minio / kes

Key Management Server for Object Storage and more
https://min.io/docs/kes/concepts/
GNU Affero General Public License v3.0

No approle ID specified though it exists #385

Closed a1ntwan closed 1 year ago

a1ntwan commented 1 year ago

Hi guys, the KES server fails to start in Docker, throwing errors like:

Error: failed to read config file: edge: invalid vault keystore: invalid approle config: no approle ID specified

My docker-compose file (part of it) looks like:

vault:
  image: vault:1.13.3
  container_name: vault
  volumes:
    - ./vault.json:/vault/config/vault.json
    - vault:/vault/data
    - ./vault_certs/:/vault/certs
  environment:
    - VAULT_ADDR=https://127.0.0.1:8200
    - VAULT_API_ADDR=https://127.0.0.1:8200
    - VAULT_ADDRESS=https://127.0.0.1:8200
    - VAULT_SKIP_VERIFY=true
  cap_add:
    - IPC_LOCK
  command: vault server -config=/vault/config/vault.json
  network_mode: "host"

minio-kes:
  image: minio/kes:latest
  container_name: minio-kes
  restart: always
  volumes:
    - ./kes_certs/:/root/.kes/certs
    - ./vault_certs/:/root/.kes/vault/certs
    - ./kes_config/:/root/.kes/config
  environment:
    - KES_SERVER=https://127.0.0.1:7373
    - KES_CLIENT_KEY=/root/.kes/certs/client.key
    - KES_CLIENT_CERT=/root/.kes/certs/client.cert
  command: server --config=/root/.kes/config/config.yaml --auth=off
  network_mode: "host"

volumes:
  vault:

Vault is initialized, unsealed and running. Everything is configured according to this guide: https://github.com/minio/kes/wiki/Hashicorp-Vault-Keystore

My Vault config is:

{
  "api_addr": "https://127.0.0.1:8200",
  "backend": {
    "file": {
      "path": "vault/file"
    }
  },

  "default_lease_ttl": "168h",
  "max_lease_ttl": "720h",
  "ui": true,

  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_cert_file": "/vault/certs/vault.crt",
      "tls_key_file": "/vault/certs/vault.key",
      "tls_min_version": "tls12"
    }
  }
}

And KES config is:

address: 0.0.0.0:7373

admin:
  identity: disabled

tls:
  key: /root/.kes/certs/kes.key
  cert: /root/.kes/certs/kes.crt

policy:
  my-app:
    allow:
    - /v1/key/create/my-key*
    - /v1/key/generate/my-key*
    - /v1/key/decrypt/my-key*
    identities:
    - * here is my identity* 

keystore:
   vault:
     endpoint: https://127.0.0.1:8200
     version:  v1
     approle:
       id: *here is the id*
       secret: *here is the secret*
       retry: 15s
     status:
       ping: 10s
     tls:
       ca: /root/.kes/vault/certs/vault.crt

BTW I have no idea if I need to put the id and secret values in "" or not, but both throw the same error anyway. Also sorry if I've chosen the wrong issue type; I'm opening one for the first time.

a1ntwan commented 1 year ago

Sorry, seems to be a keyboard layout issue.
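An added check, not part of KES or of this issue, written from the "keyboard layout issue" conclusion above: it assumes the wrong layout put a look-alike non-ASCII character into a key name such as `id`, which a YAML decoder treats as an unknown key so the approle ID reads as empty. The config text and credential values below are constructed placeholders, and the parsing is a deliberately small indentation-based scan rather than a full YAML parser.

```python
import re
import unicodedata

KEY_RE = re.compile(r"^(\s*)([^\s#-][^:]*):(.*)$")  # indent, key name, remainder

def find_non_ascii_keys(config_text):
    """Return (line_no, key, [unicode names]) for every key name holding non-ASCII characters."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        key = m.group(2).strip() if (m := KEY_RE.match(line)) else ""
        names = [unicodedata.name(c, "?") for c in key if ord(c) > 127]
        if names:
            findings.append((n, key, names))
    return findings

def approle_fields(config_text):
    """Collect key/value pairs nested directly under 'approle:' (indent-based; no YAML library)."""
    fields, base = {}, None
    for line in config_text.splitlines():
        if not (m := KEY_RE.match(line)):
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        if key == "approle":
            base = indent
        elif base is not None and indent > base:
            fields[key] = value.strip("\"'")
        else:
            base = None  # any shallower key ends the approle block
    return fields

def check_config(config_text):
    """Return a list of problems; an empty list means the approle block looks well-formed."""
    problems = [f"line {n}: key {k!r} contains non-ASCII {', '.join(names)}"
                for n, k, names in find_non_ascii_keys(config_text)]
    fields = approle_fields(config_text)
    for want in ("id", "secret"):
        if not fields.get(want):
            problems.append(f"approle.{want} missing or empty")
    return problems

GOOD_CONFIG = """\
keystore:
  vault:
    approle:
      id: "PLACEHOLDER-ROLE-ID"
      secret: "PLACEHOLDER-SECRET-ID"
      retry: 15s
"""
# Constructed configs: the second has "id" typed on a Cyrillic layout (U+0456 looks like Latin "i").
BAD_CONFIG = GOOD_CONFIG.replace("      id:", "      \u0456d:")
```

Running `check_config` on a real config file's contents reports the offending line and the Unicode name of the stray character, which a plain text editor usually cannot show.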