rundeck-plugins / vault-storage

Storage plugin for Rundeck for storing data in Vault
http://rundeck.org/plugins/vault/2017/11/25/vault-storage.html
MIT License

Rundeck vault storage plugin - failed to read ssh private key stored at path #22

Closed chisanovici closed 3 years ago

chisanovici commented 4 years ago

Hi,

Can anyone help me with the following error:

Failed to read SSH Private key stored at path: keys/cst/rundeck/ssh/svc-cst-rundeck-prv: org.rundeck.storage.api.StorageException: Converter Plugin builtin:ssh-storage threw exception during READ: null
Failed: ConfigurationFailure: Failed to read SSH Private key stored at path: keys/cst/rundeck/ssh/svc-cst-rundeck-prv

My vault storage plugin configuration in /etc/rundeck/rundeck-config.properties is:

### Vault implementation for key storage ###
rundeck.storage.provider.1.type = vault-storage
rundeck.storage.provider.1.path = keys/cst
rundeck.storage.provider.1.removePathPrefix = true
rundeck.storage.provider.1.config.prefix = cst
rundeck.storage.provider.1.config.secretBackend = secret
rundeck.storage.provider.1.config.address = https://vault.address
rundeck.storage.provider.1.config.authBackend = approle
rundeck.storage.provider.1.config.approleId = my_app_role_id
rundeck.storage.provider.1.config.approleSecretId = my_secred_app_role_id
rundeck.storage.provider.1.config.approleAuthMount = approle
rundeck.storage.provider.1.config.storageBehaviour = vault
rundeck.storage.provider.1.config.openTimeout = 10
rundeck.storage.provider.1.config.readTimeout = 30

Vault approle permissions are:

path "secret/cst/*" {
    capabilities = ["list", "read"]
}

LDAP group ACL policy is:

description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: [CST]

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - match:
          path: 'keys/cst/.*'
      allow: [read] # allow read for all /keys/cst/* storage content
by:
  group: [CST]

While the plugin is somehow working, as it is able to connect to our Vault service and list our secrets from the above path within Configuration -> Key Storage, it throws that error while running a job that uses that SSH private key. Also, while listing the secrets from Rundeck in Key Storage, the plugin sees the Vault secret keys/cst/rundeck/ssh/svc-cst-rundeck-prv as a private key.

What am I missing? What am I doing wrong?

Thank you, Ionut

DevAndrewGeorge commented 4 years ago

I also ran into this issue this week. Your configuration is more than likely correct as this is caused by a bug in the code I discovered. As mentioned in #16, their workaround was to set [prefix].config.storageBehavior to rundeck. Turns out this worked because it set the Rundeck-content-type metadata/header while private keys that use the VaultKey class set no such header. I found during testing that it doesn't really matter the value of the header, only that the header is set (at least to the set of values Rundeck understands).

I suppose that upstream of the bugged function, if the header is not set, it silently nullifies the returned storage key value.
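The failure mode DevAndrewGeorge describes above, modelled in Python as an added illustration. This is not code from rundeck-plugins/vault-storage or from Rundeck: it reproduces the behaviour the thread reports (the built-in ssh-storage converter dereferences the Rundeck-content-type metadata, and a key surfaced under storageBehaviour=vault carries no such metadata), shows the same READ failure wrapped the way the job sees it, and contrasts it with a converter that tolerates a missing header. The content-type value used for private keys and the exact shape of the metadata are assumptions for this model.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Metadata key Rundeck attaches to key-storage resources.
RUNDECK_CONTENT_TYPE = "Rundeck-content-type"
# Content type assumed here for SSH private keys (assumption for this model).
PRIVATE_KEY_TYPE = "application/octet-stream"


class StorageReadError(Exception):
    """Stands in for org.rundeck.storage.api.StorageException."""


@dataclass
class Resource:
    path: str
    contents: bytes
    meta: dict = field(default_factory=dict)


def resource_from_vault(path: str, value: bytes, storage_behaviour: str) -> Resource:
    """Model how the plugin surfaces a Vault secret under each storageBehaviour.
    'rundeck': Rundeck's own metadata is stored beside the data and returned.
    'vault'  : the raw secret value comes back with no Rundeck metadata, as the
               thread reports for the VaultKey path (modelled, not the plugin's code)."""
    if storage_behaviour == "rundeck":
        meta = {RUNDECK_CONTENT_TYPE: PRIVATE_KEY_TYPE, "Rundeck-key-type": "private"}
    elif storage_behaviour == "vault":
        meta = {}
    else:
        raise ValueError(f"unknown storageBehaviour: {storage_behaviour}")
    return Resource(path, value, meta)


def converter_naive(resource: Resource) -> Optional[bytes]:
    """Model of the failing converter: it uses the header without checking that
    it is set, so a resource with no metadata raises (the Java NPE's 'null')."""
    content_type = resource.meta.get(RUNDECK_CONTENT_TYPE)
    if content_type.startswith("application/"):  # AttributeError when header is None
        return resource.contents
    return None


def converter_hardened(resource: Resource, default: str = PRIVATE_KEY_TYPE) -> Optional[bytes]:
    """Same check, but a missing header falls back to a default type, so the key
    is returned whether or not the storage plugin set the metadata."""
    content_type = resource.meta.get(RUNDECK_CONTENT_TYPE) or default
    if content_type.startswith("application/"):
        return resource.contents
    return None


def read_private_key(resource: Resource,
                     converter: Callable[[Resource], Optional[bytes]]) -> bytes:
    """Wrap the converter the way the storage layer does: any exception becomes a
    StorageReadError naming the path, which is the message the job run shows."""
    try:
        data = converter(resource)
    except Exception as exc:
        raise StorageReadError(
            f"Failed to read SSH Private key stored at path: {resource.path}: "
            f"Converter Plugin builtin:ssh-storage threw exception during READ: {exc}"
        ) from exc
    if data is None:
        raise StorageReadError(f"Failed to read SSH Private key stored at path: {resource.path}")
    return data


def read_error(resource: Resource,
               converter: Callable[[Resource], Optional[bytes]]) -> Optional[str]:
    """Return the error message a read would produce, or None when it succeeds."""
    try:
        read_private_key(resource, converter)
        return None
    except StorageReadError as exc:
        return str(exc)


def diagnose(resource: Resource) -> str:
    """Operator-facing check: if the header is absent, the storageBehaviour=rundeck
    workaround mentioned in #16 is what makes the converter see a header."""
    if RUNDECK_CONTENT_TYPE in resource.meta:
        return "ok: Rundeck-content-type is set"
    return ("missing Rundeck-content-type; set "
            "rundeck.storage.provider.1.config.storageBehaviour = rundeck")


# Constructed sample input; this is not a real key.
SAMPLE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
              b"constructed-sample-not-a-real-key\n"
              b"-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_PATH = "keys/cst/rundeck/ssh/svc-cst-rundeck-prv"

if __name__ == "__main__":
    for behaviour in ("vault", "rundeck"):
        res = resource_from_vault(SAMPLE_PATH, SAMPLE_KEY, behaviour)
        print(f"{behaviour}: {read_error(res, converter_naive) or 'read ok'}")
        print(f"{behaviour}: {diagnose(res)}")
```

Running the block prints the wrapped READ failure for the vault behaviour and a clean read for the rundeck behaviour; the hardened converter reads both. The model only shows why setting any value for the header unblocks the read, which matches the observation in the comment that the header's value did not matter, only its presence.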

DaBeOps commented 4 years ago

Hi all, I'm facing the same problem.

@DevAndrewGeorge Your pull request didn't pass the test (https://github.com/rundeck-plugins/vault-storage/pull/23). Since then, have you done anything else?

Have a good day.

DevAndrewGeorge commented 4 years ago

@DaBeOps, I am unsure of how I am supposed to pass the test in the first place. Seems the last few commits to master also failed the same exact test. This repository doesn't seem to have a lot of signs of life, so I haven't been too concerned. I built my own patched version, and have been using that in my rundeck deployment since I submitted my PR.