search

hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/
Other
30.79k stars 4.17k forks source link

[agent] consul secrets not cached unless a login is issued first #11069

Open dekimsey opened 3 years ago

dekimsey commented 3 years ago

Describe the bug In contrast to example tutorials reading a secret (from Consul at least) doesn't seem to trigger caching. It only works if vault login -method=... is first issued.

To Reproduce

vault {
        address = "https://vault-cluster.vault.uuid.aws.hashicorp.cloud:8200"
}
auto_auth {
        method "aws" {
                mount_path = "auth/aws"
                config = {
                  type = "iam"
                  role = "..."
                }
        }
        sink "file" {
                config = {
                        path = "/dev/shm/.vault-token"
                }
        }
}
cache {
    use_auto_auth_token = true
}
listener "tcp" {
   address = "127.0.0.1:8100"
   tls_disable = true
}
  1. vault agent -config=agent.hcl
  2. Confirm agent starts and has authenticated successfully to Vault: 
    2021-03-09T21:15:03.254Z [INFO]  sink.file: token written: path=/dev/shm/.vault-token
2021-03-09T21:15:03.254Z [DEBUG] cache.leasecache: storing auto-auth token into the cache
2021-03-09T21:15:03.412Z [INFO]  auth.handler: renewed auth token
  3. Request a Consul ACL token: vault read -field=lease_id consul/creds/my-service
  4. Request a Consul ACL token (again): vault read -field=lease_id consul/creds/my-service
  5. Note the lease IDs have changed
  6. Run vault login -method=aws
  7. Request a Consul ACL token: vault read -field=lease_id consul/creds/my-service
  8. Request a Consul ACL token (again): vault read -field=lease_id consul/creds/my-service
  9. Note the lease IDs are stable and the agent will auto-renew.

As far as I can tell, this runs contrary to how the tutorial demonstrates caching should operate. It's not clear to me why this is. I'm guessing requesting a token somehow ties it to my shell's login session token (~/.vault-token).

2021-03-09T21:17:14.753Z [INFO]  cache: received request: method=GET path=/v1/consul/creds/my-service
2021-03-09T21:17:14.753Z [DEBUG] cache.leasecache: forwarding request: method=GET path=/v1/consul/creds/my-service
2021-03-09T21:17:14.753Z [INFO]  cache.apiproxy: forwarding request: method=GET path=/v1/consul/creds/my-service
2021-03-09T21:17:15.034Z [DEBUG] cache.leasecache: processing lease response: method=GET path=/v1/consul/creds/my-service
2021-03-09T21:17:15.034Z [DEBUG] cache.leasecache: pass-through lease response; token not managed by agent: method=GET path=/v1/consul/creds/my-service

vs

2021-03-09T21:17:58.232Z [DEBUG] cache.leasecache: forwarding request: method=GET path=/v1/consul/creds/my-service
2021-03-09T21:17:58.232Z [INFO]  cache.apiproxy: forwarding request: method=GET path=/v1/consul/creds/my-service
2021-03-09T21:17:58.511Z [DEBUG] cache.leasecache: processing lease response: method=GET path=/v1/consul/creds/my-service
2021-03-09T21:17:58.512Z [DEBUG] cache.leasecache: storing response into the cache: method=GET path=/v1/consul/creds/my-service
2021-03-09T21:17:58.512Z [DEBUG] cache.leasecache: initiating renewal: method=GET path=/v1/consul/creds/my-service
2021-03-09T21:17:58.619Z [DEBUG] cache.leasecache: secret renewed: path=/v1/consul/creds/my-service

Expected behavior Agent should auto-login and cache secrets issued through it. I'm not sure if that makes sense, but the tutorial and docs don't seem to mention this gap.

Environment:

Vault server configuration file(s):

n/a

Additional context Add any other context about the problem here.

HridoyRoy commented 3 years ago

Hi, I definitely think this warrants a docs change. Thanks!