Failed to perform login operation with alicloud auth plugin #6377
Comments
Hi @DahuK! Thanks for posting those steps. For one, I don't think that when the role is getting set up, that it's getting set up the way it seems.
Note that it literally shows `$ROLE_NAME` in the arn there, rather than `foo`.
There may be additional fixes needed in later steps, but let's start with that one first and see if it gets you where you need to go.
@tyrannosaurus-becks

```
vault write auth/alicloud/role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6 arn='acs:ram::xxxxxxxxxx:role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6'
Success! Data written to: auth/alicloud/role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6

vault login -method=alicloud access_key=STS.NHJLSwQddsRyA4ov89nZ3nwPS secret_key=8F8HeC5iRKhMY9jEyjyeF8xmxxxxxxxxxxxx security_token=... region=cn-beijing
Error authenticating: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/alicloud/login
Code: 500. Errors:
* entry for role kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6 not found
```
Interesting! What do you get when you do:
It responds as:

```
vault read auth/alicloud/role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6
Key            Value
---            -----
arn            acs:ram::1629816869803434:role/kubernetesmasterrole-421edfce-1ab3-47d0-a2ee-9015606097a6
bound_cidrs    []
max_ttl        0s
period         0s
policies       <nil>
ttl            0s
```

and the store object could be found in the alicloud OSS console.
I think the issue comes from here:

```go
roleName := ""
roleNameIfc, ok := data.GetOk("role")
if ok {
	roleName = roleNameIfc.(string)
} else {
	roleName = parsedARN.RoleName
}
role, err := readRole(ctx, req.Storage, roleName)
if err != nil {
	return nil, err
}
```

Every time I try to log in, roleNameIfc would return an empty string even though I have not passed a role as a parameter, so I tried to refine the checking logic and it works in my env. I created the PR as below: please help to review it, thx!
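The fallback described in the comment above, as an added example that is not part of the thread, the PR, or the plugin's code. It assumes the lookup reports the `role` key as present with an empty value, as the comment states; the function names, the map stand-in for the request data, the `$` check, and the sample ARN are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// roleNameFromARN extracts the role name from a RAM role ARN in the form
// shown in the thread: acs:ram::<account-id>:role/<role-name>.
func roleNameFromARN(arn string) (string, error) {
	parts := strings.Split(arn, ":")
	if len(parts) != 5 || parts[0] != "acs" || parts[1] != "ram" ||
		!strings.HasPrefix(parts[4], "role/") {
		return "", fmt.Errorf("unexpected ARN format: %q", arn)
	}
	name := strings.TrimPrefix(parts[4], "role/")
	// Assumption for this example: a '$' means a shell variable was never expanded.
	if name == "" || strings.Contains(name, "$") {
		return "", fmt.Errorf("ARN has no usable role name: %q", arn)
	}
	return name, nil
}

// resolveOriginal mirrors the quoted logic: any "role" key that is present
// wins, even when its value is the empty string.
func resolveOriginal(data map[string]interface{}, arnRole string) string {
	if v, ok := data["role"]; ok {
		return v.(string)
	}
	return arnRole
}

// resolveFixed treats an empty or non-string "role" like a missing one and
// falls back to the role name taken from the ARN.
func resolveFixed(data map[string]interface{}, arnRole string) string {
	if s, ok := data["role"].(string); ok && s != "" {
		return s
	}
	return arnRole
}

func main() {
	arnRole, _ := roleNameFromARN("acs:ram::1234567890:role/examplerole") // constructed ARN
	login := map[string]interface{}{"role": ""}                           // constructed: key sent, value empty
	fmt.Printf("original=%q fixed=%q\n", resolveOriginal(login, arnRole), resolveFixed(login, arnRole))
	_, err := roleNameFromARN("acs:ram::1234567890:role/$ROLE_NAME")
	fmt.Println("literal $ROLE_NAME rejected:", err != nil)
}
```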
@DahuK thanks for that PR. Does it solve the problem for you? If so I'll close this.
Yes, it is. Close this.
Describe the bug
I enabled alibaba auth and tried to log in with the CLI command from the guide
https://www.vaultproject.io/docs/auth/alicloud.html, but failed to log in both with `vault login -method=alicloud access_key=... secret_key=... security_token=... region=` and by generating the signed request and writing it into `auth/alicloud/login`.
To Reproduce
`vault auth enable alicloud`
First, I wanted to log in directly with the STS token returned from the instance metadata server, so I ran `curl 'http://100.100.100.200/latest/meta-data/ram/security-credentials/$ROLE_NAME'` on my ECS,
got the temporary AK/SK/STS token, wrote it into `auth/alicloud/role` and tried to log in with the CLI:
It failed with this response:
It confuses me because I think I have written it into `auth/alicloud/role/$ROLE_NAME`, and I can find it in my backend OSS store. Should I use some other CLI command or write another role? Please help check whether I missed any required steps.
Then I tried to generate the alicloud STS GetCallerIdentity request with a signature, and the request succeeds directly from a browser, but it still failed from the Vault CLI as below:
Error writing data to auth/alicloud/login: Error making API request.
It seems the auth plugin did not request alicloud STS with a valid format, so I want to know: should I just base64 the URL for `identity_request_url`, and what is the required format for `identity_request_headers`?
Expected behavior
It should log in successfully and return the access token.
Environment:
Vault Server Version (retrieve with `vault status`):
Vault CLI Version (retrieve with `vault version`): Vault v1.0.3 ('85909e3373aa743c34a6a0ab59131f61fd9e8e43')
Server Operating System/Architecture:
CentOS Linux release 7.4.1708
Vault server configuration file(s):