hashicorp vault agent template fails when starting with "no known secret ID"
Starting the Vault agent with a template:
vault agent -config=templates/config.hcl -log-level=debug
fails with the following error:
[ERROR] auth.handler: error getting path or data from method: error="no known secret ID" backoff=2.438818298
Steps to reproduce:
Policy:
path "my-app/data/testsecret/*" {
capabilities = ["create", "update", "read"]
}
path "my-app/metadata/testsecret/*" {
capabilities = ["list"]
}
Client config:
pid_file = "./pidfile"
vault {
address = "http://XX.XX.XX.XX:XXXX"
}
auto_auth {
method {
type = "approle"
config = {
role_id_file_path = "templates/roleid"
secret_id_file_path = "templates/secretid"
}
}
sink {
type = "file"
config = {
path = "templates/file-foo"
}
}
}
template {
source = "templates/template.ctmpl"
destination = "templates/render.txt"
}
template.ctmpl:
{{ with secret "my-app/data/testsecret" }}
passwd: {{ .Data.data.passwd }}
{{ end }}
I believe the secret exists:
$ vault kv get my-app/testsecret
====== Metadata ======
Key Value
--- -----
created_time 2020-10-22T07:18:48.205108671Z
deletion_time n/a
destroyed false
version 6
===== Data =====
Key Value
--- -----
passwd cat
The secret is kv v2:
$ vault secrets list --detailed |grep my-app
my-app/ kv kv_5898e685 system system false replicated false false map[version:2] n/a cd436e93-db3b-c317-1c31-6967c7b25764
I was finally able to work around it by recreating the secret-id:
vault write -f auth/approle/role/test-role/secret-id
and overwriting secret_id_file_path (templates/secretid); after that the template rendered!!!
vault agent -config=templates/config.hcl
==> Vault agent started! Log data will stream in below:
==> Vault agent configuration:
Cgo: disabled
Log Level: info
Version: Vault v1.5.4
Version Sha: 1a730771ec70149293efe91e1d283b10d255c6d1
2020-10-22T13:28:59.096+0200 [INFO] sink.server: starting sink server
2020-10-22T13:28:59.096+0200 [INFO] auth.handler: starting auth handler
2020-10-22T13:28:59.097+0200 [INFO] auth.handler: authenticating
2020-10-22T13:28:59.096+0200 [INFO] template.server: starting template server
2020/10/22 11:28:59.097331 [INFO] (runner) creating new runner (dry: false, once: false)
2020/10/22 11:28:59.097874 [INFO] (runner) creating watcher
2020-10-22T13:28:59.125+0200 [INFO] auth.handler: authentication successful, sending token to sinks
2020-10-22T13:28:59.125+0200 [INFO] auth.handler: starting renewal process
2020-10-22T13:28:59.125+0200 [INFO] template.server: template server received new token
2020/10/22 11:28:59.125672 [INFO] (runner) stopping
2020/10/22 11:28:59.125710 [INFO] (runner) creating new runner (dry: false, once: false)
2020/10/22 11:28:59.125847 [INFO] (runner) creating watcher
2020/10/22 11:28:59.125955 [INFO] (runner) starting
2020-10-22T13:28:59.161+0200 [INFO] auth.handler: renewed auth token
2020/10/22 11:28:59.251586 [INFO] (runner) rendered "templates/render.txt" => "templates/_env"
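The following pre-flight script is an added example, not code from the issue or from the Vault project. It rests on one documented Vault Agent behaviour: the approle auto_auth option remove_secret_id_file_after_reading defaults to true, so the agent deletes the file at secret_id_file_path after its first successful read, and a later restart with no cached secret ID fails exactly the way the report shows, with "no known secret ID". The script extracts the two credential file paths from the agent config, refuses to start when either file is missing or empty, and flags a config that still relies on the default deletion. The config parsing is a deliberately simple sed/grep over the flat HCL shown in the report, and the role/secret ID values in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the issue or from Vault): pre-flight check for Vault Agent
# AppRole auto_auth. Assumption (documented default): remove_secret_id_file_after_reading
# is true, so the agent deletes secret_id_file_path after the first read; on restart the
# file is gone and the agent logs "no known secret ID".

# check_approle_files ROLE_ID_FILE SECRET_ID_FILE
# Returns 0 when both files exist and are non-empty, 1 otherwise.
check_approle_files() {
    role_id_file=$1
    secret_id_file=$2
    rc=0
    if [ ! -s "$role_id_file" ]; then
        echo "role_id file missing or empty: $role_id_file" >&2
        rc=1
    fi
    if [ ! -s "$secret_id_file" ]; then
        echo "secret_id file missing or empty: $secret_id_file (agent would fail with 'no known secret ID')" >&2
        rc=1
    fi
    return $rc
}

# config_keeps_secret_id_file CONFIG_FILE
# Returns 0 if the config sets remove_secret_id_file_after_reading = false,
# 1 if it relies on the default (true), i.e. the file is deleted after the first read.
config_keeps_secret_id_file() {
    grep -Eq '^[[:space:]]*remove_secret_id_file_after_reading[[:space:]]*=[[:space:]]*false' "$1"
}

# extract_config_path CONFIG_FILE KEY
# Prints the double-quoted value of KEY (e.g. secret_id_file_path) from a flat HCL config.
extract_config_path() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# preflight CONFIG_FILE
# Exit status 0 means the agent can authenticate with the files currently on disk.
# Paths are resolved relative to the current directory, as the agent itself does.
preflight() {
    cfg=$1
    role_id_file=$(extract_config_path "$cfg" role_id_file_path)
    secret_id_file=$(extract_config_path "$cfg" secret_id_file_path)
    check_approle_files "$role_id_file" "$secret_id_file" || return 1
    if ! config_keeps_secret_id_file "$cfg"; then
        echo "note: $cfg relies on the default remove_secret_id_file_after_reading=true;" \
             "$secret_id_file is deleted after the first read, so a restart needs a fresh secret ID" >&2
    fi
    return 0
}

# Constructed demo: a scratch directory with the layout from the report (placeholder IDs).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/templates"
printf 'placeholder-role-id\n' > "$demo_dir/templates/roleid"
printf 'placeholder-secret-id\n' > "$demo_dir/templates/secretid"
cat > "$demo_dir/templates/config.hcl" <<'EOF'
auto_auth {
  method {
    type = "approle"
    config = {
      role_id_file_path = "templates/roleid"
      secret_id_file_path = "templates/secretid"
    }
  }
}
EOF
( cd "$demo_dir" && preflight templates/config.hcl && echo "first start: credentials present" )
# Simulate the default agent behaviour after its first successful read.
rm "$demo_dir/templates/secretid"
( cd "$demo_dir" && preflight templates/config.hcl ) || echo "restart: would fail with 'no known secret ID'"
```

Run it from the agent's working directory as `preflight templates/config.hcl` before `vault agent -config=...`; a non-zero exit means the agent would hit the same auth.handler error the report shows. The durable fix is either to set remove_secret_id_file_after_reading = false for a long-lived secret ID, or to keep the default and deliver a fresh secret ID to the file on every restart, as the reporter ended up doing by hand.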