName. This would require a separate roleId and secretId (possibly hardcoded)

TLDR: In order for a process to be able to log in to an AppRole, it needs a roleId and secretId, each of which has been generated by separate processes, each of which needs its own AppRole roleId and secretId.

Is this right ?

Thiago Lima
@tavlima
Hey, folks. Any tips on troubleshooting the message [ERROR] auth.handler: error authenticating: error="context deadline exceeded" backoff=... in the vault-agent-init container, while trying to set up Vault Agent injection in k8s? (using an external Vault server)
bbigras
@bbigras:matrix.org
Any way to use vault ssh with ProxyCommand so I can use ssh normally?
sgtang
@sgtang
Hi all, the vault secrets tune documents state "The argument corresponds to the PATH where the secrets engine is enabled, not the TYPE!". Is there a way to increase the default-lease-ttl for the type of secret engine instead? i.e. all PKI mounts have default lease ttl of 60 days, etc.
Evil Mog
@Evil_Mog_twitter
hey folks, quick question, I know cloud auto unseal only works for AWS and Azure; is there an SDK or documentation around that process from a development perspective? I'd like to enable auto unseal with IBM Cloud KMS for Vault so we can eliminate our AWS auto unseal Vault that just unseals our IBM Cloud Vaults while still using the open source.
Shaun Plumb
@shaunplumb

I'm having some issues with my vault server and have tried several things without any luck. I'm having what appears to be an infinite loop of being stuck in trying to revoke leases and was hoping somebody could provide me some type of guidance on how to fix this issue...

This problem has also led my server to seal itself daily and caused issues with the backup server taking over, so unless I unseal 1 of my servers daily, on the 2nd day both are sealed and everything has to be resynced to work fully again. I believe it is all related to the revoking of leases, but I have copied the error below (with some of the path / log obviously modified). There are many different full paths for the leases it is trying to revoke, so it's not just one, but many of them...

2021-07-27T13:54:07.286Z [ERROR] expiration: failed to revoke lease: leaseid=pki/issue/__/___ error="failed to revoke entry: resp: (*logical.Response)(nil) err: error encountered during CRL building: error storing CRL: ValidationException: Item size has exceeded the maximum allowed size

Of note:
I'm running 2 Vault servers behind load balancers with DynamoDB storage in AWS. I have tried forcing revocation without luck and I have also even tried to use the tidy API, which has been running for probably 18 hours, as I tried to run it again today and it said tidy was already in process (which may be the reason today was the first day in a while that it did not seal on its own).

Any help on how to force these to go away would be great so I can get these servers back to being stable

Yoan Blanc
@greut
oh hi, using vault agent I'd like to output the Vault token part of a template, is it doable or should I add another level of indirection?
I kind of need VAULT_TOKEN=... instead of the raw token in the file.
jmls
@jmls

so, according to the docs (https://www.vaultproject.io/api-docs/auth/token) there is only one method to look up a token: a POST to /auth/token/lookup. However, in the swagger output of vault (curl http://127.0.0.1:8200/v1/sys/internal/specs/openapi) there is also a GET on /auth/token/lookup

is this a) undocumented, b) deprecated or c) a mistake? ;)

Noe Jafir Quiroz Mendez
@JafirQuiroz

I am having an issue with kubernetes (1.20) EKS, connecting to an external Vault. It seems that I am unable to authenticate:

2021-08-17T18:36:31.184Z [INFO]  auth.handler: authenticating
2021-08-17T18:37:31.185Z [ERROR] auth.handler: error authenticating: error="context deadline exceeded" backoff=3m54.59s

I already did some research but nothing is working.
This is the link with a similar log output to mine:
hashicorp/vault-helm#562

0x5ECF4ULT
@0x5ecf4ult:fairydust.space
Hi. I'm trying to set up Traefik CE with Vault PKI. Unfortunately, I'd have to buy Traefik Enterprise to get built-in Vault support. I don't want to do that.
Now, what's the proper way to accomplish the same with Traefik CE and my Docker Swarm environment? I've read somewhere that cron containers or vaultbot could be of help, although I'm not sure if this is the right thing for me.
I hope this is the right place to ask.
jmls
@jmls

according to hashicorp/vault#2113 , "Vault treats POST and PUT interchangeably!". Is this still true ?

if I'm working from the swagger / openapi docs created by vault, and I want to write to an API, should I use CREATE or UPDATE as the capability required?

for example, the userpass create/update user docs (https://www.vaultproject.io/api-docs/auth/userpass) specifies

Create/Update User
Create a new user or update an existing user. This path honors the distinction between the create and update capabilities inside ACL policies.

so do I enable CREATE and UPDATE as two separate capabilities? or does the 2113 issue hold true and either will work?

timclassic
@tim:stoo.org
Hi. Is it possible to set num_uses on a token generated as a result of an auth method? It's not obvious to me yet how to do this based on reading the docs.
sgtang
@sgtang
We have LDAP authentication with Duo 2FA set up on our Vault cluster which has been running without issues (for most users). One of our users isn't getting the Duo Push and is receiving the error "Authentication failed: TypeError: Failed to fetch" after logging in with the correct credentials. Has anyone seen that error in particular before? I don't notice anything glaring in the server side logs. Thanks
Aron Gates
@agates4
hello
I am attempting to recursively traverse the secret map and output it all into a yml file

I am using the templater with the sidecar in my helm chart

    {{- with $deployment.secrets }}
      {{- range $key, $value := . }}
        vault.hashicorp.com/agent-inject-secret-{{ $key }}.yml: {{ $value }}
        vault.hashicorp.com/agent-inject-template-{{ $key }}.yml: |
          {{ printf `{{- with secret "%s" -}}
            {{- range $secretKey, $secretValue := .Data.data }}
              {{ $secretKey }}: {{ $secretValue }}
            {{- end }}
          {{- end }}` $value }}
      {{- end }}
    {{- end }}

this will only result in a top-level yml file; the result looks like:

    test1: map[test2:test2]
    test3: test3

where I would expect the test1 key to map to a nested key value

any ideas?

Aron Gates
@agates4
solution
    {{- with $deployment.secrets }}
      {{- range $key, $value := . }}
        vault.hashicorp.com/agent-inject-secret-{{ $key }}.json: {{ $value }}
        vault.hashicorp.com/agent-inject-template-{{ $key }}.json: |
          {{ printf `{{- with secret "%s" -}}
            {{- .Data | toJSONPretty }}
          {{- end }}` $value }}
      {{- end }}
    {{- end }}
greg-hunt1
@greg-hunt1
Can you use more than 1 tag for cloud auto-join?
springroll12
@springroll12
Hello. When using the ssh engine to generate an ssh CA signing certificate, is it safe to store the public certificate in git? I assume not, and that this certificate must be protected?
For reference, I am trying to figure out how to propagate the public cert to the servers I wish to SSH into
springroll12
@springroll12
Also, is it best practice to separate out the CAs for ssh certificates per environment or client?
Robert Goldsmith
@far-blue
@springroll12 I'm not quite sure what you are referring to. However, the public part of the CA which should be copied to the servers should, I think, be safe to store unprotected because it's only used to validate a signature, not create them. The private part is kept in Vault. The same with the certs generated for each ssh key because, again, they are public signatures.
Robert Goldsmith
@far-blue
How you structure your CAs comes down to how you want to control access to servers. We do it by conceptual role with most servers limited to the ops team and then a small number also accessible by dev teams. Each team maps to a CA. Then ansible controls which server CA certs are installed on each machine and, therefore, which servers each team can access
but you could also have a single CA and then use the existence of a user account on the server to control whether a user can actually login, for instance.
Robert Goldsmith
@far-blue
Changing topic, does anyone know if Nomad can accept a wrapped vault token rather than a plain one as part of job submission?
johnny101
@johnny101:matrix.org
We seem to be hitting an issue with token rotation and the consul-agent token in our Nomad cluster while using Vault for token management. I described the setup and the issue here: https://github.com/hashicorp/nomad/issues/9813#issuecomment-930456285. If anyone has any feedback, that would be appreciated, thanks!
prajwalsrinivasa
@prajwalsrinivasa
Hello guys, has anyone moved from Vault running on VMs to Vault on K8s?
Roi Ezra
@ezraroi
Hi guys, qq.. is there a way to view a metric that can tell how many 5xx or any other status codes the Vault API returns? We see that sometimes Vault is failing to renew a lease against AWS for some reason and returns 502... we could not find any way to know how many times it happens... Also the audit log does not contain the status code of the request. Any idea?
cru5ader
@cru5ader:matrix.org
Hi guys, I didn't change my settings in Vault to work with TLS. Errors like this: http: TLS handshake error from 127.0.0.1:53908 tls: client didn't provide a certificate
greg-hunt1
@greg-hunt1
I have a chicken-and-egg question. Can I create an RDS instance in Terraform and have Vault generate and secure the original password, so that I can then use Terraform to set up a Vault user for dynamic credentials?
Michael Aldridge
@the-maldridge
I think the short answer there is "no"
you could probably kludge something, but it won't be stable
tomiles
@tomiles
Is there a way to disable implicit entity creation? So only allow pre-added entities/aliases?
Sort of as an authorization whitelist for OIDC auth, only handing tokens to this preapproved user list.
tomiles
@tomiles
To answer my own question, I solved it by setting the authorized user list with 'bound_claims' in the OIDC role configuration
alwaysastudent
@alwaysastudent
hi folks, is there an API or command to verify the effective system max_lease_ttl on Vault?
I want to make sure the settings in the HCL file have been picked up