Environment:
Vault v0.9.0 ('bdac1854478538052ba5b7ec9a9ec688d35a3335')
Archlinux client - debian host
Hi!
I am trying to use the db backend using the postgresql plugin, and I get a consistent 403 when I try to read credentials from some roles, while it works fine while reading credentials from other, identical roles. This is even true when using the root token.
I have the following config:
[~]$ vault read database/config/stag-org-service
Key Value
--- -----
allowed_roles [stag-org-service]
connection_details map[max_open_connections:1000 connection_url:postgresql://user:[email protected]:5432/org_service max_connection_lifetime:5s]
plugin_name postgresql-database-plugin
Then, I define the following roles:
[~]$ vault read database/roles/stag-org-service
Key Value
--- -----
creation_statements CREATE USER "{{name}}" WITH PASSWORD '{{password}}';GRANT SELECT ON ALL TABLES in SCHEMA public TO "{{name}}";
db_name stag-org-service
default_ttl 120
max_ttl 300
renew_statements
revocation_statements
rollback_statements
and
[~]$ vault read database/roles/stag-org-service-developer
Key Value
--- -----
creation_statements CREATE USER "{{name}}" WITH PASSWORD '{{password}}';GRANT SELECT ON ALL TABLES in SCHEMA public TO "{{name}}";
db_name stag-org-service
default_ttl 120
max_ttl 300
renew_statements
revocation_statements
rollback_statements
Notice that they are identical except for the name (that's just for testing btw, as are the short TTLs). Then, when I try to read the stag-org-service, I get:
[~]$ vault read database/creds/stag-org-service
Key Value
--- -----
lease_id database/creds/stag-org-service/6f6a2fd8-42e6-4840-3fcb-2cea1f713ee1
lease_duration 2m0s
lease_renewable true
password A1a-vqy09y5vp3u18090
username v-token-stag-org-06qtt4545x639w709r8y-1510762572
Which is fine, but when I try to read stag-org-service-developer I get:
[~]$ vault read database/creds/stag-org-service-developer
Error reading database/creds/stag-org-service-developer: Error making API request.
URL: GET https://vault.address:8200/v1/database/creds/stag-org-service-developer
Code: 403. Errors:
* 1 error occurred:
* permission denied
Which is not. But everything is identical between these two roles, and I get this even while using a root token!
Thanks!
aaannnd I figured it out right after posting this (after banging my head against it all day yesterday, upgrading vault, etc etc.)
I had to add stag-org-service-developer to:
allowed_roles [stag-org-service]
on the config.
Ah well. Thanks!
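One way to catch this misconfiguration before a client ever hits the 403, as an added example that is not from the original issue and not Vault's own code: the config and role dictionaries below are constructed from the data in this thread and use the same key names the `vault read` output shows (`allowed_roles`, `db_name`). A bare `*` in `allowed_roles` meaning "any role" is documented Vault behaviour; treating other entries as glob patterns is an assumption for newer Vault versions and is not claimed for 0.9.0.

```python
import fnmatch

# Constructed sample mirroring the issue: two roles point at the same
# connection config, but only one of them is listed in allowed_roles.
CONFIGS = {
    "stag-org-service": {"allowed_roles": ["stag-org-service"]},
}
ROLES = {
    "stag-org-service": {"db_name": "stag-org-service"},
    "stag-org-service-developer": {"db_name": "stag-org-service"},
}


def role_allowed(role_name, allowed_roles):
    """True if role_name is permitted by the config's allowed_roles list.
    '*' permits every role (documented); glob entries are an assumption.
    An empty list permits nothing, which is why a missing entry yields 403."""
    return any(fnmatch.fnmatchcase(role_name, pat) for pat in allowed_roles)


def find_denied_roles(configs, roles):
    """Return {role_name: reason} for roles whose database/creds/<role>
    read will be rejected because the referenced config does not allow them."""
    denied = {}
    for name, role in roles.items():
        db_name = role["db_name"]
        cfg = configs.get(db_name)
        if cfg is None:
            denied[name] = f"db_name {db_name!r} has no config entry"
        elif not role_allowed(name, cfg.get("allowed_roles", [])):
            denied[name] = (f"not in allowed_roles of config {db_name!r}: "
                            f"{cfg.get('allowed_roles', [])}")
    return denied


def suggested_allowed_roles(configs, roles):
    """For each config, the allowed_roles list that would admit every role
    currently pointing at it (the fix the issue author applied by hand)."""
    suggested = {name: list(cfg.get("allowed_roles", []))
                 for name, cfg in configs.items()}
    for name, role in roles.items():
        lst = suggested.get(role["db_name"])
        if lst is not None and not role_allowed(name, lst):
            lst.append(name)
    return suggested


if __name__ == "__main__":
    for role, reason in find_denied_roles(CONFIGS, ROLES).items():
        print(f"{role}: {reason}")
    print("suggested:", suggested_allowed_roles(CONFIGS, ROLES))
```

Feed it the output of `vault read database/config/<name>` and `vault read database/roles/<name>` for each config and role to audit a mount before rolling it out.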