[BUG] Vault command errors configured locally #58580

Closed
jtraub91 opened this issue Sep 29, 2020 · 4 comments · Fixed by #62684
Labels: Bug, pending-community-assignment, severity-medium, Vault

@jtraub91
Contributor

Description
When configuring vault for use with a masterless command, e.g. salt-call --local, I am getting an error when running vault.read_secret.

Setup
minion.d/vault.conf

vault:
  url: sdb://yaml/vault_url
  verify: False
  auth:
    method: approle
    role_id: sdb://yaml/role_id
    secret_id: sdb://yaml/secret_id
  policies:
    - saltstack/minions
    - saltstack/minions/{minion}

minion.d/sdb.conf

yaml:
  driver: yaml
  files:
    - /etc/salt/vault_token.yaml

/etc/salt/vault_token.yaml

vault_url: https://x.x.x.x:yyyy
role_id: xxxxxxx
secret_id: xxxxxxx

Steps to Reproduce the behavior

salt-call --local vault.read_secret <path> <key>

Expected behavior
Should return the value of the <key> at <path>. Instead I am getting the following error:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/salt/modules/vault.py", line 209, in read_secret
    response = __utils__["vault.make_request"]("GET", url)
  File "/usr/lib/python3.6/site-packages/salt/utils/vault.py", line 342, in make_request
    connection["uses"] -= 1
KeyError: 'uses'

Versions Report

Salt Version:
           Salt: 3001.1

Dependency Versions:
           cffi: 1.14.1
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: 4.2.0
          gitdb: Not Installed
      gitpython: Not Installed
         Jinja2: 2.11.2
        libgit2: Not Installed
       M2Crypto: 0.35.2
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.6.2
   mysql-python: Not Installed
      pycparser: 2.20
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 3.6.8 (default, Apr  2 2020, 13:34:55)
   python-gnupg: Not Installed
         PyYAML: 5.3.1
          PyZMQ: 19.0.1
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.3.2

System Versions:
           dist: centos 7 Core
         locale: UTF-8
        machine: x86_64
        release: 3.10.0-1127.el7.x86_64
         system: Linux
        version: CentOS Linux 7 Core

jtraub91 added the Bug label Sep 29, 2020

@jtraub91
Contributor Author

FYI I can avoid the error by commenting out this section: https://github.com/saltstack/salt/blob/v3001.1/salt/utils/vault.py#L336-L352, but there ought to be a more proper solution for this.

@beornf
Contributor

beornf commented Oct 8, 2020

Also this line wrongly makes an assumption that all Vault approle tokens expire in exactly 1 hour https://github.com/saltstack/salt/blob/v3001.1/salt/utils/vault.py#L157.
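
An added sketch, not Salt's code and not the fix merged in #62684, of the two points raised so far: a locally configured connection may carry no `uses` counter, and a token's lifetime should come from the `auth.lease_duration` field of the Vault login response rather than a fixed hour. The helper names, the record layout and the sample login body are assumptions made for illustration.

```python
import time

# Constructed sample of a Vault AppRole login response body (not real data).
SAMPLE_LOGIN = {
    "auth": {
        "client_token": "s.CONSTRUCTED-EXAMPLE",
        "lease_duration": 1200,  # seconds, as reported by Vault
        "renewable": True,
    }
}


def new_connection(login_body, uses=None, now=None):
    """Build a cache record from a login response (hypothetical helper)."""
    now = time.time() if now is None else now
    auth = login_body["auth"]
    conn = {
        "token": auth["client_token"],
        "issued": now,
        # Take the TTL from the response instead of assuming one hour.
        "lease_duration": auth["lease_duration"],
    }
    # Only track a use counter when a positive limit is known; a local
    # AppRole login has no master-issued limit, so the key is omitted.
    if uses:
        conn["uses"] = uses
    return conn


def use_connection(conn, now=None):
    """Return True if the token may be used, consuming one use if tracked."""
    now = time.time() if now is None else now
    ttl = conn.get("lease_duration", 0)
    # A lease_duration of 0 is treated here as "no expiry reported".
    if ttl and now >= conn["issued"] + ttl:
        return False
    # Guarded access: an unconditional conn["uses"] -= 1 is what raises
    # KeyError: 'uses' when the record was built without a counter.
    if "uses" in conn:
        if conn["uses"] <= 0:
            return False
        conn["uses"] -= 1
    return True
```
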

@danielrobbins

This issue has been approved to be addressed in a future version of salt.

sagetherage assigned cmcmarrow and unassigned krionbsd Jun 15, 2021
sagetherage added the severity-medium and Vault labels Jun 15, 2021

@JeremyHutchings

@jtraub91 Could you get any connection with vault working at all, even with a master?
