
I'm new to HashiCorp Vault. I created a docker-compose file and some other files to add some configuration. I did that because I don't want to create the secrets and the AppRole by hand when I run it on another computer. It's just for learning purposes.

I've been trying for 2 days, and I have no idea what I'm doing wrong. After running the docker-compose, I enter the container and run these commands:

  • This one runs without any problem:

/bin/sh docker-compose-configs/vault-config/init-vault.sh

  • But with this one, I get an error:

    / # vault list auth/approle/role
    Error listing auth/approle/role: Error making API request.

    URL: GET http://127.0.0.1:8200/v1/auth/approle/role?list=true
    Code: 403. Errors:

    * permission denied

These are the files I have:

Docker-compose:

version: '3'

services:
  vault:
    image: vault:latest
    container_name: ticketflow-vault
    ports:
      - "8200:8200"
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: ticketflow-token
      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
      VAULT_ADDR: "http://127.0.0.1:8200"
    cap_add:
      - IPC_LOCK
    restart: always
    volumes:
      - vault-data:/vault/file
      - vault-logs:/vault/logs
      - ./vault-config:/docker-compose-configs/vault-config
volumes:
  vault-data:
  vault-logs:

config.hcl:

storage "file" {
  path = "/vault/file"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

ui = true
api_addr = "http://127.0.0.1:8200"

init-vault.sh:

#!/bin/sh

chmod +x /docker-compose-configs/vault-config/*.sh
/docker-compose-configs/vault-config/import-approle.sh
/docker-compose-configs/vault-config/import-secrets.sh

import-secrets.sh:

#!/bin/sh

export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='ticketflow-token'

while true; do
  vault_status=$(vault status -format=json)
  if echo "$vault_status" | grep -q '"sealed": false'; then
    break
  fi
  sleep 5
done

echo "Importing secrets..."
# Read secrets.txt line by line; -r and IFS= keep backslashes and whitespace intact
while IFS= read -r line; do
  key=$(echo "$line" | cut -d '=' -f 1)
  # -f 2- keeps everything after the first '=', so values containing '=' are not truncated
  value=$(echo "$line" | cut -d '=' -f 2-)
  echo "Importing secret: authentication.$key"
  vault kv put "secret/ticketflow/development/authentication.$key" value="$value"
done < /docker-compose-configs/vault-config/secrets.txt

echo "Secrets imported successfully."

import-approle.sh:

#!/bin/sh

export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='ticketflow-token'

vault auth enable approle

vault policy write ticketflow -<<EOT
path "secret/ticketflow/development/*" {
  capabilities = ["read", "list"]
}
path "auth/approle/role/*" {
  capabilities = ["read", "list", "create", "update"]
}
path "sys/policies/acl/*" {
  capabilities = ["read"]
}
EOT

vault write auth/approle/role/ticketflow \
    token_policies="ticketflow" \
    token_ttl=1h \
    token_max_ttl=24h \
    secret_id_num_uses=0 \
    secret_id_ttl=0 \
    token_num_uses=0 \
    token_period=0

vault write auth/approle/role/ticketflow \
    token_policies="ticketflow" \
    token_ttl=1h \
    token_max_ttl=24h

vault read auth/approle/role/ticketflow/role-id
vault write -f auth/approle/role/ticketflow/secret-id

secrets.txt:

client_secret=45edaa89-16cb-41e2-aee5-970ab971ee9c
client_id=Authentication-client
REALM=TicketFlow
Ivan Starostin
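As an added example (not code from the question or from Vault itself), here is a small Python re-implementation of Vault's ACL path matching, run against the ticketflow policy from import-approle.sh above, to show which capabilities that policy grants on the paths the scripts use. It assumes Vault's documented matching for a trailing `*` and for `+` segments, approximates rule precedence as "longest matching pattern wins", and uses a minimal regex over the HCL shown rather than a real HCL parser.

```python
import re

# Constructed sample input: the ticketflow policy from import-approle.sh above.
TICKETFLOW_POLICY = """
path "secret/ticketflow/development/*" {
  capabilities = ["read", "list"]
}
path "auth/approle/role/*" {
  capabilities = ["read", "list", "create", "update"]
}
path "sys/policies/acl/*" {
  capabilities = ["read"]
}
"""

# Minimal regex over the HCL shape used above; not a general HCL parser.
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]', re.S)


def parse_policy(hcl):
    """Return [(path_pattern, {capabilities})] for each path block."""
    return [(pat, set(re.findall(r'"([^"]+)"', caps)))
            for pat, caps in RULE_RE.findall(hcl)]


def pattern_to_regex(pattern):
    """Vault ACL matching: '+' matches exactly one path segment and a
    trailing '*' matches any suffix, including the empty string."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("/".join(parts) + (".*" if glob else "") + r"\Z")


def allowed(rules, path, capability):
    """Return (granted, pattern_used); no matching rule means default deny.
    Precedence is approximated as 'longest matching pattern wins', which
    agrees with Vault for the trailing-glob patterns on this page.
    For LIST requests Vault checks the path with a trailing slash appended."""
    matches = [(p, c) for p, c in rules if pattern_to_regex(p).match(path)]
    if not matches:
        return False, None
    pattern, caps = max(matches, key=lambda r: len(r[0]))
    if "deny" in caps:  # an explicit deny overrides the other capabilities
        return False, pattern
    return capability in caps, pattern


if __name__ == "__main__":
    rules = parse_policy(TICKETFLOW_POLICY)
    # Note: the dev server mounts KV v2 at secret/, whose API paths are secret/data/...
    print(allowed(rules, "auth/approle/role/", "list"))  # what LIST auth/approle/role checks
```

Paths that yield `(False, None)` are not covered by any rule at all, which is the situation a client with no policies (or no token) is in, regardless of how permissive the policy looks.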
  • This feels like a total anti-pattern. What do the Vault logs show? How are you getting the Vault token for the AppRole? You show how you configure the policy and KV, but you don't show how you're then retrieving those to set the AppRole secrets and using them to obtain the AppRole token. You are also hardcoding secrets and tokens, which is the complete opposite of the point of using Vault: not having to hardcode these in the first place. – Chris Doyle Apr 22 '23 at 16:19
  • I would guess env variables in `docker-compose.yml` should probably be quoted; have you tried that? `VAULT_DEV_ROOT_TOKEN_ID: "ticketflow-token"` – Don't Panic Apr 24 '23 at 10:53
