hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

New Credential Store failed because of deprecated Vault token field check #1604

Open BrandonIngalls opened 2 years ago

BrandonIngalls commented 2 years ago

Describe the bug

Boundary throws an error message when you provide a vault token that does not use the deprecated period field.

To Reproduce

  1. Create a vault role for the credential store
    [~]$ vault write auth/token/roles/boundary-cv-infra \
      allowed_policies=boundary-cv-infra \
      token_period=48h \
      orphan=true \
      token_type=service
    Success! Data written to: auth/token/roles/boundary-cv-infra
  2. Create a vault token to give to boundary

    [~]$ vault token create -role boundary-cv-infra
    Key                  Value
    ---                  -----
    token                s.aaaaaaaaaaaaaaaaaaaaaaaa
    token_accessor       22xJTqzjqy6gFNj6XiNeYsi5
    token_duration       48h
    token_renewable      true
    token_policies       ["boundary-cv-infra" "default"]
    identity_policies    []
    policies             ["boundary-cv-infra" "default"]
    
    # NOTE: The token does not have a `period` field
    [~]$ vault token lookup -format=json s.aaaaaaaaaaaaaaaaaaaaaaaa
    {
      "request_id": "1abeb012-96af-bf91-604f-4c38c4cfd1c2",
      "lease_id": "",
      "lease_duration": 0,
      "renewable": false,
      "data": {
        "accessor": "22xJTqzjqy6gFNj6XiNeYsi5",
        "creation_time": 1634273154,
        "creation_ttl": 172800,
        "display_name": "token",
        "entity_id": "",
        "expire_time": "2021-10-17T04:45:54.495810945Z",
        "explicit_max_ttl": 0,
        "id": "s.aaaaaaaaaaaaaaaaaaaaaaaa",
        "issue_time": "2021-10-15T04:45:54.495818449Z",
        "meta": null,
        "num_uses": 0,
        "orphan": true,
        "path": "auth/token/create/boundary-cv-infra",
        "policies": [
          "boundary-cv-infra",
          "default"
        ],
        "renewable": true,
        "role": "boundary-cv-infra",
        "ttl": 172028,
        "type": "service"
      },
      "warnings": null
    }
  3. Try to create a credential store
    Error
    credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: vault token is not a periodic token, vault token issue: error #3011

Expected behavior

I think the Credential Store should get created since the token I created is periodic.

Additional context

I'm not 100% sure, but I think this might be related to this check https://github.com/hashicorp/boundary/blob/v0.6.2/internal/credential/vault/repository_credential_store.go#L237-L239

Boundary will create a credential store if you manually create a token using the deprecated period field.

# NOTE: Manually creating a token with the deprecated `period` option works
[~]$ vault token create -orphan=true -period=2h -policy=boundary-cv-infra 
Key                  Value
---                  -----
token                s.bbbbbbbbbbbbbbbbbbbbbbbb
token_accessor       e3w8rNmSapG3n9bpMaYG0X9j
token_duration       2h
token_renewable      true
token_policies       ["boundary-cv-infra" "default"]
identity_policies    []
policies             ["boundary-cv-infra" "default"]

# NOTE: the response has `period`
[~]$ vault token lookup -format=json s.bbbbbbbbbbbbbbbbbbbbbbbb
{
  "request_id": "8bc354b7-76b0-c5cd-6750-68751f5237b6",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "accessor": "e3w8rNmSapG3n9bpMaYG0X9j",
    "creation_time": 1634273854,
    "creation_ttl": 7200,
    "display_name": "token",
    "entity_id": "",
    "expire_time": "2021-10-15T06:57:34.648644267Z",
    "explicit_max_ttl": 0,
    "id": "s.bbbbbbbbbbbbbbbbbbbbbbbb",
    "issue_time": "2021-10-15T04:57:34.648649387Z",
    "meta": null,
    "num_uses": 0,
    "orphan": true,
    "path": "auth/token/create",
    "period": 7200,
    "policies": [
      "boundary-cv-infra",
      "default"
    ],
    "renewable": true,
    "ttl": 7186,
    "type": "service"
  },
  "warnings": null
}

Possibly related nomad PR https://github.com/hashicorp/nomad/pull/6574
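Added illustration (Go, not Boundary's own code) of the more lenient periodicity check this report argues for: honour the token's own `period` field, and when it is absent but the token names a `role`, consult that role's `token_period` (or its deprecated `period`). The field names come from the Vault output above; the JSON samples and the role read are constructed to mirror it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed samples mirroring this report's lookups: the role-issued token
// has "role" but no "period"; the -period token has "period".
const roleTokenJSON = `{"role":"boundary-cv-infra","creation_ttl":172800,"ttl":172028,"renewable":true}`
const manualTokenJSON = `{"period":7200,"creation_ttl":7200,"ttl":7186,"renewable":true}`
// Constructed read of auth/token/roles/boundary-cv-infra (deprecated period is 0).
const roleJSON = `{"token_period":172800,"period":0,"orphan":true,"token_type":"service"}`

// secondsField reads a duration-in-seconds field from decoded Vault JSON,
// where numbers arrive as float64. Missing or non-numeric fields read as 0.
func secondsField(data map[string]interface{}, key string) int64 {
	if v, ok := data[key].(float64); ok {
		return int64(v)
	}
	return 0
}

// IsPeriodic reports whether a token is periodic. The token's own "period" wins;
// otherwise, if the token was issued through a role, the role's token_period (or
// deprecated period) decides. roleData is the caller's read of that role, or nil.
func IsPeriodic(tokenData, roleData map[string]interface{}) bool {
	if secondsField(tokenData, "period") > 0 {
		return true
	}
	if role, _ := tokenData["role"].(string); role == "" || roleData == nil {
		return false
	}
	return secondsField(roleData, "token_period") > 0 || secondsField(roleData, "period") > 0
}

// mustDecode turns a JSON object literal into a map; panics on malformed input.
func mustDecode(s string) map[string]interface{} {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(s), &m); err != nil {
		panic(err)
	}
	return m
}

func main() {
	role := mustDecode(roleJSON)
	fmt.Println(IsPeriodic(mustDecode(roleTokenJSON), role), IsPeriodic(mustDecode(manualTokenJSON), nil)) // true true
}
```

A check that looks only at the lookup's `period` field, as the report describes, rejects the role-issued token; the role-aware check accepts both.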

grantorchard commented 2 years ago

Thanks Brandon, I ran into this too.

thanks4wifi commented 2 years ago

I just ran into this bug too; it looks like the period field was deprecated in Vault 1.2.0 (2019).

[~]$ vault version
Vault v1.11.2 (3a8aa12eba357ed2de3192b15c99c717afdeb2b5), built 2022-07-29T09:48:47Z

[~]$ vault path-help auth/token/roles/new-role | grep 'period (duration (sec))' -m 1 -A 3

    period (duration (sec))

        (DEPRECATED) Use 'token_period' instead.

thanks4wifi commented 8 months ago

Still broken years later.