当以 "no known secret ID" 开头时,hashicorp 保险库代理模板失败

hashicorp vault agent template fails when starts with "no known secret ID"

使用模板启动保管库代理程序:

vault agent -config=templates/config.hcl -log-level=debug

失败并出现以下错误:

[ERROR] auth.handler:从方法获取路径或数据时出错:error="no known secret ID" backoff=2.438818298

重现问题的步骤:

政策:

path "my-app/data/testsecret/*" {
  capabilities = ["create", "update", "read"]
}

path "my-app/metadata/testsecret/*" {
  capabilities = ["list"]
}

客户端配置:

pid_file = "./pidfile"

vault {
  address = "http://XX.XX.XX.XX:XXXX"
}

auto_auth {
  method {
    type      = "approle"

    config = {
      role_id_file_path = "templates/roleid"
      secret_id_file_path = "templates/secretid"
    }
  }

  sink {
    type = "file"

    config = {
      path = "templates/file-foo"
    }
  }
}

template {
  source      = "templates/template.ctmpl"
  destination = "templates/render.txt"
}

template.ctmpl:

{{ with secret "my-app/data/testsecret" }}
passwd: {{ .Data.data.passwd }}
{{ end }}

我认为秘密存在:

$ vault kv get my-app/testsecret
====== Metadata ======
Key              Value
---              -----
created_time     2020-10-22T07:18:48.205108671Z
deletion_time    n/a
destroyed        false
version          6

===== Data =====
Key       Value
---       -----
passwd    cat

秘密是 kv v2:

$ vault secrets list --detailed |grep my-app
my-app/       kv           kv_5898e685           system         system     false             replicated     false        false                      map[version:2]    n/a                                                        cd436e93-db3b-c317-1c31-6967c7b25764

我终于可以解决重新创建 secret-id 的问题了:

vault write -f auth/approle/role/test-role/secret-id

并覆盖secret_id_file_path(templates/secretid),之后模板就渲染好了!!!

 vault agent -config=templates/config.hcl
==> Vault agent started! Log data will stream in below:

==> Vault agent configuration:

                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.5.4
             Version Sha: 1a730771ec70149293efe91e1d283b10d255c6d1

2020-10-22T13:28:59.096+0200 [INFO]  sink.server: starting sink server
2020-10-22T13:28:59.096+0200 [INFO]  auth.handler: starting auth handler
2020-10-22T13:28:59.097+0200 [INFO]  auth.handler: authenticating
2020-10-22T13:28:59.096+0200 [INFO]  template.server: starting template server
2020/10/22 11:28:59.097331 [INFO] (runner) creating new runner (dry: false, once: false)
2020/10/22 11:28:59.097874 [INFO] (runner) creating watcher
2020-10-22T13:28:59.125+0200 [INFO]  auth.handler: authentication successful, sending token to sinks
2020-10-22T13:28:59.125+0200 [INFO]  auth.handler: starting renewal process
2020-10-22T13:28:59.125+0200 [INFO]  template.server: template server received new token
2020/10/22 11:28:59.125672 [INFO] (runner) stopping
2020/10/22 11:28:59.125710 [INFO] (runner) creating new runner (dry: false, once: false)
2020/10/22 11:28:59.125847 [INFO] (runner) creating watcher
2020/10/22 11:28:59.125955 [INFO] (runner) starting
2020-10-22T13:28:59.161+0200 [INFO]  auth.handler: renewed auth token
2020/10/22 11:28:59.251586 [INFO] (runner) rendered "templates/render.txt" => "templates/_env"