hashicorp / vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
https://www.vaultproject.io/docs/auth/kubernetes.html
Mozilla Public License 2.0

vault kubernetes auth error - service account name not authorized #79

Closed get2arun closed 2 years ago

get2arun commented 4 years ago

I am facing an issue logging in to an OpenShift approle created using the Kubernetes auth method for Vault authentication.

This could be a similar or the same issue as the one in the URL below: https://github.com/hashicorp/vault-plugin-auth-kubernetes/issues/49

I have Vault running in minishift, exactly following this URL: https://medium.com/hashicorp-engineering/vault-kubernetes-auth-method-for-openshift-9b9155590a6d?

On the OpenShift side, I executed the commands below.

Create the OC project and the token reviewer JWT:

```
oc login -u system:admin
oc new-project vault-demo
oc projects
oc create sa vault-auth
```

Create a cluster role binding for vault-auth:

```
oc adm policy add-cluster-role-to-user \
  system:auth-delegator system:serviceaccount:vault-demo:vault-auth
oc serviceaccounts get-token vault-auth > reviewer_sa_jwt.txt
```

Let's create two more service accounts for applications:

```
oc create sa app1
oc create sa app2
```

My Vault address is like below:

```
~/github/hashitvault$ echo $VAULT_ADDR
http://vault-myproject.192.168.42.186.nip.io
```

I am seeing the below error when logging in to "$VAULT_ADDR/v1/auth/ocp/login":

```
desktop-e470:~/hashitvault$ curl --request POST --data @payload.json "${VAULT_ADDR}/v1/auth/ocp/login"
{"errors":["service account name not authorized"]}
```

Below are the Vault commands executed as part of this exercise:

```
desktop-e470:~/hashitvault$ vault policy write app1-policy app1-policy.hcl
Success! Uploaded policy: app1-policy

desktop-e470:~/hashitvault$ cat app1-policy.hcl
path "secret/app1" {
  capabilities = ["read", "list"]
}
path "database/creds/app1" {
  capabilities = ["read", "list"]
}

desktop-e470:~/hashitvault$ vault policy read app1-policy
path "secret/app1" {
  capabilities = ["read", "list"]
}
path "database/creds/app1" {
  capabilities = ["read", "list"]
}

desktop-e470:~/hashitvault$ vault kv put secret/app1 username=app1 password=supasecr3t
Key              Value
---              -----
created_time     2019-12-19T16:23:58.402322163Z
deletion_time    n/a
destroyed        false
version          1

desktop-e470:~/hashitvault$ vault write "auth/ocp/config" \
    token_reviewer_jwt="${reviewer_jwt}" \
    kubernetes_host="http://192.168.42.186:8443" \
    kubernetes_ca_cert=@/home/apurb/.minishift/ca.pem
Success! Data written to: auth/ocp/config

desktop-e470:~/hashitvault$ vault write "auth/ocp/role/app1-role" \
    bound_service_account_names="default,app1" \
    bound_service_account_namespaces="vault-demo" \
    policies="app1-policy" ttl=1h
Success! Data written to: auth/ocp/role/app1-role

desktop-e470:~/hashitvault$ reviewer_jwt="$(cat reviewer_sa_jwt.txt)"

desktop-e470:~/hashitvault$ vault write "auth/ocp/config" token_reviewer_jwt="${reviewer_jwt}" kubernetes_host="http://192.168.42.186:8443" kubernetes_ca_cert=@/home/apurb/.minishift/ca.pem
Success! Data written to: auth/ocp/config

desktop-e470:~/hashitvault$ vault write "auth/ocp/role/app1-role" bound_service_account_names="default,app1" bound_service_account_namespaces="vault-demo" policies="app1-policy" ttl=1h
Success! Data written to: auth/ocp/role/app1-role

desktop-e470:~/hashitvault$ curl -H "X-Vault-Token: s.hswgw3TIjDCTNmxbUSfT5hbP" \
    "${VAULT_ADDR}/v1/secret/data/app1"
{"request_id":"06846c6f-7405-19f0-971b-f4715ae7b180","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"password":"supasecr3t","username":"app1"},"metadata":{"created_time":"2019-12-19T16:23:58.402322163Z","deletion_time":"","destroyed":false,"version":1}},"wrap_info":null,"warnings":null,"auth":null}

cat payload.json
{
  "role": "app1-role",
  "jwt": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ2YXVsdC1kZW1vIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InZhdWx0LWF1dGgtdG9rZW4taHd4NjciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidmF1bHQtYXV0aCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjFjNDIxNWQyLTIyN2MtMTFlYS05YjZmLTUyNTQwMDk4YWMzOSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDp2YXVsdC1kZW1vOnZhdWx0LWF1dGgifQ.XzvbWRi2DUKnNzYoZYyJfKqHgQdxv8jg_75nHhmqTHAiYuz4-ABaqJokUTlrQGwsvw41V4rqEmc0CVF3MK_jgyUZzmpGnCNMySkRyYQw9TChhHUmOQDH9AKj6OOFcmAV811sQu9-qvVav4QlJPIW4cm6dHe-XHSNxuzqJ7OWScezqVDYaiWXBkcFpzEEisV6puXA7o5Npg-so2u0lW9bGEe9UP363ZyR3AYZ_rlZoRB-Gq7exGlN2TII0xUZDaBwbf9vDE_i3Zs_HFdNSBGsVFsG3-Xlw_iUTPTGTehDkSX7koYTT8GzjS9KR94TMVZdPLGH6txF4QfaRnWAvKgvOg"
}

desktop-e470:~/hashitvault$ curl --request POST --data @payload.json "${VAULT_ADDR}/v1/auth/ocp/login"
{"errors":["service account name not authorized"]}
```

rishi1111 commented 3 years ago

Did you have any luck with this issue?

tomhjp commented 2 years ago

It looks like the JWT you're using to log in is not for one of the configured bound service accounts on that role.

[Decoding the JWT](https://gchq.github.io/CyberChef/#recipe=JWT_Decode()&input=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) gives a service account name of vault-auth.

However, the app1-role specified in payload.json is only configured for the service accounts default and app1:

```
vault write "auth/ocp/role/app1-role" bound_service_account_names="default,app1" bound_service_account_namespaces="vault-demo" policies="app1-policy" ttl=1h
```

To successfully log in, you would need to use a JWT from one of those 2 service accounts.

Hope that helps, sorry for the long delay.
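A small diagnostic that reproduces the check behind this error, added here as an example and not code from the plugin or from anyone in this thread: it reads the service-account namespace and name claims out of a Kubernetes service-account JWT (without verifying the signature, which Vault leaves to the API server's TokenReview) and compares them against a role's bound names and namespaces. The token builder, the role dict and the namespace error wording are constructed assumptions; the name error string is the one quoted in the issue.

```python
import base64
import json

# Claim names Kubernetes puts in service-account tokens (as seen when the
# JWT in this thread is decoded).
NS_CLAIM = "kubernetes.io/serviceaccount/namespace"
NAME_CLAIM = "kubernetes.io/serviceaccount/service-account.name"


def _b64url_decode(seg: str) -> bytes:
    # JWT segments are base64url without padding; restore padding first.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sa_claims(jwt: str) -> dict:
    # Diagnostic only: the signature is NOT checked here. Vault trusts these
    # claims only after the Kubernetes API server confirms them via TokenReview.
    _header, payload, _sig = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def check_role(jwt: str, role: dict):
    # Mirror the bound_service_account_* checks of a Vault Kubernetes auth
    # role. Returns None if the token would be accepted, else the reason.
    claims = sa_claims(jwt)
    names = role["bound_service_account_names"]
    namespaces = role["bound_service_account_namespaces"]
    # "*" is the wildcard the role parameters accept.
    if "*" not in names and claims.get(NAME_CLAIM) not in names:
        return "service account name not authorized"  # string from the issue
    if "*" not in namespaces and claims.get(NS_CLAIM) not in namespaces:
        return "namespace not authorized"  # assumed wording
    return None


def make_unsigned_token(namespace: str, name: str) -> str:
    # Constructed sample token: real claim layout, dummy signature.
    header = {"alg": "RS256", "kid": ""}
    payload = {"iss": "kubernetes/serviceaccount", NS_CLAIM: namespace,
               NAME_CLAIM: name, "sub": f"system:serviceaccount:{namespace}:{name}"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"dummy-signature")])


# The app1-role as written in this thread.
APP1_ROLE = {"bound_service_account_names": ["default", "app1"],
             "bound_service_account_namespaces": ["vault-demo"]}

if __name__ == "__main__":
    # The reviewer SA's token (vault-auth) is rejected; an app1 token passes.
    print(check_role(make_unsigned_token("vault-demo", "vault-auth"), APP1_ROLE))
    print(check_role(make_unsigned_token("vault-demo", "app1"), APP1_ROLE))
```

Pasting the real JWT from payload.json into `sa_claims` shows the same vault-auth name tomhjp found, which is why the login is refused.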