tyrannosaurus-becks
commented
4 years ago Hi! Thanks for posting this issue and for providing such clear and simple issues to reproduce it.
I was able to reproduce it locally, as shown here:
Terminal output from reproduction
``` tbex@pop-os:~/Desktop$ echo $VAULT_NAMESPACE tbex@pop-os:~/Desktop$ vault namespace create my_namespace Key Value --- ----- id Np3h5 path my_namespace/ tbex@pop-os:~/Desktop$ export VAULT_NAMESPACE=my_namespace tbex@pop-os:~/Desktop$ vault auth enable approle Success! Enabled approle auth method at: approle/ tbex@pop-os:~/Desktop$ vault write auth/approle/role/my-role \ > secret_id_ttl=10m \ > token_num_uses=10 \ > token_ttl=20m \ > token_max_ttl=30m \ > secret_id_num_uses=40 Success! Data written to: auth/approle/role/my-role tbex@pop-os:~/Desktop$ vault read auth/approle/role/my-role/role-id Key Value --- ----- role_id 8b8cb2af-b537-4e14-bb70-a9b8aafb192a tbex@pop-os:~/Desktop$ vault write -f auth/approle/role/my-role/secret-id Key Value --- ----- secret_id d28bf5c9-d86e-508f-007f-6fc96ba243b2 secret_id_accessor 9b0a726c-7316-5924-d3c1-d0bc72036122 # Write the role and secret ids to files at the path in my config below. tbex@pop-os:~/Desktop$ nano role-id tbex@pop-os:~/Desktop$ nano secret-id tbex@pop-os:~/Desktop$ cat agent-config.hcl pid_file = "./vault-agent.pid" vault { address = "https://vault.addr" } auto_auth { method "approle" { namespace = "my_namespace" config = { role_id_file_path = "/home/tbex/Desktop/role-id" secret_id_file_path = "/home/tbex/Desktop/secret-id" } } sink "file" { config = { path = "./token" } } } tbex@pop-os:~/Desktop$ vault agent -config ./agent-config.hcl ==> Vault server started! Log data will stream in below: ==> Vault agent configuration: Cgo: disabled Log Level: info Version: Vault v1.4.0-beta1+prem Version Sha: c72252484bec69cf73e6299bd705fbf297a48f4c 2020-03-11T15:09:41.082-0700 [INFO] sink.file: creating file sink 2020-03-11T15:09:41.082-0700 [INFO] sink.file: file sink configured: path=./token mode=-rw-r----- 2020-03-11T15:09:41.082-0700 [INFO] sink.server: starting sink server 2020-03-11T15:09:41.082-0700 [INFO] auth.handler: starting auth handler 2020-03-11T15:09:41.082-0700 [INFO] auth.handler: authenticating 2020-03-11T15:09:41.082-0700 [INFO] template.server: starting template server 2020-03-11T15:09:41.082-0700 [INFO] template.server: no templates found 2020-03-11T15:09:41.082-0700 [INFO] template.server: template server stopped 2020-03-11T15:09:41.084-0700 [ERROR] auth.handler: error authenticating: error="Error making API request. URL: PUT http://localhost:8200/v1/my_namespace/auth/approle/login Code: 404. Errors: * no handler for route 'my_namespace/auth/approle/login'" backoff=2.942328953 2020-03-11T15:09:44.026-0700 [INFO] auth.handler: authenticating 2020-03-11T15:09:44.027-0700 [ERROR] auth.handler: error authenticating: error="Error making API request. URL: PUT http://localhost:8200/v1/my_namespace/auth/approle/login Code: 404. Errors: * no handler for route 'my_namespace/auth/approle/login'" backoff=2.672276819 2020-03-11T15:09:46.700-0700 [INFO] auth.handler: authenticating 2020-03-11T15:09:46.701-0700 [ERROR] auth.handler: error authenticating: error="Error making API request. URL: PUT http://localhost:8200/v1/my_namespace/auth/approle/login Code: 404. Errors: * no handler for route 'my_namespace/auth/approle/login'" backoff=2.674011764 2020-03-11T15:09:49.375-0700 [INFO] auth.handler: authenticating 2020-03-11T15:09:49.376-0700 [ERROR] auth.handler: error authenticating: error="Error making API request. URL: PUT http://localhost:8200/v1/my_namespace/auth/approle/login Code: 404. Errors: * no handler for route 'my_namespace/auth/approle/login'" backoff=2.066340913 ^C==> Vault agent shutdown triggered 2020-03-11T15:09:49.551-0700 [INFO] sink.server: sink server stopped 2020-03-11T15:09:49.551-0700 [INFO] auth.handler: auth handler stopped tbex@pop-os:~/Desktop$ unset VAULT_NAMESPACE # rewrite the secret-id which was deleted at the end of the run earlier tbex@pop-os:~/Desktop$ nano secret-id tbex@pop-os:~/Desktop$ vault agent -config ./agent-config.hcl ==> Vault server started! Log data will stream in below: ==> Vault agent configuration: Cgo: disabled Log Level: info Version: Vault v1.4.0-beta1+prem Version Sha: c72252484bec69cf73e6299bd705fbf297a48f4c 2020-03-11T15:10:37.110-0700 [INFO] sink.file: creating file sink 2020-03-11T15:10:37.110-0700 [INFO] sink.file: file sink configured: path=./token mode=-rw-r----- 2020-03-11T15:10:37.110-0700 [INFO] sink.server: starting sink server 2020-03-11T15:10:37.110-0700 [INFO] auth.handler: starting auth handler 2020-03-11T15:10:37.110-0700 [INFO] auth.handler: authenticating 2020-03-11T15:10:37.110-0700 [INFO] template.server: starting template server 2020-03-11T15:10:37.110-0700 [INFO] template.server: no templates found 2020-03-11T15:10:37.110-0700 [INFO] template.server: template server stopped 2020-03-11T15:10:37.112-0700 [INFO] auth.handler: authentication successful, sending token to sinks 2020-03-11T15:10:37.112-0700 [INFO] auth.handler: starting renewal process 2020-03-11T15:10:37.113-0700 [INFO] sink.file: token written: path=./token 2020-03-11T15:10:37.115-0700 [INFO] auth.handler: renewed auth token ^C==> Vault agent shutdown triggered 2020-03-11T15:10:42.766-0700 [INFO] sink.server: sink server stopped 2020-03-11T15:10:42.766-0700 [INFO] auth.handler: shutdown triggered, stopping lifetime watcher 2020-03-11T15:10:42.766-0700 [INFO] auth.handler: auth handler stopped ```I think what's happening is that in your issue, it's trying to access a namespace of my_namespace within my_namespace, so essentially, a sub-namespace, and it's not authorized to do so. So essentially, if you'd exported a namespace of "fizz", and in your config you used a namespace of "buzz", then the agent would be looking for https://vault.addr/v1/buzz/auth/approle/login from within the namespace of "fizz".
I do like the idea of Vault using precedence logic rather than attempting to access that namespace from the one you're in. As such, marking this as a bug since I think it's reasonable to expect different behavior.
So, basically, the expected behavior in the fizz/buzz example would be that perhaps the env var would take precedence, and Vault would solely look inside the "fizz" namespace. If you actually wanted it to look into "fizz/buzz", you would say that explicitly in either the env var or the config, with the env var taking precedence.
Describe the bug When starting vault in agent mode with a config file and directing it to auto-auth an approle, specifying the namespace in the configuration file as well as the environment causes an HTTP400/HTTP403 error (depending on if you're in windows or linux)
Specifying the namespace in only one place, ENV or Config file works as expected.
To Reproduce Steps to reproduce the behavior:
Expected behavior Specifying the namespace in two places should trigger precedence logic where one negates the other. It appears that something is making this additive and producing an invalid request.
Environment:
vault status): Vault v1.3.2 (I don't operate the server, but this is what I'm told)vault version): Vault v1.3.2Vault AGENT configuration file(s):