chiefy
commented
8 years ago @Mika56 what version of vault, vaulted and node are you running?
@kenjones-cisco any idea on this?
Closed Mika56 closed 8 years ago
chiefy
commented
8 years ago @Mika56 what version of vault, vaulted and node are you running?
@kenjones-cisco any idea on this?
kenjones-cisco
commented
8 years ago The nature of how Vault works, there are a couple of options enabled by default but not all options. You would need to actually mount the appid auth backend.
An example:
vaultServer.createAuthMount({
id: 'app-id',
body: {
type: 'app-id'
}
});Next you need to create the an actual app and user in order to make use of the login:
vaultServer.createApp({
id: 'fakeapp',
body: {
value: 'root',
display_name: 'TheFakeApp'
}
});
vaultServer.createUser({
id: 'fakeuser',
body: {
value: 'fakeapp'
}
});
vaultServer.appLogin({
body: {
app_id: 'fakeapp',
user_id: 'fakeuser'
}
});
Mika56
commented
8 years ago Hi,
I can't check my Node version (could be 0.12.x, 0.5 ou even 0.6...), but I'm sure I was on the latest version of vaulted, and Vault version 5 (though I've seen somewhere that it might not be officially supported?)
My Node application does not have a root token a cannot mount auth backend nor create apps and users. They were already mounted/created outside of my application. The only things my application knows is where the Vault server is, and what its appid and userid are. I don't see the point of giving root token to every one of my Node application.
kenjones-cisco
commented
8 years ago Because not all auth backends are enabled by default, assuming we have a token (it does not have to be the root token) with access to list available auth backends, we will handle making the APIs available for access. When mounting different backends, they can be mounted at different paths so we can't assume a specific path.
If the app and user are already created and mapped, then you would be able to perform appLogin using the appId and userId provided to you.
Mika56
commented
8 years ago So what, should I generate a token that can only list auth backends? It would seem easier to me to just tell Vaulted that there is an appid backend available at auth/app-id/. Any way to do so?
kenjones-cisco
commented
8 years ago There are currently only 2 ways to include the mounted endpoints, the first is by actually mounting using createAuthMount, and the other is we attempt to reload any already mounted endpoints by asking Vault for the list of mounted auth backends and mounted storage backends.
Never considered manually specifying endpoints to include. We can add that as an enhancement.
After calling vaultServer.prepare(), can you try the following to see if you can access the list w/o any extra tokens provided?
vaultServer.getAuthMounts().then(function (authMounts) {
console.log(authMounts);
});Hi,
I tried your code, but it wouldn't execute it because I didn't give a token. I disabled the security, but got an HTTP 400 error from the Vault server.
How hard would it be to tweak the code in order to "inject" the endpoints?
chiefy
commented
8 years ago @Mika56 closing this one out, feel free to comment if you have comments/concerns.
Hi,
I'm trying to connect to my Vault server using appid auth backend. I've enabled appid on my Vault server with success.
Now I'm trying to get vaulted to work, but I can't figure out what's wrong.
When running this code, I get the "Could not find endpoint: auth/app-id/login in API defintions" error. I've dumped
this.endpointsin api.js, and this is the result:I don't understand why auth/token endpoints seem registered, but not auth/appid endpoints?