Given some lease ID, the current implementation of this driver generates a request for the endpoint /v1/sys/leases/renew/<lease ID> and includes only the increment in the body. See Leases.java.
Per Hashicorp's documentation the lease renew API endpoint is v1/sys/leases/renew and the lease ID should be included in the payload under the field lease_id in a JSON object. e.g.
Get a renewable lease secret, e.g. something like database/... and attempt to renew the lease ID by calling something equivalent to below.
vault.sys().leases().renew(leaseId, 3600);
Exception in thread "main" io.github.jopenlibs.vault.VaultException: Expecting HTTP status 200, but instead receiving 403
at io.github.jopenlibs.vault.api.sys.Leases.lambda$renew$3(Leases.java:203)
at io.github.jopenlibs.vault.api.OperationsBase.retry(OperationsBase.java:31)
at io.github.jopenlibs.vault.api.OperationsBase.retry(OperationsBase.java:19)
at io.github.jopenlibs.vault.api.sys.Leases.renew(Leases.java:186)
Corresponding curl commands behave similarly (work with the documented endpoint + payload, 403 with jopenlibs endpoint + payload):
Mistake on my part - this was a limitation of the role policy which allows the use of the deprecated endpoint /sys/renew/... but not the current endpoint /sys/leases/renew/...
Describe the bug
Given some lease ID, the current implementation of this driver generates a request for the endpoint
/v1/sys/leases/renew/<lease ID>
and includes only the increment in the body. See Leases.java.Per Hashicorp's documentation the lease renew API endpoint is
v1/sys/leases/renew
and the lease ID should be included in the payload under the fieldlease_id
in a JSON object. e.g.You can similarly confirm this with the CLI e.g.
Note: Hashicorp vault uses, and generates, PUTs which appear to work as well as the POSTs described in their own docs.
Looking at hashicorps own vault leases interactions I don't see a point at which the lease ID was expected in the URL:
To Reproduce
Get a renewable lease secret, e.g. something like
database/...
and attempt to renew the lease ID by calling something equivalent to below.Corresponding curl commands behave similarly (work with the documented endpoint + payload, 403 with jopenlibs endpoint + payload):