MAAS

Fail to configure Vault Enterprise

Series 3.4
Bug #2028855

Bug #2028855 reported by Jacopo Rota on 2023-07-27

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	MAAS	Status tracked in 3.5
	3.4	Triaged	High	Igor Brovtsin	MAAS 3.4.x
	3.5	Triaged	High	Igor Brovtsin	MAAS 3.5.0

Bug Description

`sudo maas config-vault configure ....` always fails due to `CommandError: permission denied`.

Steps to reproduce:

1) get a vault ENTERPRISE server https://portal.cloud.hashicorp.com/sign-in (or get a local one)
2) configure the vault according to https://maas.io/docs/how-to-use-hashicorp-vault-with-maas
3) at the step 5 of the guide, run `vault write -wrap-ttl=60m -force auth/approle/role/$ROLE_NAME/secret-id` (atm there is a typo in the docs, do not run `vault write -wrap-ttl=5m auth/approle/role/$ROLE_NAME/secret-id` as it's wrong)
4) the command `sudo maas config-vault configure $URL $APPROLE_ID $WRAPPED_TOKEN $SECRETS_PATH --mount $SECRET_MOUNT` fails with `CommandError: permission denied...`

See original description

Revision history for this message

Jacopo Rota (r00ta) wrote on 2023-07-27:

#1

Problem is that we are creating the hvac client https://git.launchpad.net/maas/tree/src/maasserver/vault.py#n83 without any parameter, which results in permission denied of course.

description:

updated

Revision history for this message

Igor Brovtsin (igor-brovtsin) wrote on 2023-07-27:

#2

Are you sure there is a problem with hvac client initialization and not vault instance configuration?

Revision history for this message

Jacopo Rota (r00ta) wrote on 2023-07-27:

#3

I'm debugging and actually my issue is not at https://git.launchpad.net/maas/tree/src/maasserver/vault.py#n83 but at https://git.launchpad.net/maas/tree/src/maasserver/vault.py#n139 . Keep you posted

Revision history for this message

Jacopo Rota (r00ta) wrote on 2023-07-27:

#4

Looks like that for Vault enterprise the namespace is mandatory and we are not setting it in the Client configuration.

summary:	- Fail to configure Vault + Fail to configure Vault Enterprise
description:	updated

Revision history for this message

Igor Brovtsin (igor-brovtsin) wrote on 2023-07-27:

#5

As Jacopo figured out above, the issue is with approle login. While we could (and probably should) introduce a namespace parameter, we might also want to address the inability to use approle auth on a mountpoint different than the default value provided by hvac ("approle").

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.