rundeck-plugins / vault-storage

Storage plugin for Rundeck for storing data in Vault
http://rundeck.org/plugins/vault/2017/11/25/vault-storage.html
MIT License

Failed to read the ssh private key for storage path: #16

Closed linuxmail closed 5 years ago

linuxmail commented 5 years ago

Hello,

we try to get the SSH private key via Rundeck and the Vault plugin, but we always get:

 ERROR com.dtolabs.rundeck.core.execution.workflow.steps.node.NodeStepPluginAdapter - Error executing node step.
com.dtolabs.rundeck.core.execution.workflow.steps.node.NodeStepException: Error configuring Ansible runner: Failed to read the ssh private key for storage path: keys/ssh/rundeck.key: Converter Plugin builtin:ssh-storage threw exception during READ: null

We have configured our Rundeck 3.1 with the latest vault plugin:

rundeck.storage.provider.'1'.type = 'vault-storage'
rundeck.storage.provider.'1'.config.address = 'https://fra-corp-vault.example.com'
rundeck.storage.provider.'1'.config.storageBehaviour = 'vault'
rundeck.storage.provider.'1'.config.prefix = 'rundeck'
rundeck.storage.provider.'1'.config.authBackend = 'token'
rundeck.storage.provider.'1'.config.token= 'aaaabbbbcccccddddd'
rundeck.storage.provider.'1'.config.engineVersion = 2

The vault policy:

# List, create, update, and delete key/value secrets
path "kv/data/rundeck/*"
{
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "kv/metadata/rundeck/*"
{
  capabilities = ["create", "read", "update", "delete", "list"]
}

and the (full) path in vault is: kv/rundeck/keys/ssh/rundeck.key.

We can choose/select the uploaded SSH key in Rundeck, so I assume that the permissions are ok.

From the command line, this works:

curl -H "x-vault-token: aaaabbbbcccccddddd" https://fra-corp-vault.example.com/v1/kv/data/rundeck/keys/ssh/rundeck.key

Does anybody know where the problem could be?

linuxmail commented 5 years ago

hi,

First problem: ed25519 is not supported. Second: I had to switch the storageBehaviour from "vault" to "rundeck". After fixing the key path, it's working now. Complete config for our Vault:

rundeck.storage.provider.'1'.type = 'vault-storage'
rundeck.storage.provider.'1'.path = 'keys'
rundeck.storage.provider.'1'.config.prefix = 'rundeck'
rundeck.storage.provider.'1'.config.address = 'https://fra-corp-vault.example.com'
rundeck.storage.provider.'1'.config.storageBehaviour = 'rundeck'
rundeck.storage.provider.'1'.config.secretBackend = 'kv'
rundeck.storage.provider.'1'.config.authBackend = 'token'
rundeck.storage.provider.'1'.config.token= 's.aaabbbcccceeeefffff11122233444'
rundeck.storage.provider.'1'.config.engineVersion = 2
rundeck.storage.provider.'1'.removePathPrefix=true
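As an added example, not part of this thread and not code from the vault-storage plugin: a small Python preflight that runs the checks behind the two comments above before blaming the plugin. It maps a Rundeck storage path to the Vault API path for KV v1 and v2 (v2 inserts data/ or metadata/ after the mount, which is why a v1-style policy path silently fails), evaluates the posted policy against those paths, unwraps the data.data nesting of a v2 read, and flags OpenSSH-container keys (the only format ed25519 keys exist in). Assumptions, also marked in the code: the plugin reads the secret at secretBackend/[data/]prefix/storage-path, which matches the kv/rundeck/keys/ssh/rundeck.key path given in the issue; the field name inside the secret, the sample read response and the key material are constructed.

```python
"""Preflight for Vault-backed Rundeck key storage (added example, not plugin code).
Assumption: the secret lives at <secretBackend>/[data/]<prefix>/<storage path>."""
import json

# Constructed provider config, using the mount/prefix from the working config.
ISSUE_CONFIG = {"secretBackend": "kv", "prefix": "rundeck", "engineVersion": 2}

# Constructed from the policy posted in the issue: ACL path -> capabilities.
ISSUE_POLICY = {
    "kv/data/rundeck/*": ["create", "read", "update", "delete", "list"],
    "kv/metadata/rundeck/*": ["create", "read", "update", "delete", "list"],
}

# Constructed KV v2 read response; field name and key material are placeholders.
SAMPLE_KV2_READ = json.dumps({
    "data": {
        "data": {"rundeck.key": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n"
                                "-----END OPENSSH PRIVATE KEY-----\n"},
        "metadata": {"version": 1, "destroyed": False},
    }
})


def kv_api_path(mount, prefix, storage_path, engine_version, kind="data"):
    """Vault API path (without /v1/) for a Rundeck storage path. KV v2 places
    data/ (contents) or metadata/ (listing) between mount and secret path;
    KV v1 does not. Prefix-under-mount layout is the assumption noted above."""
    rel = f"{prefix.strip('/')}/{storage_path.strip('/')}"
    return f"{mount}/{kind}/{rel}" if engine_version == 2 else f"{mount}/{rel}"


def policy_allows(policy, api_path, capability):
    """Simplified Vault ACL evaluation: the longest matching rule wins and a
    trailing '*' matches any suffix. Vault's '+' segment wildcard and merging
    of several policies are not modelled."""
    best_rule, best_caps = None, []
    for rule, caps in policy.items():
        hit = api_path.startswith(rule[:-1]) if rule.endswith("*") else api_path == rule
        if hit and (best_rule is None or len(rule) > len(best_rule)):
            best_rule, best_caps = rule, caps
    return best_rule is not None and "deny" not in best_caps and capability in best_caps


def parse_kv_read(body, engine_version):
    """Secret fields from a read response. KV v2 nests them under data.data;
    parsing a v2 body as v1 hands back {'data': ..., 'metadata': ...} instead."""
    payload = json.loads(body)["data"]
    return payload["data"] if engine_version == 2 else payload


def classify_private_key(key_text):
    """Classify a private key by its PEM armor line. ed25519 keys exist only in
    the OpenSSH container; RSA keys in that container can be rewritten to PEM
    with `ssh-keygen -p -m PEM -f <file>`."""
    lines = key_text.strip().splitlines()
    first = lines[0] if lines else ""
    return {
        "-----BEGIN OPENSSH PRIVATE KEY-----": "openssh",
        "-----BEGIN RSA PRIVATE KEY-----": "rsa-pem",
        "-----BEGIN EC PRIVATE KEY-----": "ec-pem",
        "-----BEGIN PRIVATE KEY-----": "pkcs8-pem",
    }.get(first, "unknown")


def preflight(config, policy, storage_path, read_body):
    """Return a list of findings; empty means nothing obvious is wrong."""
    findings = []
    mount, prefix, ver = config["secretBackend"], config["prefix"], config["engineVersion"]
    data_path = kv_api_path(mount, prefix, storage_path, ver, "data")
    if not policy_allows(policy, data_path, "read"):
        findings.append(f"policy denies read on {data_path}")
    if ver == 2:  # listing a v2 secret goes through the metadata/ endpoint
        meta_path = kv_api_path(mount, prefix, storage_path, ver, "metadata")
        if not policy_allows(policy, meta_path, "list"):
            findings.append(f"policy denies list on {meta_path}")
    fields = parse_kv_read(read_body, ver)
    if not fields:
        findings.append("secret has no fields")
    for name, value in fields.items():
        kind = classify_private_key(str(value))
        if kind == "openssh":
            findings.append(f"{name}: OpenSSH-format key (ed25519 or new RSA container)")
        elif kind == "unknown":
            findings.append(f"{name}: not a recognised private key armor")
    return findings


if __name__ == "__main__":
    for finding in preflight(ISSUE_CONFIG, ISSUE_POLICY, "keys/ssh/rundeck.key", SAMPLE_KV2_READ):
        print("finding:", finding)
```

Run against the issue's own policy and the constructed v2 response, the only finding is the OpenSSH-format key; swap in a v1-style policy path such as kv/rundeck/* and the read on kv/data/rundeck/... is reported as denied, which is the kind of silent mismatch that the plugin surfaced only as a null exception.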