Venafi / vault-pki-monitor-venafi

Venafi PKI Monitoring Secrets Engine for HashiCorp Vault that enforces security policy and provides certificate visibility to the enterprise.
Mozilla Public License 2.0

Config Venafi secret with access_token and refresh_token, only work once. After that session, 400 error #83

Closed jimfang closed 2 years ago

jimfang commented 2 years ago

PROBLEM SUMMARY Using the commands below to configure the Venafi secret, it works properly with username and password every time, but only works once with access token and refresh token for that session. When running the same command again with the same access token and refresh token, it gives 400 bad request. The access token validity is 90 days, the refresh token is enabled, and the grant expiration is up to 365 days, which are the TPP defaults; we are also using the default API application integration.

vault write pki/venafi/tpp url="https://<TPP_URL>" trust_bundle_file="/target_path/bundle.pem" access_token="" refresh_token=""

OR

vault write pki/venafi/tpp url="https://<TPP_URL>" trust_bundle_file="/target_path/bundle.pem" tpp_user="**" tpp_password="***"

STEPS TO REPRODUCE

  1. create a new user in Venafi for vault to use
  2. fetch access_token and refresh token with client id in a client
  3. run vault command "vault write pki/venafi/...... access_token=, refresh_token="
  4. issue a certificate in vault (works fine as config auth successfully)
  5. after session expired or timeout, run vault command "vault write pki/venafi/...... access_token=, refresh_token="
  6. 400 BAD request

EXPECTED RESULTS The Venafi secret is configured successfully every time, whether using user/password or access_token/refresh_token.

ACTUAL RESULTS access_token and refresh_token only worked once.

ENVIRONMENT DETAILS Vault set up in a docker container on a laptop; TPP server hosted on a DEV VM server.

COMMENTS/WORKAROUNDS Every time before configuring, regenerate a new access_token and refresh_token.

ricrodriguezg commented 2 years ago

Hello @jimfang, this behavior is expected. By supplying a refresh_token, the secrets engine is able to automatically obtain new tokens and operate without interruption whenever the access_token expires. Normally you should not have to perform any other configuration related to access/refresh tokens in order to issue/import certificates to Trust Protection Platform, unless you need to modify the Venafi Secret; then it may require you to provide a new access_token and refresh_token (i.e. depending upon whether the original set of tokens has been refreshed by the secrets engine plugin).

jimfang commented 2 years ago

Hi @ricrodriguezg, thanks very much for your quick reply. Consider one usage scenario: there are 2+ Vault servers connecting to the same TPP server.

  1. setup a service account in TPP for vault to use
  2. fetch access_token/refresh token from TPP
  3. One vault server configures the Venafi secret using the command "vault write pki/venafi/tpp .... "
  4. Another vault server configures the Venafi secret using the same command. It will fail with the error message:

     Error writing data to pki/venafi/tpp: Error making API request.
     URL: PUT http://127.0.0.1:8200/v1/pki/venafi/tpp
     Code: 400. Errors:
     • invalid mode: apikey or tpp credentials or tpp access/refresh token required

jimfang commented 2 years ago

Another usage scenario is setting up vault in a docker container. We did the Venafi secret config and played around. The next day the docker container was stopped/started, so we restarted the instance and did the same configuration. Error 400 appeared.

ricrodriguezg commented 2 years ago

Hi @jimfang, regarding your first scenario, is this a Vault cluster? If so, the configuration of the plugin can be applied in any of the instances of the cluster and that should automatically synchronize the changes to the other instances. If that is not the case and you are working with independent instances, you need to configure each instance with a different pair of tokens (refresh and access).

For the docker scenario, you should use a different pair of tokens once you perform a new configuration of the plugin since the original tokens would have likely been refreshed by it.
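The rotation described in this reply, as an added simulation (not code from the vault-pki-monitor-venafi plugin or from Trust Protection Platform): the refresh_token is consumed when the plugin refreshes, so a second independent Vault instance, or a restarted container, configured with the original pair gets a 400, while a pair per instance keeps working. TokenService and VaultInstance are constructed stand-ins, not real APIs.

```python
import secrets

class TokenService:
    """Stand-in for the TPP token endpoint (constructed, not the real API)."""
    def __init__(self):
        self.live_access, self.live_refresh = set(), set()
    def grant(self):
        pair = (secrets.token_hex(8), secrets.token_hex(8))
        self.live_access.add(pair[0]); self.live_refresh.add(pair[1])
        return pair
    def refresh(self, refresh):
        # Single use: the old refresh_token is consumed, a new pair comes back.
        if refresh not in self.live_refresh:
            raise PermissionError("refresh token already consumed")
        self.live_refresh.remove(refresh)
        return self.grant()

class VaultInstance:
    """Stand-in for one Vault server running the Venafi secrets engine."""
    def __init__(self, name, svc):
        self.name, self.svc, self.access, self.refresh_tok = name, svc, None, None

    def configure(self, access, refresh):
        # 'vault write pki/venafi/tpp': a pair that can neither be used nor
        # refreshed is rejected, which is the 400 reported in the thread.
        if access not in self.svc.live_access and refresh not in self.svc.live_refresh:
            return "400 Bad Request: stale token pair"
        self.access, self.refresh_tok = access, refresh
        return "ok"

    def issue_certificate(self):
        if self.access not in self.svc.live_access:   # expired: plugin refreshes
            self.access, self.refresh_tok = self.svc.refresh(self.refresh_tok)
        return f"cert issued by {self.name}"

def shared_pair_scenario():
    """Two independent instances (or a restarted container) reuse one pair."""
    svc = TokenService(); pair = svc.grant()
    v1, v2 = VaultInstance("vault-1", svc), VaultInstance("vault-2", svc)
    assert v1.configure(*pair) == "ok"
    svc.live_access.discard(pair[0])   # time passes, the access_token expires
    v1.issue_certificate()             # vault-1 silently rotates the pair
    return v2.configure(*pair)         # the original pair is now consumed

def per_instance_pair_scenario():
    """The fix: each independent instance gets its own pair."""
    svc = TokenService()
    v1, v2 = VaultInstance("vault-1", svc), VaultInstance("vault-2", svc)
    v1.configure(*svc.grant()); v2.configure(*svc.grant())
    return (v1.issue_certificate(), v2.issue_certificate())
```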

jimfang commented 2 years ago

Hi @ricrodriguezg, thanks very much. For the first scenario, they are two different vault instances/clusters. They are independent.

I got your point that the token should be configured once and is expected to be used for a long time. Both scenarios need a different pair of tokens whenever the command is run again. I will notify the team and see if there are other issues after configuring tokens.

jimfang commented 2 years ago

Hi @ricrodriguezg, there is an issue I found when using tokens to auth: the cert issued in vault cannot be seen in the Venafi monitoring folder.

Environment: the service role in TPP and the vault on my local machine are all the same. Using different ways to auth: 1. with tpp_user/tpp_password, 2. with access_token/refresh_token.

Reproduction steps:

  1. config venafi auth with command: vault write pki/venafi/...... access_token="" refresh_token=""
  2. config policy map and set up internal CA as in the guide
  3. issue a new cert with command: vault write pki/issue/venafi-role common_name="friday.dev.allowed.org" alt_names="friday-1.dev.allowed.org,friday-2.dev.allowed.org"
  4. in the Vault command, it shows the cert issued successfully with correct cert and private key output
  5. However, the cert "friday.dev.allowed.org" is not shown in Venafi (refreshed several times...)
  6. config venafi auth with command: vault write pki/venafi/...... tpp_user="" tpp_password=""
  7. issue a new cert with command: vault write pki/issue/venafi-role common_name="friday.dev.allowed.org" alt_names="friday-1.dev.allowed.org,friday-2.dev.allowed.org"
  8. in the Vault command, it shows the cert issued successfully
  9. the cert "friday.dev.allowed.org" is shown in Venafi (refreshed once after 1 second.)

Thanks.

jimfang commented 2 years ago

These are the parameters used to fetch the token:

$Param = @{
    "username"  = "**_local"
    "password"  = "*****"
    "client_id" = "hashicorp-vault-monitor-by-venafi"
    "scope"     = "certificate:manage"
}

jimfang commented 2 years ago

Hi @ricrodriguezg, I tried a different scope to fetch the token. The issue is solved. Thanks.

$Param = @{
    "username"  = "_local"
    "password"  = "***"
    "client_id" = "hashicorp-vault-monitor-by-venafi"
    "scope"     = "certificate:discover,manage"
}
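A pre-flight check for the scope fix in this last comment, added here and not code from the plugin or from TPP. It assumes the TPP scope grammar is scope:action,action with ";" separating scopes, and treats certificate:manage (issuing) plus certificate:discover (the monitoring-folder visibility the thread traced) as the required set.

```python
# Required actions, taken from this thread: "manage" to issue, "discover" for
# the issued cert to appear in the Venafi monitoring folder.
REQUIRED = {"certificate": {"discover", "manage"}}

def parse_scope(scope: str) -> dict:
    """Parse 'scope:act,act;scope:act' into {scope: {actions}} (grammar assumed)."""
    granted = {}
    for part in scope.split(";"):
        name, _, actions = part.strip().partition(":")
        if not name:
            continue
        acts = {a.strip() for a in actions.split(",") if a.strip()}
        granted.setdefault(name.strip(), set()).update(acts)
    return granted

def missing_actions(scope: str) -> dict:
    """Return {scope: [missing actions]} for anything in REQUIRED that is absent."""
    granted = parse_scope(scope)
    gaps = {}
    for name, need in REQUIRED.items():
        lacking = sorted(need - granted.get(name, set()))
        if lacking:
            gaps[name] = lacking
    return gaps

def check_token_request(params: dict) -> str:
    """Gate a token request (the $Param hashtable above) on its scope value."""
    gaps = missing_actions(params.get("scope", ""))
    if gaps:
        return "refuse: scope lacks " + ", ".join(f"{k}:{','.join(v)}" for k, v in gaps.items())
    return "ok"
```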