hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Vault MFA method deleted before Entity MFA secrets #18241

Open ArchiFleKs opened 1 year ago

ArchiFleKs commented 1 year ago

Describe the bug

Hi,

I recently tried to use MFA on Vault v1.10.3 OSS. I created a method:

vault write -field=method_id identity/mfa/method/totp issuer=vault period=30 key_size=30 qr_size=200 algorithm=SHA256 digits=6 name=archifleks   

Then I created a secret for my entity:

 vault write identity/mfa/method/totp/admin-generate method_id=8a0e6dca-eb99-675f-cdee-eba62162f59a entity_id=7a86d562-f3ef-a921-4bc5-804833fce9e5

Then I created a login enforcement, and everything worked as intended. I then proceeded to clean up and redo everything properly. I deleted the method first (which I shouldn't have):

vault delete identity/mfa/method/totp/8a0e6dca-eb99-675f-cdee-eba62162f59a

Now I can't seem to recover because there is already a method associated with my entity but the method does not exist anymore, and I can't add another TOTP secret to my entity:

vault write identity/mfa/method/totp/admin-destroy entity_id=ae6b9cb7-ded3-2a7b-a45b-e2db6905ecfc method_id=8a0e6dca-eb99-675f-cdee-eba62162f59a
Error writing data to identity/mfa/method/totp/admin-destroy: Error making API request.

URL: PUT https://vault.devnet.kiln.fi/v1/identity/mfa/method/totp/admin-destroy
Code: 400. Errors:

* configuration for method ID "8a0e6dca-eb99-675f-cdee-eba62162f59a" does not exist

Error when trying to add new secret on my entity:

vault write identity/mfa/method/totp/admin-generate method_id=07cf08d4-1bd7-12e5-e972-345c69e4de37 entity_id=ae6b9cb7-ded3-2a7b-a45b-e2db6905ecfc
{
  "request_id": "2a70e100-b683-af73-b85b-0e64e33ea7ef",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": null,
  "warnings": [
    "Entity already has a secret for MFA method \"\""
  ]
}

Any idea how to recover from this? Is there any way to get the secret associated with the entity from the CLI, and to force-remove it?

Expected behavior

I should be able to remove the secret from the identity even if the method has been removed, or the method removal should be prevented if it is in use.

Environment:
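An added pre-deletion check, not code from this issue or from Vault itself: it parses the JSON of `vault read -format=json identity/entity/id/<id>` and `vault read -format=json identity/mfa/login-enforcement/<name>` and reports everything that still references a TOTP method ID, so an operator can refuse the `vault delete` while entity secrets or enforcements depend on it. The `mfa_secrets` field name and its keying by method ID are assumptions; the sample documents are constructed from the IDs in the report.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed samples in the shape of `vault read -format=json` output for an entity and a
// login enforcement. Assumption: entity TOTP secrets appear under data.mfa_secrets keyed by method ID.
const sampleEntity = `{"data":{"id":"7a86d562-f3ef-a921-4bc5-804833fce9e5","name":"archifleks","mfa_secrets":{"8a0e6dca-eb99-675f-cdee-eba62162f59a":{}}}}`
const sampleEnforcement = `{"data":{"name":"require-totp","mfa_method_ids":["8a0e6dca-eb99-675f-cdee-eba62162f59a"]}}`

// vaultRead holds the fields needed from either response; Vault wraps both under "data".
type vaultRead struct {
	Data struct {
		ID           string                     `json:"id"`
		Name         string                     `json:"name"`
		MFASecrets   map[string]json.RawMessage `json:"mfa_secrets"`
		MFAMethodIDs []string                   `json:"mfa_method_ids"`
	} `json:"data"`
}

// methodReferences lists every entity secret and login enforcement that still points at
// methodID. Run it before `vault delete identity/mfa/method/totp/<id>`: empty means nothing is orphaned.
func methodReferences(methodID string, reads []string) ([]string, error) {
	var refs []string
	for _, raw := range reads {
		var v vaultRead
		if err := json.Unmarshal([]byte(raw), &v); err != nil {
			return nil, err
		}
		if _, ok := v.Data.MFASecrets[methodID]; ok {
			refs = append(refs, "entity "+v.Data.ID+" holds a secret for this method")
		}
		for _, id := range v.Data.MFAMethodIDs {
			if id == methodID {
				refs = append(refs, "login enforcement "+v.Data.Name+" requires this method")
			}
		}
	}
	return refs, nil
}

func main() {
	refs, err := methodReferences("8a0e6dca-eb99-675f-cdee-eba62162f59a", []string{sampleEntity, sampleEnforcement})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d blocking reference(s): %q\n", len(refs), refs) // non-zero: do not delete the method yet
}
```

In a real run, feed the function the outputs of `vault list identity/entity/id` and `vault list identity/mfa/login-enforcement` read one by one; the method is only safe to delete once the list is empty.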

art-niu commented 1 year ago

I have the same issue in Vault v1.12.2, any workaround?

adis3421 commented 1 year ago

I confirm that I have version 1.12.2