Describe the bug
There is inconsistent behavior when using uppercase role names from AppRole in policies that use ACL templates.
To Reproduce
This script should be sufficient to reproduce the behavior:
vault login root
vault auth enable approle
# we will need the AppRole accessor for the policy permissions below
approle_accessor=$(vault read -format json sys/auth | jq -r '.data["approle/"].accessor')
echo "AppRole Accessor: ${approle_accessor}"
# create a policy that governs access to AppRole endpoints
vault policy write admin-policy - <<EOF
path "auth/approle/role/{{identity.entity.aliases.${approle_accessor}.metadata.role_name}}/role-id" {
  capabilities = ["read"]
}
EOF
# create a role
vault write auth/approle/role/ADMIN_ROLE secret_id_ttl=20m token_ttl=20m policies=admin-policy
# log in for role
role_id=$(vault read -format json auth/approle/role/ADMIN_ROLE/role-id | jq -r .data.role_id)
secret_id=$(vault write -format json -f auth/approle/role/ADMIN_ROLE/secret-id | jq -r .data.secret_id)
token=$(vault write -format json auth/approle/login role_id="$role_id" secret_id="$secret_id" | jq -r .auth.client_token)
vault login "$token"
# test policy
vault read auth/approle/role/ADMIN_ROLE/role-id # error
vault read auth/approle/role/admin_role/role-id # OK
Expected behavior
The call to vault read auth/approle/role/ADMIN_ROLE/role-id should be successful.
Environment:
Vault Server Version (retrieve with vault status): 1.6.0-dev
Vault CLI Version (retrieve with vault version): Vault v1.6.0-dev ('46c64aaffcb7e2c36dd33401200b7f5a26f48868+CHANGES')
Server Operating System/Architecture: Linux x86_64 GNU/Linux Ubuntu 18.04 LTS running on Windows 10 Pro WSL2
Vault server configuration file(s): running Vault dev server without configuration
Additional context
I believe the problem is because AppRole lowercases the role name and then puts it in the metadata. A workaround is to always lowercase the role name when calling endpoints on Vault that might be governed by ACL policies. I am not sure if there are mechanisms to make the ACL templates case insensitive, for example.
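As an added illustration (not code from this issue or from Vault itself), a small Python model of the behaviour the report describes: the policy path template is rendered from the alias metadata, where AppRole has stored the lowercased role name, and the requested path is then compared verbatim, so only the lowercase request matches. The accessor string and the metadata dict are constructed sample values, and `normalize_approle_path` is a hypothetical helper implementing the workaround the reporter mentions.

```python
import re

# Constructed sample: what the AppRole backend stores in the entity alias
# metadata for a role created as ADMIN_ROLE (the issue reports it is lowercased).
ALIAS_METADATA = {"role_name": "admin_role"}

# Constructed accessor value; real ones are read from sys/auth as in the issue.
POLICY_TEMPLATE = (
    "auth/approle/role/{{identity.entity.aliases."
    "auth_approle_0123abcd.metadata.role_name}}/role-id"
)

# Matches {{identity.entity.aliases.<accessor>.metadata.<key>}}
TEMPLATE_RE = re.compile(
    r"\{\{identity\.entity\.aliases\.[^.}]+\.metadata\.([^}]+)\}\}"
)


def render_template(path_template: str, metadata: dict) -> str:
    """Simplified model of ACL templating: substitute alias metadata keys."""
    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in metadata:
            raise KeyError(f"metadata key {key!r} missing from alias")
        return metadata[key]
    return TEMPLATE_RE.sub(substitute, path_template)


def is_allowed(request_path: str, rendered_path: str) -> bool:
    """Model of the exact, case-sensitive path match observed in the issue."""
    return request_path == rendered_path


def normalize_approle_path(request_path: str) -> str:
    """Workaround: lowercase the role segment of auth/approle/role/<name>/...

    Other paths are returned unchanged.
    """
    parts = request_path.split("/")
    if len(parts) >= 4 and parts[:3] == ["auth", "approle", "role"]:
        parts[3] = parts[3].lower()
    return "/".join(parts)


if __name__ == "__main__":
    rendered = render_template(POLICY_TEMPLATE, ALIAS_METADATA)
    for path in ("auth/approle/role/ADMIN_ROLE/role-id",
                 "auth/approle/role/admin_role/role-id"):
        print(path, "->", "allowed" if is_allowed(path, rendered) else "denied")
```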