Closed onetwopunch closed 4 years ago
Figured it out. Turns out that both the vault executable and the plugin need to have `cap_ipc_lock` set even if systemd specifies keep-caps. To fix this I simply did:

```
/sbin/setcap cap_ipc_lock=+ep /etc/vault.d/plugins/my-vault-plugin
```
I think this edge case should be added to the Vault docs so I'll go ahead and add an issue there to track it.
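As an added check (not part of this issue, and not Vault's own tooling), the script below parses `getcap` output and reports whether each binary carries `cap_ipc_lock` in both the effective and permitted sets, which is what the `setcap cap_ipc_lock=+ep` fix above grants. The `/usr/bin/vault` location is an assumption; the plugin path is the one from the issue. It handles both forms `getcap` has printed over the years (`path cap_ipc_lock=ep` and the older `path = cap_ipc_lock+ep`), and treats a capability that is only permitted but not effective as missing, since that is exactly the state that still fails at runtime.

```shell
#!/bin/sh
# Added example: verify that the vault binary and every plugin binary have
# cap_ipc_lock in the effective (e) and permitted (p) sets.
# Usage: sh check_caps.sh /usr/bin/vault /etc/vault.d/plugins/my-vault-plugin
# (/usr/bin/vault is an assumed install path.)

# Print the flag letters attached to cap_ipc_lock in one getcap output line,
# e.g. "ep" for "/usr/bin/vault cap_ipc_lock=ep" or for the older
# "/usr/bin/vault = cap_ipc_lock+ep". Returns 1 if the cap is absent.
ipc_lock_flags() {
    for tok in $1; do
        case "$tok" in
            *cap_ipc_lock*)
                # Grouped output looks like "cap_ipc_lock,cap_sys_admin=ep";
                # strip everything through the last '=' or '+' to keep the flags.
                printf '%s\n' "${tok##*[=+]}"
                return 0 ;;
        esac
    done
    return 1
}

# Succeed only if cap_ipc_lock is present with both 'e' and 'p'.
# A permitted-only cap ("cap_ipc_lock=p") is rejected: Vault's mlock()
# call needs the capability to be effective.
has_ipc_lock() {
    flags=$(ipc_lock_flags "$1") || return 1
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) return 0 ;; *) return 1 ;; esac
}

# Run getcap against real files and print one status line per binary.
# Exit status is non-zero if any binary is missing or lacks the cap.
check_vault_caps() {
    status=0
    for bin in "$@"; do
        if [ ! -x "$bin" ]; then
            echo "MISSING $bin"
            status=1
            continue
        fi
        line=$(getcap "$bin" 2>/dev/null)
        if has_ipc_lock "$line"; then
            echo "OK      $bin  ($line)"
        else
            echo "NOCAP   $bin  (fix: setcap cap_ipc_lock=+ep $bin)"
            status=1
        fi
    done
    return $status
}

# Only touch the filesystem when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    check_vault_caps "$@"
fi
```

Run it after every plugin upgrade as well: replacing the plugin file (for example by a package manager or a `cp` that creates a new inode) drops the file capability, which reproduces the original failure even though the unit file has not changed.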
I've been working with a custom Vault plugin and keep running into this error that I've traced back here:
I'm not sure if this is a Vault thing or something I'm missing, but simply put I have a Vault systemd service that is running as a new user `vault` which owns all the config files as well as the plugin directory and executable. This works fine until I want to use my plugin. I can register the plugin just fine, but then when I try to configure it, I get the above error. The weird thing is that when I update the systemd service file to run as root, everything works perfectly. For context, here is the systemd service file I'm trying to use.
Obviously I don't want to run Vault as root, but I still want to use this plugin. Can someone help me understand what linux permissions or capabilities I'd need to use a plugin in production as a non-root user?
At the very least I think this deserves looking into from an error point of view since the error message is probably hiding some underlying permissions error if I can run this as root but not as an unprivileged user.