Describe the bug
I am no longer able to set a ttl at the engine level for the GCP Secrets Engine in 1.4.x. Vault seems to ignore it and still use the default 768h lease duration.
To Reproduce
Steps to reproduce the behavior:
$ vault secrets enable gcp
Success! Enabled the gcp secrets engine at: gcp/
$ vault write gcp/config [email protected] ttl=5m max_ttl=10m
Success! Data written to: gcp/config
$ vault write gcp/roleset/my-key-roleset ...
Success! Data written to: gcp/roleset/my-key-roleset
$ vault read gcp/key/my-key-roleset
Key Value
--- -----
lease_id gcp/key/my-key-roleset/...
lease_duration 768h
Expected behavior
The lease on the service account key to be what I set in the ttl when I wrote my config to the secrets engine. This was working in 1.3.5.
Environment:
Vault Server Version (vault status):
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.4.1
Cluster Name vault-cluster-9ca70095
Cluster ID 8cfc955f-0ae1-1885-69b2-5042f6bf2e8e
HA Enabled false
Vault CLI Version (vault version): Vault v1.4.1

Thanks for reporting this, and I've reproduced this behavior as of 1.4.0. As a workaround, can you try tuning the backend directly with: vault secrets tune -default-lease-ttl=5m -max-lease-ttl=10m gcp
@kalafut tried that workaround and that does work.
$ vault secrets tune -default-lease-ttl=5m -max-lease-ttl=10m gcp
Success! Tuned the secrets engine at: gcp/
$ vault read gcp/key/my-key-roleset
Key Value
--- -----
lease_id gcp/key/my-key-roleset/7paq1fdD3GNhDhSRaBHJOMfr
lease_duration 5m
I should also note that setting the ttl when reading the roleset worked as well before tuning:
$ vault read gcp/key/my-key-roleset ttl=5m
Key Value
--- -----
lease_id gcp/key/my-key-roleset/5cAFuy61nGE6UAlGksvz5WqS
lease_duration 5m
So it just seems it's not working at the engine level.
This has been addressed and will be part of the next minor release. Thank you!
@husunal Your example seems to be working as expected. The original issue was that setting the /config values didn't have any effect, but in your case you're setting the config and they are used for creds generation. Config values take precedence over the tune settings so the subsequent vault secrets tune wouldn't have any effect.
@kalafut thanks, you are right. Also, in my tests, the lowest value took precedence. Please see below.
❯ vault write gcp5/config max_ttl=1h
Success! Data written to: gcp5/config
❯ vault secrets tune -max-lease-ttl=30m gcp5
Success! Tuned the secrets engine at: gcp5/
❯ vault read sys/mounts/gcp5/tune
Key Value
--- -----
default_lease_ttl 768h
description n/a
force_no_cache false
max_lease_ttl 30m
❯ vault read gcp5/config
Key Value
--- -----
max_ttl 1h
ttl 0s
❯ vault read gcp5/key/my-key-roleset ttl=45m
WARNING! The following warnings were returned from Vault:
* TTL of "45m" exceeded the effective max_ttl of "30m"; TTL value is capped accordingly
Key Value
--- -----
lease_id gcp5/key/my-key-roleset/qPUUTI6ogykjQfe0ATFHehFB
lease_duration 30m
lease_renewable true
❯ vault write gcp5/config max_ttl=10m && vault secrets tune -max-lease-ttl=5m gcp5
Success! Data written to: gcp5/config
Success! Tuned the secrets engine at: gcp5/
❯ vault read gcp5/key/my-key-roleset ttl=45m
WARNING! The following warnings were returned from Vault:
* TTL of "45m" exceeded the effective max_ttl of "5m"; TTL value is capped accordingly
Key Value
--- -----
lease_id gcp5/key/my-key-roleset/TxLWNYiailrUAFVwfa6c3HgX
lease_duration 5m
lease_renewable true
❯ vault write gcp5/config max_ttl=10m && vault secrets tune -max-lease-ttl=20m gcp5
Success! Data written to: gcp5/config
Success! Tuned the secrets engine at: gcp5/
❯ vault read gcp5/key/my-key-roleset ttl=45m
WARNING! The following warnings were returned from Vault:
* TTL of "45m" exceeded the effective max_ttl of "10m"; TTL value is capped accordingly
Key Value
--- -----
lease_id gcp5/key/my-key-roleset/trjP9QDw9J3nkqGTEG0lp83a
lease_duration 10m
lease_renewable true
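The precedence rule visible in the three runs above, and in the tune workaround earlier in the thread, written out as an added Python model. This is not Vault's code; the ordering it encodes (a ttl passed on the read wins, then the engine's config ttl, then the mount's default_lease_ttl; the effective max is the smaller of a nonzero config max_ttl and the mount's max_lease_ttl, and the requested ttl is capped to it with the warning text shown in the thread) is inferred from the outputs posted here, so treat it as an assumption to verify against your own Vault version. Passing config_ttl="0s" reproduces what the 1.4.x engine was doing before the fix, i.e. ignoring the configured ttl. The inputs used in the demo are the values from this thread.

```python
import re
from typing import Optional, Tuple

# Go/Vault duration units; Vault also accepts a bare integer meaning seconds.
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"(\d+)([hms])")


def parse_duration(text: str) -> int:
    """Parse "5m", "768h", "1h30m" or "300" into seconds."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unparseable duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def format_duration(seconds: int) -> str:
    """Render seconds the way the Vault CLI prints lease_duration ("30m", "768h")."""
    if seconds <= 0:
        return "0s"
    out = []
    for unit, size in (("h", 3600), ("m", 60), ("s", 1)):
        q, seconds = divmod(seconds, size)
        if q:
            out.append(f"{q}{unit}")
    return "".join(out)


def effective_lease(
    requested_ttl: str,
    config_ttl: str,
    config_max_ttl: str,
    mount_default_lease_ttl: str,
    mount_max_lease_ttl: str,
) -> Tuple[str, Optional[str]]:
    """Model (assumption, not Vault source) of how the lease on a read is derived.

    Returns (lease_duration, warning_or_None)."""
    req = parse_duration(requested_ttl)
    cfg_ttl = parse_duration(config_ttl)
    cfg_max = parse_duration(config_max_ttl)
    mnt_def = parse_duration(mount_default_lease_ttl)
    mnt_max = parse_duration(mount_max_lease_ttl)

    # Effective max: the mount's max_lease_ttl, tightened by a nonzero config max_ttl.
    # This is why "the lowest value took precedence" in the runs above.
    max_ttl = mnt_max
    if 0 < cfg_max < max_ttl:
        max_ttl = cfg_max

    # TTL: explicit ttl on the read, else config ttl, else the mount default.
    if req > 0:
        ttl = req
    elif cfg_ttl > 0:
        ttl = cfg_ttl
    else:
        ttl = mnt_def

    warning = None
    if ttl > max_ttl:
        warning = (
            f'TTL of "{format_duration(ttl)}" exceeded the effective max_ttl of '
            f'"{format_duration(max_ttl)}"; TTL value is capped accordingly'
        )
        ttl = max_ttl
    return format_duration(ttl), warning


if __name__ == "__main__":
    # Scenarios from this thread (constructed from the posted outputs).
    cases = {
        "config max 1h, tune max 30m, read ttl=45m": ("45m", "0s", "1h", "768h", "30m"),
        "config max 10m, tune max 5m, read ttl=45m": ("45m", "0s", "10m", "768h", "5m"),
        "config max 10m, tune max 20m, read ttl=45m": ("45m", "0s", "10m", "768h", "20m"),
        "1.4.x bug: config ttl ignored, tune default 5m": ("0s", "0s", "0s", "5m", "10m"),
    }
    for name, args in cases.items():
        lease, warn = effective_lease(*args)
        print(f"{name}: lease_duration={lease}" + (f"  [{warn}]" if warn else ""))
```

The last scenario is the workaround from the thread: with the engine-level ttl effectively zero, tuning the mount's default_lease_ttl is what decides the lease, which is why `vault secrets tune -default-lease-ttl=5m` produced a 5m key even though `gcp/config` had ttl=5m written.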