oracle / oracle-db-appdev-monitoring

Metrics exporter and samples for unified observability for data-centric app dev and microservices
http://developer.oracle.com/microservices

Need help to use oci vault #115

Closed tux-jochen closed 1 month ago

tux-jochen commented 3 months ago

My oracledb_exporter.service file has the lines:

Environment="vault_tenancy_ocid=ocid1.tenancy.oc1..aaaaaaaa..."
Environment="VAULT_ID=<the_name_of_my_vault>" # name or id? Id returned an error when starting the service
Environment="VAULT_SECRET_NAME=oracledb_exporter"

Start the service with this environment fails with:

systemctl status -l oracledb_exporter
● oracledb_exporter.service - Prometheus oracledb_exporter
   Loaded: loaded (/etc/systemd/system/oracledb_exporter.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2024-08-06 11:42:27 CEST; 3s ago
  Process: 4321 ExecStart=/usr/local/bin/oracledb_exporter --log.level debug --web.listen-address 0.0.0.0:9161 --default.metrics /etc/oracledb_exporter/default-metrics.toml (code=exited, status=1/FAILURE)
 Main PID: 4321 (code=exited, status=1/FAILURE)

Started Prometheus oracledb_exporter.
ts=2024-08-06T09:42:27.513Z caller=main.go:65 level=info msg="VAULT_ID env var is present so using OCI Vault" vault_name=<the_name_of_my_vault>
oracledb_exporter.service: main process exited, code=exited, status=1/FAILURE
Unit oracledb_exporter.service entered failed state.
oracledb_exporter.service failed.

loglevel is debug

When I query the secret with the OCI CLI, I get the correct value. But I used the compartment ID.

# Look up the secret's OCID by display name in the compartment, then fetch and decode the current bundle.
COMPARTMENT_OCID="<my_compartment_ocid>"
SECRET_NAME="oracledb_exporter"
SECRET_OCID=$(oci vault secret list --compartment-id "$COMPARTMENT_OCID" \
                      --query "data[?\"secret-name\" == '$SECRET_NAME'].id | [0]" \
                      --raw-output
)
SECRET=$(oci secrets secret-bundle get \
    --secret-id "$SECRET_OCID" \
    --raw-output \
    --query "data.\"secret-bundle-content\".content" | base64 -d
)
andytael commented 3 months ago

Hello, VAULT_ID should be set to the OCID of the OCI vault that you wish to use

tux-jochen commented 3 months ago

Thanks, I changed in oracledb_exporter.service to Environment="VAULT_ID=ocid1.vault.oc1.eu-frankfurt-1.en...."

But I get

● oracledb_exporter.service - Prometheus oracledb_exporter
   Loaded: loaded (/etc/systemd/system/oracledb_exporter.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2024-08-07 08:00:43 CEST; 46s ago
  Process: 26463 ExecStart=/usr/local/bin/oracledb_exporter --log.level debug --web.listen-address 0.0.0.0:9161 --default.metrics /etc/oracledb_exporter/default-metrics.toml (code=exited, status=1/FAILURE)
 Main PID: 26463 (code=exited, status=1/FAILURE)

Started Prometheus oracledb_exporter.
ts=2024-08-07T06:00:43.042Z caller=main.go:65 level=info msg="VAULT_ID env var is present so using OCI Vault" vault_name=ocid1.vault.oc1.eu-frankfurt-1.ent...
oracledb_exporter.service: main process exited, code=exited, status=1/FAILURE
Unit oracledb_exporter.service entered failed state.
oracledb_exporter.service failed.

The message does not show the name for vault_name but the ocid

The secret is in a compartment in the tenant. I have tried using both the compartment ocid and the tenant ocid for environment parameter vault_tenancy_ocid and received the same message in each case.

markxnelson commented 3 months ago

Thanks for reporting, I will check on this and get back to you

tux-jochen commented 2 months ago

I can access the vault secret from the command line with the oci-cli. For this I need the parameters COMPARTMENT_OCID, VAULT_OCID, SECRET_NAME and a valid .oci/config file in my home directory with API_USER, FINGERPRINT, KEY_FILE, TENANCY and REGION for the oci api call. So it does not seem to be enough to configure only VAULT_ID and VAULT_SECRET_NAME as described in the documentation. I also need a COMPARTMENT_OCID and API access data, don't I? How can I configure this correctly?

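The thread turns on one point: the exporter's VAULT_ID must be the vault's OCID, not its display name, and the OCI CLI additionally needs a compartment (or tenancy) OCID to list secrets by name. The script below is an added example, not code from oracle-db-appdev-monitoring: it checks the three environment variables from the systemd unit for the right shape before anything is started, then resolves the secret the same way the CLI snippet above does, but filtered to the one vault so a same-named secret in another vault cannot be picked up. It assumes a working OCI CLI and ~/.oci/config (or instance-principal auth); the `--vault-id` and `--name` filters are the ListSecrets API's filters exposed by the CLI. All OCIDs in the demo are constructed placeholders, and nothing is fetched unless the script is run with `--fetch`.

```shell
#!/bin/sh
# Added example (not project code): validate the OCI Vault environment the
# exporter unit sets, then resolve a secret by name with the OCI CLI.

# is_ocid TYPE VALUE: succeed when VALUE has the shape of an OCID for resource
# TYPE, i.e. ocid1.<TYPE>.<realm>[.<region>].<unique id>. Both
# ocid1.vault.oc1.eu-frankfurt-1.<id> and ocid1.tenancy.oc1..<id> pass;
# a display name such as "my-vault" does not.
is_ocid() {
    case "$2" in
        ocid1."$1".oc[0-9]*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_vault_env: VAULT_ID must be the vault OCID (the mistake in the thread),
# VAULT_SECRET_NAME must be set, and COMPARTMENT_OCID must be a compartment or
# tenancy OCID because the CLI lists secrets per compartment.
check_vault_env() {
    _rc=0
    if ! is_ocid vault "${VAULT_ID:-}"; then
        echo "VAULT_ID must be the vault OCID (ocid1.vault.oc1.<region>.<id>), got '${VAULT_ID:-}'" >&2
        _rc=1
    fi
    if [ -z "${VAULT_SECRET_NAME:-}" ]; then
        echo "VAULT_SECRET_NAME is empty" >&2
        _rc=1
    fi
    if ! is_ocid compartment "${COMPARTMENT_OCID:-}" && ! is_ocid tenancy "${COMPARTMENT_OCID:-}"; then
        echo "COMPARTMENT_OCID must be a compartment or tenancy OCID, got '${COMPARTMENT_OCID:-}'" >&2
        _rc=1
    fi
    return $_rc
}

# secret_ocid_by_name: print the OCID of the named secret inside VAULT_ID only.
# Restricting to the vault avoids matching a same-named secret elsewhere in
# the compartment. Prints nothing (or "null") when there is no match.
secret_ocid_by_name() {
    oci vault secret list \
        --compartment-id "$COMPARTMENT_OCID" \
        --vault-id "$VAULT_ID" \
        --name "$VAULT_SECRET_NAME" \
        --query 'data[0].id' \
        --raw-output
}

# secret_value SECRET_OCID: fetch the current bundle and base64-decode it.
secret_value() {
    oci secrets secret-bundle get \
        --secret-id "$1" \
        --query 'data."secret-bundle-content".content' \
        --raw-output | base64 -d
}

# Usage:
#   COMPARTMENT_OCID=... VAULT_ID=... VAULT_SECRET_NAME=oracledb_exporter sh vault_check.sh --fetch
# Without --fetch only the function definitions are loaded, so the script can
# be sourced from a unit's ExecStartPre or a test without touching OCI.
if [ "${1:-}" = "--fetch" ]; then
    check_vault_env || exit 1
    sid=$(secret_ocid_by_name)
    if [ -z "$sid" ] || [ "$sid" = "null" ]; then
        echo "no secret named '$VAULT_SECRET_NAME' in vault $VAULT_ID" >&2
        exit 1
    fi
    secret_value "$sid"
fi
```

Running `check_vault_env` as an ExecStartPre step gives a clear failure message instead of the bare `status=1/FAILURE` seen in the unit logs above when VAULT_ID holds a name rather than an OCID.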
markxnelson commented 2 months ago

Thanks for the update, let me check on that and confirm. I will update the docs if they are missing info.

andytael commented 1 month ago

@tux-jochen a couple of questions:

andytael commented 1 month ago

Issue is fixed in #131