Need help to use oci vault #115

Closed
tux-jochen opened this issue Aug 6, 2024 · 7 comments
tux-jochen commented Aug 6, 2024

My oracledb_exporter.service file has the lines:

Environment="vault_tenancy_ocid=ocid1.tenancy.oc1..aaaaaaaa..."
Environment="VAULT_ID=<the_name_of_my_vault>" # name or id? Id returned an error when starting the service
Environment="VAULT_SECRET_NAME=oracledb_exporter"

Starting the service with this environment fails with:

systemctl status -l oracledb_exporter
● oracledb_exporter.service - Prometheus oracledb_exporter
   Loaded: loaded (/etc/systemd/system/oracledb_exporter.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2024-08-06 11:42:27 CEST; 3s ago
  Process: 4321 ExecStart=/usr/local/bin/oracledb_exporter --log.level debug --web.listen-address 0.0.0.0:9161 --default.metrics /etc/oracledb_exporter/default-metrics.toml (code=exited, status=1/FAILURE)
 Main PID: 4321 (code=exited, status=1/FAILURE)

Started Prometheus oracledb_exporter.
ts=2024-08-06T09:42:27.513Z caller=main.go:65 level=info msg="VAULT_ID env var is present so using OCI Vault" vault_name=<the_name_of_my_vault>
oracledb_exporter.service: main process exited, code=exited, status=1/FAILURE
Unit oracledb_exporter.service entered failed state.
oracledb_exporter.service failed.

Log level is debug.

When I query the secret with the OCI CLI, I get the correct value. But I used the compartment ID.

SECRET_NAME=oracledb_exporter   # secret name used by the exporter (VAULT_SECRET_NAME)
COMPARTMENT_OCID="<my_compartment_ocid>"
# Resolve the secret OCID by name within the compartment
SECRET_OCID=$(oci vault secret list --compartment-id "$COMPARTMENT_OCID" \
                      --query "data[?\"secret-name\" == '$SECRET_NAME'].id | [0]" \
                      --raw-output
)
# Fetch the current secret bundle and decode its base64 content
SECRET=$(oci secrets secret-bundle get \
    --secret-id "$SECRET_OCID" \
    --raw-output \
    --query "data.\"secret-bundle-content\".content" | base64 -d
)

andytael commented Aug 6, 2024

Hello,
VAULT_ID should be set to the OCID of the OCI vault that you wish to use.


tux-jochen commented Aug 7, 2024

Thanks. I changed oracledb_exporter.service to
Environment="VAULT_ID=ocid1.vault.oc1.eu-frankfurt-1.en...."

But I get

● oracledb_exporter.service - Prometheus oracledb_exporter
   Loaded: loaded (/etc/systemd/system/oracledb_exporter.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2024-08-07 08:00:43 CEST; 46s ago
  Process: 26463 ExecStart=/usr/local/bin/oracledb_exporter --log.level debug --web.listen-address 0.0.0.0:9161 --default.metrics /etc/oracledb_exporter/default-metrics.toml (code=exited, status=1/FAILURE)
 Main PID: 26463 (code=exited, status=1/FAILURE)

Started Prometheus oracledb_exporter.
ts=2024-08-07T06:00:43.042Z caller=main.go:65 level=info msg="VAULT_ID env var is present so using OCI Vault" vault_name=ocid1.vault.oc1.eu-frankfurt-1.ent...
oracledb_exporter.service: main process exited, code=exited, status=1/FAILURE
Unit oracledb_exporter.service entered failed state.
oracledb_exporter.service failed.

The message does not show the name for vault_name but the OCID.

The secret is in a compartment in the tenant. I have tried using both the compartment ocid and the tenant ocid for environment parameter vault_tenancy_ocid and received the same message in each case.

markxnelson (Member) commented:

Thanks for reporting, I will check on this and get back to you.


tux-jochen commented Aug 26, 2024

I can access the vault secret from the command line with the oci-cli.
For this I need the parameters COMPARTMENT_OCID, VAULT_OCID, SECRET_NAME and a valid .oci/config file in my home directory with API_USER, FINGERPRINT, KEY_FILE, TENANCY and REGION for the oci api call.
So it does not seem to be enough to configure only VAULT_ID and VAULT_SECRET_NAME as described in the documentation. I also need a COMPARTMENT_OCID and API access data, don't I? How can I configure this correctly?

markxnelson (Member) commented:

Thanks for the update, let me check on that and confirm. I will update the docs if they are missing info.

andytael (Member) commented:

@tux-jochen a couple of questions:

  • Is the vault in the same region as the one specified in the OCI config file? I mean, your home region could be Ashburn while the vault is in Phoenix.
  • Is the profile being used the default profile? You can have multiple profiles for different environments, but there is always a default one.
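An added pre-flight check (example code, not part of the exporter or of this thread) that catches the three points raised above before the service is started: VAULT_ID holding a vault name rather than an OCID, a required entry missing from the OCI CLI profile, and the vault sitting in a different region than the profile. It assumes the OCI CLI's standard INI-style config with [profile] sections and the key names user, fingerprint, key_file, tenancy and region; the OCIDs in the sample config are constructed.

```shell
# Added example, not the exporter's own code. Assumes the OCI CLI config layout
# ([profile] sections, keys user/fingerprint/key_file/tenancy/region).
# A vault OCID has the shape ocid1.vault.oc1.<region>.<id>; a vault *name*
# (the first value tried in this issue) does not.
check_vault_id() {
  case "$1" in
    ocid1.vault.oc1.*.*) return 0 ;;
    *) return 1 ;;
  esac
}
# Region segment of an OCID (4th dot-separated field), e.g. eu-frankfurt-1.
ocid_region() {
  printf '%s\n' "$1" | cut -d. -f4
}
# Value of key $3 in section [$2] of config file $1 ("key = value" allowed).
config_value() {
  awk -v p="[$2]" -v k="$3" '
    $0 == p { in_p = 1; next }
    /^\[/   { in_p = 0 }
    in_p && $0 ~ "^" k "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}
# preflight VAULT_ID VAULT_SECRET_NAME CONFIG_FILE PROFILE
# Returns 0 when all checks pass, otherwise 1 with the reason on stderr.
preflight() {
  check_vault_id "$1" || { echo "VAULT_ID must be a vault OCID, not a name: $1" >&2; return 1; }
  [ -n "$2" ] || { echo "VAULT_SECRET_NAME is empty" >&2; return 1; }
  [ -r "$3" ] || { echo "OCI config not readable: $3" >&2; return 1; }
  for key in user fingerprint key_file tenancy region; do
    [ -n "$(config_value "$3" "$4" "$key")" ] || { echo "missing $key in [$4] of $3" >&2; return 1; }
  done
  cfg_region=$(config_value "$3" "$4" region)
  [ "$(ocid_region "$1")" = "$cfg_region" ] ||
    { echo "vault region $(ocid_region "$1") differs from profile region $cfg_region" >&2; return 1; }
}
# Constructed sample config (fake OCIDs) so the checks can be exercised offline.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
[DEFAULT]
user=ocid1.user.oc1..exampleuser
fingerprint=aa:bb:cc:dd:ee:ff
key_file=/etc/oracledb_exporter/oci_api_key.pem
tenancy=ocid1.tenancy.oc1..exampletenancy
region=eu-frankfurt-1
EOF
preflight "ocid1.vault.oc1.eu-frankfurt-1.exampleid" oracledb_exporter "$SAMPLE_CFG" DEFAULT && echo "pre-flight OK"
```

Run it as an ExecStartPre step (or by hand) with the real VAULT_ID, VAULT_SECRET_NAME and config path so a bad value fails fast with a readable reason instead of the bare status=1/FAILURE seen in the unit log.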

@andytael andytael mentioned this issue Sep 27, 2024
andytael (Member) commented:

The issue is fixed in #131.
