New Credential Store failed because of deprecated Vault token field check #1604

Open
BrandonIngalls opened this issue Oct 15, 2021 · 3 comments

@BrandonIngalls

Describe the bug

Boundary throws an error message when you provide a Vault token that does not use the deprecated period field.

To Reproduce

  1. Create a Vault role for the credential store
    [~]$ vault write auth/token/roles/boundary-cv-infra \
      allowed_policies=boundary-cv-infra \
      token_period=48h \
      orphan=true \
      token_type=service
    Success! Data written to: auth/token/roles/boundary-cv-infra
  2. Create a Vault token to give to Boundary
    [~]$ vault token create -role boundary-cv-infra
    Key                  Value
    ---                  -----
    token                s.aaaaaaaaaaaaaaaaaaaaaaaa
    token_accessor       22xJTqzjqy6gFNj6XiNeYsi5
    token_duration       48h
    token_renewable      true
    token_policies       ["boundary-cv-infra" "default"]
    identity_policies    []
    policies             ["boundary-cv-infra" "default"]
    
    # NOTE: The token does not have a `period` field
    [~]$ vault token lookup -format=json s.aaaaaaaaaaaaaaaaaaaaaaaa
    {
      "request_id": "1abeb012-96af-bf91-604f-4c38c4cfd1c2",
      "lease_id": "",
      "lease_duration": 0,
      "renewable": false,
      "data": {
        "accessor": "22xJTqzjqy6gFNj6XiNeYsi5",
        "creation_time": 1634273154,
        "creation_ttl": 172800,
        "display_name": "token",
        "entity_id": "",
        "expire_time": "2021-10-17T04:45:54.495810945Z",
        "explicit_max_ttl": 0,
        "id": "s.aaaaaaaaaaaaaaaaaaaaaaaa",
        "issue_time": "2021-10-15T04:45:54.495818449Z",
        "meta": null,
        "num_uses": 0,
        "orphan": true,
        "path": "auth/token/create/boundary-cv-infra",
        "policies": [
          "boundary-cv-infra",
          "default"
        ],
        "renewable": true,
        "role": "boundary-cv-infra",
        "ttl": 172028,
        "type": "service"
      },
      "warnings": null
    }
  3. Try to create a credential store
    Error
    credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: vault token is not a periodic token, vault token issue: error #3011
    

Expected behavior

I think the Credential Store should get created since the token I created is periodic.

Additional context

I'm not 100% sure, but I think this might be related to this check https://github.com/hashicorp/boundary/blob/v0.6.2/internal/credential/vault/repository_credential_store.go#L237-L239

Boundary will create a credential store if you manually create a token using the deprecated period field.

# NOTE: Manually creating a token with the deprecated `period` option works
[~]$ vault token create -orphan=true -period=2h -policy=boundary-cv-infra 
Key                  Value
---                  -----
token                s.bbbbbbbbbbbbbbbbbbbbbbbb
token_accessor       e3w8rNmSapG3n9bpMaYG0X9j
token_duration       2h
token_renewable      true
token_policies       ["boundary-cv-infra" "default"]
identity_policies    []
policies             ["boundary-cv-infra" "default"]

# NOTE: the response has `period`
[~]$ vault token lookup -format=json s.bbbbbbbbbbbbbbbbbbbbbbbb
{
  "request_id": "8bc354b7-76b0-c5cd-6750-68751f5237b6",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "accessor": "e3w8rNmSapG3n9bpMaYG0X9j",
    "creation_time": 1634273854,
    "creation_ttl": 7200,
    "display_name": "token",
    "entity_id": "",
    "expire_time": "2021-10-15T06:57:34.648644267Z",
    "explicit_max_ttl": 0,
    "id": "s.bbbbbbbbbbbbbbbbbbbbbbbb",
    "issue_time": "2021-10-15T04:57:34.648649387Z",
    "meta": null,
    "num_uses": 0,
    "orphan": true,
    "path": "auth/token/create",
    "period": 7200,
    "policies": [
      "boundary-cv-infra",
      "default"
    ],
    "renewable": true,
    "ttl": 7186,
    "type": "service"
  },
  "warnings": null
}

Possibly related nomad PR hashicorp/nomad#6574
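
An added example, not part of the issue and not Boundary's own code: a Go pre-flight check over the two `vault token lookup -format=json` responses above, assuming (as the report suspects) that the failing check reads only `data.period`. `Classify`, its result labels and the trimmed JSON constants are illustrative names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// tokenLookup holds the fields of `vault token lookup -format=json` used here.
type tokenLookup struct {
	Data struct {
		Role   string `json:"role"`
		Period *int64 `json:"period"` // pointer: tells "absent" apart from 0
	} `json:"data"`
}

// Trimmed copies of the two lookup responses shown in the report.
const roleToken = `{"data":{"creation_ttl":172800,"orphan":true,
  "renewable":true,"role":"boundary-cv-infra","ttl":172028}}`
const periodToken = `{"data":{"creation_ttl":7200,"orphan":true,
  "period":7200,"renewable":true,"ttl":7186}}`

// Classify (hypothetical helper) reports where a token's periodicity is visible.
func Classify(raw string) (string, error) {
	var t tokenLookup
	if err := json.Unmarshal([]byte(raw), &t); err != nil {
		return "", fmt.Errorf("parse token lookup: %w", err)
	}
	switch {
	case t.Data.Period != nil && *t.Data.Period > 0:
		return "period-field", nil // passes a check that reads data.period
	case t.Data.Role != "":
		// Nothing in the lookup says "periodic"; confirm token_period on the
		// role itself with: vault read auth/token/roles/<role>
		return "role-derived", nil
	default:
		return "no-period-evidence", nil
	}
}

func main() {
	for name, raw := range map[string]string{"role": roleToken, "period": periodToken} {
		kind, err := Classify(raw)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Println(name, "->", kind)
	}
}
```

A `role-derived` result is the case from step 2: the token was issued through a role with `token_period`, so a consumer that inspects only `data.period` will reject it.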

@grantorchard
Contributor

Thanks Brandon, I ran into this too.

@mgaffney mgaffney self-assigned this Oct 18, 2021
@gsusmi gsusmi added the triage label Jan 25, 2022
@louisruch louisruch assigned ddebko and unassigned mgaffney May 31, 2022
@thanks4wifi

thanks4wifi commented Aug 25, 2022

I just ran into this bug too. It looks like the period field was deprecated in Vault 1.2.0 (2019).

[~]$ vault version
Vault v1.11.2 (3a8aa12eba357ed2de3192b15c99c717afdeb2b5), built 2022-07-29T09:48:47Z

[~]$ vault path-help auth/token/roles/new-role | grep 'period (duration (sec))' -m 1 -A 3

    period (duration (sec))

        (DEPRECATED) Use 'token_period' instead.

@thanks4wifi

Still broken years later.
