Jason W
@jasonwilliams14
any suggestions for setting up vault to hold a couple of private SSH keys? Purely for testing something out, but looking how to manually 'shove' some private keys into vault.
drewmullen
@drewmullen
if they're static keys then you should just put them into kv backend @jasonwilliams14
Jason W
@jasonwilliams14
@drewmullen thanks. i'll give that a shot
Florian Wiech
@florianwiech
Hi everyone, the vault demo (http://demo.vaultproject.io/) is currently unavailable. Is there a known end to the downtime?
Jason Witkowski
@jwitko

Hey All, I have a vault cluster (0.11.5) that is using consul as a backend. I am having an issue where applications which query vault to retrieve database credentials are often receiving TLS handshake timeouts. There are 3 vault servers and 7 consul. There is no resource utilization issues at all, the clusters are way over-provisioned. I cannot for the life of me figure out why we're seeing these timeouts and I'm wondering if anyone here can point me in the right direction?
vault log errors:

```
Oct  7 04:28:06 vault1 vault: 2019-10-07T04:28:06.242Z [INFO]  http: TLS handshake error from 10.4.18.33:57042: EOF
Oct  7 08:08:26 vault1 vault: 2019-10-07T08:08:26.241Z [INFO]  http: TLS handshake error from 10.4.17.31:46010: EOF
```

application errors:

```
2019-10-06 19:44:57] app.ERROR: Connect to the Vault failed in (2.186 s): timed out before SSL handshake [] []
[2019-10-07 01:44:00] app.ERROR: Connect to the Vault failed in (5.014 s): Resolving timed out after 1510 milliseconds [] []
```
Vault, Consul, and the application are all within the same private network on a cloud provider
TLS is being terminated on the vault servers and dns to the vault hostname is being done via consul
Jason Witkowski
@jwitko
To add some info to the above, the issue appears to be that sometimes requests to vault take a few seconds. it appears about 2-3% of HTTPS requests take >1.5s
the application is then timing out the TLS handshake and that is why I see the above errors
So my new question is what could be causing vault to have such a high response time intermittently
Jeffrey Hogan
@jeffwecan
@matrixbot: Obviously not quite the same configuration, but I have used an AWS-hosted Vault cluster backing some Heroku apps. I'm curious to hear what you had in mind. One of the convenient elements of having a Vault cluster hosted at AWS is that Heroku offers some (enterprise-only) options in the form of "private spaces" that allow you to peer a Heroku-managed VPC with a VPC at AWS. So in my case, that setup allowed for Heroku -> Vault communication over private subnets...
Jason W
@jasonwilliams14

hey folks. Working on getting a policy setup in vault. Nothing too fancy, just getting down the basics. I created a very simple policy

```
path "kv/*" {
  capabilities = ["read", "create"]
}

path "secrete/data/*" {
  capabilities = ["create", "read"]
}
```

been testing with KV now. However, after creating, applying and generating a token for this policy, I'm still getting permission denied.

```
Error listing kv/metadata: Error making API request.

URL: GET http://10.0.1.5:8200/v1/kv/metadata?list=true
Code: 403. Errors:

* 1 error occurred:
    * permission denied
```
oof...i'll work on formatting
my gut tells me the path is wrong
drewmullen
@drewmullen
secrete <- typo? secret ?
Jason W
@jasonwilliams14
@drewmullen yea, typo when i was cutting/pasting on the line here. Double checked and it is correct.
drewmullen
@drewmullen
:)
Jason W
@jasonwilliams14
i did try creating a new secrets engine (KV), and wrap a policy around that, but still no dice...but
i was able to put a secret in the engine, but i can't seem to get it
drewmullen
@drewmullen
you have both secret and kv, did you verify the name with `vault secrets list --detailed`?
Jason W
@jasonwilliams14
yea
i created a new test one just called 'cloud'
hmmm....wonder if i am stepping on myself...let me try something
no dice. :( Basically, i created a new secret KV engine called Cloud. I created this simple policy

```
path "cloud/*" {
  capabilities = ["read", "create"]
}
```

created a new dev-policy
drewmullen
@drewmullen
can i see your execution, remove your token
Jason W
@jasonwilliams14
i was setting the token via export
when you say execution, you mean the command i am running to try and view/get the secret?
drewmullen
@drewmullen
~yes~ no to set the policy
Jason W
@jasonwilliams14
`vault kv list cloud/`
which gives me this error

```
Error listing cloud/metadata/sshkeys: Error making API request.

URL: GET http://10.0.1.5:8200/v1/cloud/metadata/sshkeys?list=true
Code: 403. Errors:

* 1 error occurred:
    * permission denied
```
drewmullen
@drewmullen
what is your problem? are you unable to read a secret you created or not able to write a policy?
Jason W
@jasonwilliams14
bah..sorry for formatting
i get permission denied
not able to retrieve the secret
making me scratch my head for sure
ok...now im confused
this works
vault kv get cloud/sshkeys/xmas
i can get the secret
so maybe i am confused on permissions to list the 'structure' of the secret path
Jason W
@jasonwilliams14
that's it..i was missing list
so i could retrieve the key, but i did not have list as my permission. I was confused why i could not see 'cloud' or 'cloud/sshkeys'
so my policy is now this
drewmullen
@drewmullen
:+1:
Jason W
@jasonwilliams14
`path "cloud/*" { capabilities = ["read", "create", "list"] }`
thx @drewmullen appreciate the extra pair of eyes
Aliaksandr Parfianiuk
@frombrest
Hi there, Guys could you help me? How can I make my dynamic credentials from postgresql-database-plugin nonrenewable?