hashicorp / vault-service-broker

The official HashiCorp Vault broker integration for the Open Service Broker API. This service broker provides secure secret storage and encryption-as-a-service backed by HashiCorp Vault.
https://www.vaultproject.io/
Mozilla Public License 2.0

using name-space in vault #44

Closed. DAODevOps closed this 2 years ago

DAODevOps commented 5 years ago

When using a Vault namespace, the service broker puts its information correctly into the vault. When I try to bind to a service, the policy fails to create. It looks like the policy write is not appending the namespace to the policy write. I was set up with a Vault token created based on the service-broker sample policy. I added all of the namespace entry points to the policy to cover coming in through a nested namespace, /devops/cicd as the namespace. NOTE: the token and policy I created were in the namespace.

```
2019-02-25T10:48:58.05-0600 [APP/PROC/WEB/0] OUT [DEBUG] creating new policy cf-8cdb5f48-0315-44da-b912-00ab1677ffb9
2019-02-25T10:48:58.16-0600 [APP/PROC/WEB/0] OUT [ERR] failed to create policy cf-8cdb5f48-0315-44da-b912-00ab1677ffb9: Error making API request. URL: PUT https://hcvault-nonprod.dell.com/v1/sys/policies/acl/cf-8cdb5f48-0315-44da-b912-00ab1677ffb9 Code: 403. Errors: 1 error occurred: permission denied
2019-02-25T10:48:58.16-0600 [RTR/1] OUT vault-broker-hilarious-swan.ausvdc02.pcf.dell.com - [2019-02-25T16:48:57.745+0000] "PUT /v2/service_instances/8cdb5f48-0315-44da-b912-00ab1677ffb9/service_bindings/f505dfa2-b30f-41aa-be38-f3d0b2da55ce HTTP/1.1" 500 428 284 "-" "HTTPClient/1.0 (2.8.3, ruby 2.4.2 (2017-09-14))" "10.32.27.76:58798" "172.16.1.8:61030" x_forwarded_for:"10.175.172.11, 10.32.27.76" x_forwarded_proto:"https" vcap_request_id:"d61ddf9e-989e-4f4f-465f-1f6ac642b9e1" response_time:0.416970695 app_id:"24180243-0a86-4e82-a3ab-8626ed5800fc" app_index:"0" x_b3_traceid:"f9e7bfaa05814ef6" x_b3_spanid:"f9e7bfaa05814ef6" x_b3_parentspanid:"-"
```

tvoran commented 2 years ago

Hi there, I suspect this was caused by the switch from sys/policy to sys/policies/acl in the Vault client (https://github.com/hashicorp/vault/pull/5583). We'll get the README updated!
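The 403 in the log above is on `PUT .../v1/sys/policies/acl/cf-...`, so the broker's token needs a grant on that path, not only on the older `sys/policy/...` path. The following policy fragment is an added example, not the project's README sample policy: it shows only the policy-management grants, with the broker's other grants (mounts, token create and revoke) omitted as unchanged. It assumes the broker's policy prefix is `cf-` and that the policy and the broker's token are both created inside the namespace `devops/cicd`; paths in a policy written inside a namespace are relative to that namespace, so they carry no `devops/cicd/` prefix.

```hcl
# Added example, not the project's own sample policy.
# Assumptions: policy prefix "cf-", policy written inside namespace "devops/cicd"
# (so paths below are relative to that namespace), broker token holds this policy.

# Old endpoint: what a pre-change sample policy grants. Vault still serves
# sys/policy, but this line does not cover writes through sys/policies/acl.
path "sys/policy/cf-*" {
  capabilities = ["create", "read", "update", "delete"]
}

# New endpoint: the newer Vault Go client writes ACL policies here, which is
# the path that returned 403 in the broker log. Grant it alongside the old one.
path "sys/policies/acl/cf-*" {
  capabilities = ["create", "read", "update", "delete"]
}
```

To confirm the fix from the broker's token before retrying a bind, run `vault token capabilities -namespace=devops/cicd sys/policies/acl/cf-test` with that token; the result should list `create` and `update` rather than `deny`.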