Permission denied after successful app role integration between vault agent and vault server
I am using docker-compose to run two services, vault-agent and vault server, both from the hashicorp/vault:latest Docker image on my local machine for development. I run the Vault server in dev mode: vault server -dev. I run the vault-agent like this: vault agent -log-level debug -config=/helpers/vault-agent.hcl, where vault-agent.hcl is:
    pid_file = "./pidfile"

    vault {
      address = "https://vault_dev:8200"
      retry {
        num_retries = 5
      }
    }

    # auto_auth logs in with the AppRole credentials read from the two files
    # and writes the resulting token to the file sink
    auto_auth {
      method {
        type = "approle"
        config = {
          role_id_file_path                   = "/helpers/role_id"
          secret_id_file_path                 = "/helpers/secret_id"
          remove_secret_id_file_after_reading = false
        }
      }
      sink "file" {
        config = {
          path = "/helpers/sink_file"
        }
      }
    }

    # requests that reach the agent listener without a token use the auto_auth token
    cache {
      use_auto_auth_token = true
    }

    listener "tcp" {
      address     = "127.0.0.1:8200"
      tls_disable = true
    }
I am using AppRole authentication between the vault-agent and the Vault server, so I run these commands:
    vault secrets enable -version=2 kv
    vault auth enable approle
    vault policy write admin-policy /helpers/admin-policy.hcl
    vault write auth/approle/role/dev-role token_policies="admin-policy"
and admin-policy.hcl is:
    # Read system health check
    path "sys/health" {
      capabilities = ["read", "sudo"]
    }

    # Create and manage ACL policies broadly across Vault
    # List existing policies
    path "sys/policies/acl" {
      capabilities = ["list"]
    }

    # Create and manage ACL policies
    path "sys/policies/acl/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # Enable and manage authentication methods broadly across Vault
    # Manage auth methods broadly across Vault
    path "auth/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # Create, update, and delete auth methods
    path "sys/auth/*" {
      capabilities = ["create", "update", "delete", "sudo"]
    }

    # List auth methods
    path "sys/auth" {
      capabilities = ["read"]
    }

    # Enable and manage the key/value secrets engine at `kv/` path
    # List, create, update, and delete key/value secrets
    path "kv/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # List, create, update, and delete key/value secrets
    path "secret/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # Manage Entities and Entity alias
    path "identity/entity-alias" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    path "identity/entity-alias/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    path "identity/entity" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    path "identity/entity/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # Manage secrets engines
    path "sys/mounts/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # List existing secrets engines.
    path "sys/mounts" {
      capabilities = ["read"]
    }
However, when I run vault kv put secret/hello foo=bar from the vault-agent container, I get this error:
    Error making API request.
    URL: GET http://vault_dev:8200/v1/sys/internal/ui/mounts/secret/hello
    Code: 403. Errors:
    * permission denied
If I run export VAULT_TOKEN=root and then vault kv put secret/hello foo=bar, it works. So I guess the communication between vault-agent and the Vault server is working, and I don't see any errors logged in the vault-agent container (only INFO messages), but I still need a token to perform operations against vault-agent, even though the whole point of vault-agent is to delegate authentication to the agent. What am I missing?
At this point you have enabled AppRole authentication, created an AppRole path for authentication, and bound the role to a policy. You now need to run vault read auth/approle/role/dev-role/role-id to retrieve the role_id, and vault write -f auth/approle/role/dev-role/secret-id to retrieve a secret_id in push mode, and then vault write auth/approle/login role_id=<role id> secret_id=<secret id> to retrieve a token to authenticate with. You can then use that token with vault login, or set it as the VAULT_TOKEN environment variable.
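The three CLI steps in the answer correspond to three calls against Vault's HTTP API, which is also what the agent's auto_auth performs on the application's behalf. The client below is an added example, not code from the answer or from HashiCorp: reading the role_id and minting a secret_id require a privileged token (the answer's commands run with the dev root token), while the login call itself carries no token and returns the client token in the `auth` block. The sample login response and the `permission denied` body are constructed to match the documented shapes and the error shown in the question; the `hvs.` token value and the Vault address are placeholders.

```python
import json
import os
import urllib.error
import urllib.request


class VaultError(Exception):
    """Raised for any body of the form {"errors": [...]} that Vault returns with a 4xx/5xx status."""


def parse_response(body, status=200):
    """Decode a Vault JSON body; Vault signals failure by an errors list rather than by data."""
    doc = json.loads(body) if body else {}
    if doc.get("errors"):
        raise VaultError("; ".join(doc["errors"]))
    if status >= 400:
        raise VaultError(f"HTTP {status} with no error detail")
    return doc


def vault_request(addr, method, path, payload=None, token=None):
    """One request to a VAULT_ADDR-style base URL; the token travels in X-Vault-Token, never in the URL."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"{addr.rstrip('/')}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_response(resp.read(), resp.status)
    except urllib.error.HTTPError as err:
        return parse_response(err.read(), err.code)  # surfaces e.g. "permission denied" as VaultError


def fetch_role_id(addr, role, admin_token):
    """vault read auth/approle/role/<role>/role-id (needs a token allowed on auth/approle/...)."""
    return vault_request(addr, "GET", f"auth/approle/role/{role}/role-id", token=admin_token)["data"]["role_id"]


def issue_secret_id(addr, role, admin_token):
    """vault write -f auth/approle/role/<role>/secret-id: Vault generates the secret_id (pull mode)."""
    doc = vault_request(addr, "POST", f"auth/approle/role/{role}/secret-id", payload={}, token=admin_token)
    return doc["data"]["secret_id"]


def login_summary(doc):
    """Pick the fields a caller needs from a login response: the token, its policies, TTL and renewability."""
    auth = doc["auth"]
    return {
        "client_token": auth["client_token"],
        "policies": list(auth.get("token_policies") or auth.get("policies", [])),
        "ttl": auth["lease_duration"],
        "renewable": auth["renewable"],
    }


def approle_login(addr, role_id, secret_id):
    """vault write auth/approle/login: unauthenticated; the credential pair is exchanged for a token."""
    doc = vault_request(addr, "POST", "auth/approle/login", payload={"role_id": role_id, "secret_id": secret_id})
    return login_summary(doc)


# Constructed sample messages (placeholder values), shaped like Vault's real responses.
SAMPLE_LOGIN_RESPONSE = {
    "auth": {
        "client_token": "hvs.EXAMPLE-PLACEHOLDER-TOKEN",
        "accessor": "EXAMPLE-ACCESSOR",
        "token_policies": ["admin-policy", "default"],
        "policies": ["admin-policy", "default"],
        "lease_duration": 2764800,
        "renewable": True,
        "metadata": {"role_name": "dev-role"},
    }
}
SAMPLE_DENIED_BODY = b'{"errors":["permission denied"]}'

if __name__ == "__main__":
    # Full flow against a live server, e.g. VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN=root (dev mode only).
    addr, admin = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200"), os.environ.get("VAULT_TOKEN", "")
    rid = fetch_role_id(addr, "dev-role", admin)
    sid = issue_secret_id(addr, "dev-role", admin)
    print(approle_login(addr, rid, sid))
```

The split matters for the agent setup in the question: only `approle_login` is what the agent does with the two files, while `fetch_role_id` and `issue_secret_id` are the provisioning steps an operator runs with a privileged token and whose outputs land in `/helpers/role_id` and `/helpers/secret_id`.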