Closed get2arun closed 2 years ago
Did you have any luck with this issue?
It looks like the JWT you're using to log in is not for one of the configured bound service accounts on that role.
However, the app1-role specified in payload.json is only configured for the service accounts default and app1:
vault write "auth/ocp/role/app1-role" bound_service_account_names="default,app1" bound_service_account_namespaces="vault-demo" policies="app1-policy" ttl=1h
To successfully log in, you would need to use a JWT from one of those 2 service accounts.
Hope that helps, sorry for the long delay.
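As an added example (not code from the thread or from the Vault plugin), the helper below decodes the claims of a service-account JWT and applies the same bound-name/bound-namespace check the role performs, so the "service account name not authorized" error can be explained before calling Vault. The token builder is constructed for illustration only, and the handling of "*" follows Vault's documented wildcard for the bound_service_account_* options.

```python
import base64
import json

# Role exactly as written in the thread (auth/ocp/role/app1-role).
ROLE_APP1 = {
    "bound_service_account_names": ["default", "app1"],
    "bound_service_account_namespaces": ["vault-demo"],
}
SA_NAME_CLAIM = "kubernetes.io/serviceaccount/service-account.name"
SA_NS_CLAIM = "kubernetes.io/serviceaccount/namespace"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode a JWT's claims WITHOUT verifying the signature: enough to explain the
    error above. Vault validates the token via the Kubernetes TokenReview API."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]  # JWT segments omit base64 padding; restore it before decoding
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_bound_service_account(token: str, role: dict) -> tuple[bool, str]:
    """Mirror the role's bound_service_account_* check ('*' matches anything)."""
    claims = jwt_claims(token)
    name, ns = claims.get(SA_NAME_CLAIM), claims.get(SA_NS_CLAIM)
    if name is None or ns is None:
        return False, "token carries no Kubernetes service-account claims"
    names = role["bound_service_account_names"]
    namespaces = role["bound_service_account_namespaces"]
    if "*" not in namespaces and ns not in namespaces:
        return False, f"namespace {ns!r} not in {namespaces}"
    if "*" not in names and name not in names:
        return False, f"service account {name!r} not in {names}"
    return True, f"{ns}/{name} is bound to the role"

def make_sa_token(name: str, ns: str) -> str:
    """Constructed, unsigned token with the claim layout of a legacy SA-secret JWT."""
    payload = {"iss": "kubernetes/serviceaccount", SA_NS_CLAIM: ns, SA_NAME_CLAIM: name,
               "sub": f"system:serviceaccount:{ns}:{name}"}
    header = _b64url(b'{"alg":"RS256","kid":""}')
    return f"{header}.{_b64url(json.dumps(payload).encode())}.signature-placeholder"


if __name__ == "__main__":
    # The thread's payload.json carried the vault-auth reviewer token, not app1's.
    for sa in ("vault-auth", "app1"):
        print(sa, check_bound_service_account(make_sa_token(sa, "vault-demo"), ROLE_APP1))
```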
I am facing an issue logging in to the OpenShift approle created using the Kubernetes auth method for Vault authentication.
This could be a similar or the same issue as the one in the URL below: https://github.com/hashicorp/vault-plugin-auth-kubernetes/issues/49
I have vault running in minishift, exactly following this url, https://medium.com/hashicorp-engineering/vault-kubernetes-auth-method-for-openshift-9b9155590a6d?
On the OpenShift side, I executed the commands below.
Create OC project and token reviewer JWT:
oc login -u system:admin
oc new-project vault-demo
oc projects
oc create sa vault-auth
Create cluster role binding for vault-auth:
oc adm policy add-cluster-role-to-user \
    system:auth-delegator system:serviceaccount:vault-demo:vault-auth
oc serviceaccounts get-token vault-auth > reviewer_sa_jwt.txt
Let's create two more service accounts for applications:
oc create sa app1
oc create sa app2
My Vault addr is like below.
~/github/hashitvault$ echo $VAULT_ADDR
http://vault-myproject.192.168.42.186.nip.io
I am seeing the below error when logging in to "$VAULT_ADDR/v1/auth/ocp/login":
desktop-e470:~/hashitvault$ curl --request POST --data @payload.json "${VAULT_ADDR}/v1/auth/ocp/login"
{"errors":["service account name not authorized"]}
Below are the Vault commands executed as part of this exercise:
desktop-e470:~/hashitvault$ vault policy write app1-policy app1-policy.hcl
Success! Uploaded policy: app1-policy
desktop-e470:~/hashitvault$ cat app1-policy.hcl
path "secret/app1" {
  capabilities = ["read", "list"]
}
path "database/creds/app1" {
  capabilities = ["read", "list"]
}
desktop-e470:~/hashitvault$ vault policy read app1-policy
path "secret/app1" {
  capabilities = ["read", "list"]
}
path "database/creds/app1" {
  capabilities = ["read", "list"]
}
desktop-e470:~/hashitvault$ vault kv put secret/app1 username=app1 password=supasecr3t
Key              Value
created_time     2019-12-19T16:23:58.402322163Z
deletion_time    n/a
destroyed        false
version          1
desktop-e470:~/hashitvault$ reviewer_jwt="$(cat reviewer_sa_jwt.txt)"
desktop-e470:~/hashitvault$ vault write "auth/ocp/config" \
    token_reviewer_jwt="${reviewer_jwt}" \
    kubernetes_host="http://192.168.42.186:8443" \
    kubernetes_ca_cert=@/home/apurb/.minishift/ca.pem
Success! Data written to: auth/ocp/config
desktop-e470:~/hashitvault$ vault write "auth/ocp/role/app1-role" \
    bound_service_account_names="default,app1" \
    bound_service_account_namespaces="vault-demo" \
    policies="app1-policy" ttl=1h
Success! Data written to: auth/ocp/role/app1-role
desktop-e470:~/hashitvault$ curl -H "X-Vault-Token: s.hswgw3TIjDCTNmxbUSfT5hbP" \
desktop-e470:~/hashitvault$ cat payload.json
{
  "role": "app1-role",
  "jwt": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ2YXVsdC1kZW1vIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InZhdWx0LWF1dGgtdG9rZW4taHd4NjciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidmF1bHQtYXV0aCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjFjNDIxNWQyLTIyN2MtMTFlYS05YjZmLTUyNTQwMDk4YWMzOSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDp2YXVsdC1kZW1vOnZhdWx0LWF1dGgifQ.XzvbWRi2DUKnNzYoZYyJfKqHgQdxv8jg_75nHhmqTHAiYuz4-ABaqJokUTlrQGwsvw41V4rqEmc0CVF3MK_jgyUZzmpGnCNMySkRyYQw9TChhHUmOQDH9AKj6OOFcmAV811sQu9-qvVav4QlJPIW4cm6dHe-XHSNxuzqJ7OWScezqVDYaiWXBkcFpzEEisV6puXA7o5Npg-so2u0lW9bGEe9UP363ZyR3AYZ_rlZoRB-Gq7exGlN2TII0xUZDaBwbf9vDE_i3Zs_HFdNSBGsVFsG3-Xlw_iUTPTGTehDkSX7koYTT8GzjS9KR94TMVZdPLGH6txF4QfaRnWAvKgvOg"
}
desktop-e470:~/hashitvault$ curl --request POST --data @payload.json "${VAULT_ADDR}/v1/auth/ocp/login"
{"errors":["service account name not authorized"]}