search

hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0
465 stars 543 forks source link

vault_generic_secret gives "no secrets found" when unauthorised #638

Open GiamPy5 opened 4 years ago

GiamPy5 commented 4 years ago

Terraform Version

v0.12.10

Affected Resource(s)

Please list the resources as a list, for example:

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "vault_database_secret_backend_connection" "postgres" {
  backend       = "database"
  name          = "postgres-${var.environment}"
  allowed_roles = [local.vault_provisioner_role, local.vault_consumer_role]

  postgresql {
    connection_url = "postgres://{{username}}:{{password}}@${aws_db_instance.tarchon.endpoint}/${var.db_name}"
  }

  data = {
    username = var.db_username
    password = random_password.password.result
  }

  depends_on = ["aws_db_instance.tarchon"]
}

resource "vault_database_secret_backend_role" "consumer" {
  backend             = "database"
  name                = local.vault_consumer_role
  db_name             = vault_database_secret_backend_connection.postgres.name
  creation_statements = ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"]
}

data "vault_generic_secret" "database_credentials" {
  path       = "database/creds/${local.vault_consumer_role}"
  depends_on = ["vault_database_secret_backend_role.consumer"]
}

Debug Output

2019-12-19T15:09:02.203Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: -----------------------------------------------------
2019-12-19T15:09:02.204Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: 2019/12/19 15:09:02 [DEBUG] Vault API Request Details:
2019-12-19T15:09:02.204Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: ---[ REQUEST ]---------------------------------------
2019-12-19T15:09:02.204Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: GET /v1/database/creds/tarchon-consumer-prd HTTP/1.1
2019-12-19T15:09:02.204Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: Host: <censored>:443
2019-12-19T15:09:02.204Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: User-Agent: Go-http-client/1.1
2019-12-19T15:09:02.204Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: X-Vault-Namespace: <censored>/devops/tarchon
2019-12-19T15:09:02.204Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: X-Vault-Token: <censored>
2019-12-19T15:09:02.204Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: Accept-Encoding: gzip
2019-12-19T15:09:02.204Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: 
2019-12-19T15:09:02.204Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: 
2019-12-19T15:09:02.204Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: -----------------------------------------------------
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: 2019/12/19 15:09:02 [DEBUG] Vault API Response Details:
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: ---[ RESPONSE ]--------------------------------------
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: HTTP/1.1 403 Forbidden
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: Content-Length: 60
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: Cache-Control: no-store
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: Content-Type: application/json
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: Date: Thu, 19 Dec 2019 15:09:02 GMT
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: 
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: {
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4:  "errors": [
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4:   "1 error occurred:\n\t* permission denied\n\n"
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4:  ]
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: }
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: 
2019-12-19T15:09:02.210Z [DEBUG] plugin.terraform-provider-vault_v2.7.0_x4: -----------------------------------------------------
2019/12/19 15:09:02 [ERROR] <root>: eval: *terraform.EvalReadData, err: no secret found at "database/creds/tarchon-consumer-prd"
2019/12/19 15:09:02 [ERROR] <root>: eval: *terraform.EvalSequence, err: no secret found at "database/creds/tarchon-consumer-prd"
2019/12/19 15:09:02 [TRACE] [walkApply] Exiting eval tree: data.vault_generic_secret.database_credentials
2019/12/19 15:09:02 [TRACE] vertex "data.vault_generic_secret.database_credentials": visit complete

Panic Output

No panic output.

Expected Behavior

No permission denied should be given as Terraform response.

Actual Behavior

No secrets found was returned from Terraform.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Create an entity with a policy that does not have access to read from database/creds/:role.
  2. Read the credential using vault_generic_secret.
  3. terraform apply

Important Factoids

None.

References

None.

digitalray commented 1 year ago

I am seeing a similar problem with authenticating via approle.

provider "vault" {
  address = "https://redacted"
  skip_child_token = true

  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id: "redacted"
      secret_id: "redacted"
    }
  }
}

data "vault_generic_secret" "secret" {
  path = "kv-v1/application/nonprod/ID123/test"
}

When trying to retrieve the secret via some_key = data.vault_generic_secret.secret.data["some_key"], I am getting the following error.

ails:
---[ REQUEST ]---------------------------------------
GET /v1/sys/internal/ui/mounts/kv-v1/application/nonprod/ID123/test HTTP/1.1
Host: vault.ssnc-corp.cloud
User-Agent: Go-http-client/1.1
X-Vault-Request: true
X-Vault-Token: hmac-sha256:redacted
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2023-06-21T11:42:19.636-0700
2023-06-21T11:42:19.729-0700 [INFO]  provider.terraform-provider-vault_v3.16.0_x5: 2023/06/21 11:42:19 [DEBUG] Vault API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Content-Length: 33
Cache-Control: no-store
Content-Type: application/json
Date: Wed, 21 Jun 2023 18:42:19 GMT
Strict-Transport-Security: max-age=16070400

-----------------------------------------------------: timestamp=2023-06-21T11:42:19.728-0700
2023-06-21T11:42:19.729-0700 [INFO]  provider.terraform-provider-vault_v3.16.0_x5: 2023/06/21 11:42:19 [DEBUG] Vault API Request Details:
---[ REQUEST ]---------------------------------------
GET /v1/kv-v1/application/nonprod/ID123/test HTTP/1.1
Host: vault.ssnc-corp.cloud
User-Agent: Go-http-client/1.1
X-Vault-Request: true
X-Vault-Token: hmac-sha256:redacted
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2023-06-21T11:42:19.729-0700
2023-06-21T11:42:19.819-0700 [INFO]  provider.terraform-provider-vault_v3.16.0_x5: 2023/06/21 11:42:19 [DEBUG] Vault API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Content-Length: 33
Cache-Control: no-store
Content-Type: application/json
Date: Wed, 21 Jun 2023 18:42:19 GMT
Strict-Transport-Security: max-age=16070400

Please note that terraform is able to authenticate and gain a token via approle creds; however, it cannot get the data from the key path. I've also tried with namespace in both the auth_login block and in provider at the same time but it did not help. Writing a quick java app to validate the api call to /v1/kv-v1/application/nonprod/ID123/test after approle authentication and token succeeds.

digitalray commented 1 year ago

When I try the same path with non approle authentication, everything works as expected

provider "vault" {
address = "https://redacted"
skip_child_token = true
auth_login {
  path = "auth/ldap/login/${var.VAULT_USER }"
  parameters = { password: var.VAULT_PASSWORD }
  }
}

data "vault_generic_secret" "ssccloud_api_key" {
  path = "kv-v1/application/nonprod/ID123/test"
}

provider "ssccloud" {
  api_key = data.vault_generic_secret.ssccloud_api_key.data["api_key"]
}

---[ REQUEST ]---------------------------------------
GET /v1/sys/internal/ui/mounts/kv-v1/application/nonprod/ID123/testHTTP/1.1
Host: vault.ssnc-corp.cloud
User-Agent: Go-http-client/1.1
X-Vault-Request: true
X-Vault-Token: hmac-sha256:redacted
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2023-06-21T16:52:33.280-0700
2023-06-21T16:52:33.393-0700 [INFO]  provider.terraform-provider-vault_v3.16.0_x5: 2023/06/21 16:52:33 [DEBUG] Vault API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Content-Length: 454
Cache-Control: no-store
Content-Type: application/json
Date: Wed, 21 Jun 2023 23:52:33 GMT
Strict-Transport-Security: max-age=16070400

-----------------------------------------------------: timestamp=2023-06-21T16:52:33.392-0700
2023-06-21T16:52:33.394-0700 [INFO]  provider.terraform-provider-vault_v3.16.0_x5: 2023/06/21 16:52:33 [DEBUG] Vault API Request Details:
---[ REQUEST ]---------------------------------------
GET /v1/kv-v1/application/nonprod/ID123/testHTTP/1.1
Host: vault.ssnc-corp.cloud
User-Agent: Go-http-client/1.1
X-Vault-Request: true
X-Vault-Token: hmac-sha256:redacted
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2023-06-21T16:52:33.393-0700
2023-06-21T16:52:33.504-0700 [INFO]  provider.terraform-provider-vault_v3.16.0_x5: 2023/06/21 16:52:33 [DEBUG] Vault API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Content-Length: 513
Cache-Control: no-store
Content-Type: application/json
Date: Wed, 21 Jun 2023 23:52:33 GMT
Strict-Transport-Security: max-age=16070400