hashicorp / vault-plugin-secrets-alicloud

Dynamic secrets for Alibaba Cloud.
Mozilla Public License 2.0
1 star, 8 forks

secret is missing inline_policies internal data #49

Open lonegunmanb opened 4 years ago

lonegunmanb commented 4 years ago

Hello there,

I followed the docs, wrote the policy-based role as described there, and created a lease:

$ vault read alicloud/creds/policy-based
Key                Value
---                -----
lease_id           alicloud/creds/policy-based/HhFLFROWDeftRtwTJwtw5XuJ
lease_duration     768h
lease_renewable    true
access_key         LTAI4FtEqaL5JTy6hFvSdkAH
secret_key         pPkGJMcxWV4I4JElfd19bt6rKtv6sx

$ vault read alicloud/role/policy-based
Key                Value
---                -----
inline_policies    [map[hash:8d5db9715fa1fd38c1609a65bf5a453d policy_document:map[Statement:[map[Action:[ram:CreateAccessKey ram:DeleteAccessKey ram:CreatePolicy ram:DeletePolicy ram:AttachPolicyToUser ram:DetachPolicyFromUser ram:CreateUser ram:DeleteUser sts:AssumeRole] Effect:Allow Resource:*]] Version:1]]]
max_ttl            0s
remote_policies    <nil>
role_arn           n/a
ttl                0s

When I revoked the lease, the access key was deleted successfully, but the policies and the user remained. The Vault server showed this error log:

2020-03-16T17:23:36.787+0800 [ERROR] expiration: failed to revoke lease: lease_id=alicloud/creds/policy-based/HhFLFROWDeftRtwTJwtw5XuJ error="failed to revoke entry: resp: (*logical.Response)(nil) err: secret is missing inline_policies internal data"

This points to line 141 in path_secrets.go:

// Inline policies are currently stored as remote policies, because they have been
// instantiated remotely and we need their name and type to now detach and delete them.
inlinePolicies, err := getRemotePolicies(req.Secret.InternalData, "inline_policies")
if err != nil {
    // This shouldn't be part of the multierror because if it returns empty inline policies,
    // then we won't go through the inlinePolicies loop and we'll think we're successful
    // when we actually didn't delete the inlinePolicies we need to.
    return nil, err
}

Have I done something wrong? Thanks.

lonegunmanb commented 4 years ago

I've built the plugin from source and debugged it on localhost. Now the plugin doesn't complain about not finding inline_policies, but about missing remote_policies, and I've found the problem. In path_secrets.go, line 159:

// These just need to be detached, but we're not going to delete them because they're
// supposed to be longstanding.
remotePolicies, err := getRemotePolicies(req.Secret.InternalData, "remote_policies")
if err != nil {
    // This shouldn't be part of the multierror because if it returns empty remote policies,
    // then we won't go through the remotePolicies loop and we'll think we're successful
    // when we actually didn't delete the remotePolicies we need to.
    return nil, err
}

The lease created has no remote_policies, as we can see from reading alicloud/role/policy-based. We can just skip detaching remote policies. I've submitted a pull request: #50
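Added example, not part of this thread, of the plugin's code or of pull request #50: a self-contained Go sketch of the revocation shape the two comments above argue for. Reading a policy list from the lease's internal data treats an absent key as "no policies of this kind" rather than as an error, so a role with no remote_policies can no longer abort the whole revocation and leave the RAM user and its policies behind; a key that is present but malformed is still an error, because then the plugin cannot know what to delete and must not report success. Everything else here is assumed for illustration: the `ramClient` interface, the `recordingRAM` stand-in, the internal-data keys `username` and `access_key_id`, and the sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// remotePolicy is the name/type pair needed to detach a policy later; the field names and
// internal-data keys used here are assumptions for this example, not the plugin's format.
type remotePolicy struct{ Name, Type string }

// policiesFromInternalData reads the policy list stored under key. An absent key yields an empty
// slice (no policies of this kind) rather than an error; only a present but malformed value fails.
func policiesFromInternalData(internal map[string]interface{}, key string) ([]remotePolicy, error) {
	raw, ok := internal[key]
	if !ok || raw == nil {
		return []remotePolicy{}, nil
	}
	list, ok := raw.([]interface{})
	if !ok {
		return nil, fmt.Errorf("%s internal data is malformed", key)
	}
	out := make([]remotePolicy, 0, len(list))
	for _, item := range list {
		m, _ := item.(map[string]interface{}) // nil map if item is not a map; lookups then yield ""
		name, _ := m["name"].(string)
		typ, _ := m["type"].(string)
		if name == "" || typ == "" {
			return nil, fmt.Errorf("%s entry is missing name or type", key)
		}
		out = append(out, remotePolicy{name, typ})
	}
	return out, nil
}

// ramClient is the subset of RAM operations revocation needs (a hypothetical interface).
type ramClient interface {
	DeleteAccessKey(user, keyID string) error
	DetachPolicy(user, name, typ string) error
	DeletePolicy(name, typ string) error
	DeleteUser(user string) error
}

// revokeUser removes the access key, inline policies (detach, then delete), remote policies (detach
// only) and finally the user, collecting per-call failures so cleanup continues but still reports them.
func revokeUser(c ramClient, internal map[string]interface{}) error {
	user, _ := internal["username"].(string)
	if user == "" {
		return fmt.Errorf("secret is missing username internal data")
	}
	inline, err := policiesFromInternalData(internal, "inline_policies")
	if err != nil {
		return err // we cannot know what to delete, so never report success
	}
	remote, err := policiesFromInternalData(internal, "remote_policies")
	if err != nil {
		return err
	}
	var failures []string
	record := func(err error) {
		if err != nil {
			failures = append(failures, err.Error())
		}
	}
	keyID, _ := internal["access_key_id"].(string)
	record(c.DeleteAccessKey(user, keyID))
	for _, p := range inline {
		if err := c.DetachPolicy(user, p.Name, p.Type); err != nil {
			record(err)
			continue // still attached, so leave it in place rather than half-delete it
		}
		record(c.DeletePolicy(p.Name, p.Type))
	}
	for _, p := range remote {
		record(c.DetachPolicy(user, p.Name, p.Type))
	}
	record(c.DeleteUser(user))
	if len(failures) > 0 {
		return fmt.Errorf("revocation incomplete: %s", strings.Join(failures, "; "))
	}
	return nil
}

// recordingRAM is a constructed in-memory stand-in that records calls in order.
type recordingRAM struct{ calls []string }

func (r *recordingRAM) DeleteAccessKey(u, k string) error { r.calls = append(r.calls, "DeleteAccessKey "+u+" "+k); return nil }
func (r *recordingRAM) DetachPolicy(u, n, t string) error { r.calls = append(r.calls, "DetachPolicy "+u+" "+n+" "+t); return nil }
func (r *recordingRAM) DeletePolicy(n, t string) error    { r.calls = append(r.calls, "DeletePolicy "+n+" "+t); return nil }
func (r *recordingRAM) DeleteUser(u string) error         { r.calls = append(r.calls, "DeleteUser "+u); return nil }

// sampleLease is constructed to mirror the issue: one inline policy and no remote_policies key.
func sampleLease() map[string]interface{} {
	return map[string]interface{}{"username": "vault-policy-based-example", "access_key_id": "LTAI-EXAMPLE",
		"inline_policies": []interface{}{map[string]interface{}{"name": "vault-inline-example", "type": "Custom"}}}
}

func main() {
	ram := &recordingRAM{}
	fmt.Println(revokeUser(ram, sampleLease()), ram.calls)
}
```

Running `main` against the constructed lease prints a nil error followed by the four RAM calls in dependency order (key, detach, delete policy, delete user). The ordering matters for the failure mode in the thread: a RAM user still holding attached policies cannot be cleanly removed, so detaching comes before deleting, and a detach failure skips the delete of that policy rather than stopping the whole revocation; the collected failures are what should end up in Vault's expiration log instead of a silent success.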