Fail to configure Vault Enterprise

Bug #2028855 reported by Jacopo Rota
Affects: MAAS (status tracked in 3.5)
  Series 3.4: Status Triaged, Importance High, Assigned to Igor Brovtsin
  Series 3.5: Status Triaged, Importance High, Assigned to Igor Brovtsin

Bug Description

`sudo maas config-vault configure ....` always fails due to `CommandError: permission denied`.

Steps to reproduce:

1) get a vault ENTERPRISE server https://portal.cloud.hashicorp.com/sign-in (or get a local one)
2) configure the vault according to https://maas.io/docs/how-to-use-hashicorp-vault-with-maas
3) at step 5 of the guide, run `vault write -wrap-ttl=60m -force auth/approle/role/$ROLE_NAME/secret-id` (atm there is a typo in the docs, do not run `vault write -wrap-ttl=5m auth/approle/role/$ROLE_NAME/secret-id` as it's wrong)
4) the command `sudo maas config-vault configure $URL $APPROLE_ID $WRAPPED_TOKEN $SECRETS_PATH --mount $SECRET_MOUNT` fails with `CommandError: permission denied...`

Jacopo Rota (r00ta) wrote :

The problem is that we are creating the hvac client https://git.launchpad.net/maas/tree/src/maasserver/vault.py#n83 without any parameter, which results in permission denied of course.

description: updated
Igor Brovtsin (igor-brovtsin) wrote :

Are you sure there is a problem with hvac client initialization and not vault instance configuration?

Jacopo Rota (r00ta) wrote :

Looks like for Vault Enterprise the namespace is mandatory and we are not setting it in the Client configuration.

summary: - Fail to configure Vault
+ Fail to configure Vault Enterprise
description: updated
Igor Brovtsin (igor-brovtsin) wrote :

As Jacopo figured out above, the issue is with approle login. While we could (and probably should) introduce a namespace parameter, we might also want to address the inability to use approle auth on a mountpoint different from the default value provided by hvac ("approle").
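The two gaps named in this thread, an hvac client created without a namespace (which Vault Enterprise requires) and an AppRole login pinned to hvac's default `approle` mount path, put together as an added example. This is not MAAS's code: the helper names, the sample URL and the custom mount path are illustrative, and only the documented hvac calls (`hvac.Client(namespace=...)`, `client.sys.unwrap()`, `client.auth.approle.login(mount_point=...)`) are real.

```python
"""Added example (not MAAS code): hvac client setup for Vault Enterprise.

Helper names, the sample URL and the mount path are illustrative assumptions.
"""
from __future__ import annotations

from typing import Any


def build_client_kwargs(url: str, namespace: str | None) -> dict[str, Any]:
    """Keyword arguments for hvac.Client.

    Vault Enterprise scopes every request to a namespace, which hvac sends as
    the X-Vault-Namespace header.  Without it the request lands in the root
    namespace, where the AppRole does not exist, and Vault answers
    "permission denied".  Vault OSS has no namespaces, so pass nothing there
    rather than an empty string.
    """
    kwargs: dict[str, Any] = {"url": url}
    if namespace:
        kwargs["namespace"] = namespace
    return kwargs


def approle_login_kwargs(role_id: str, secret_id: str,
                         mount_point: str = "approle") -> dict[str, str]:
    """Arguments for client.auth.approle.login.

    hvac defaults mount_point to "approle"; it must match the path the auth
    method was enabled at (vault auth enable -path=<mount_point> approle).
    """
    return {"role_id": role_id, "secret_id": secret_id, "mount_point": mount_point}


def login_with_wrapped_secret_id(url: str, namespace: str | None, role_id: str,
                                 wrapping_token: str, mount_point: str = "approle"):
    """Unwrap a response-wrapped secret-id, then log in via AppRole.

    The wrapped token comes from `vault write -wrap-ttl=... -force
    auth/approle/role/<role>/secret-id` (step 3 of the report).  It is a
    short-lived, single-use Vault token, so it is used exactly once, to call
    sys/wrapping/unwrap, and never stored.
    """
    import hvac  # imported lazily so the pure helpers above work without hvac installed

    # The unwrap call must be made in the same namespace the secret-id was
    # issued in, so the namespace goes on this client too.
    unwrapper = hvac.Client(token=wrapping_token, **build_client_kwargs(url, namespace))
    secret_id = unwrapper.sys.unwrap()["data"]["secret_id"]

    client = hvac.Client(**build_client_kwargs(url, namespace))
    client.auth.approle.login(**approle_login_kwargs(role_id, secret_id, mount_point))
    if not client.is_authenticated():
        raise RuntimeError("AppRole login succeeded but client holds no valid token")
    return client


if __name__ == "__main__":
    # Constructed sample settings; a real run needs a reachable Vault server.
    print(build_client_kwargs("https://vault.example:8200", "admin"))
    print(approle_login_kwargs("<role-id>", "<secret-id>", "maas-approle"))
```

The two small helpers are pure so the namespace handling can be unit-tested without a Vault server; the login function is where hvac is actually touched. If the AppRole was enabled at a non-default path, passing that path as `mount_point` is the only change needed on the client side.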
