Tags: concourse, hashicorp-vault

Integrating Concourse with Vault with approle


Environment:

OS: Ubuntu 18.04 LTS
Concourse: 3.14.0 - install type: binary
Vault: 0.10.3
Using approle

Greetings,

Trying to configure credential management with Vault. Consul + Vault are operating normally. I've configured my Concourse server with the following parameters:

File: concourse-web

CONCOURSE_SESSION_SIGNING_KEY=/etc/concourse/session_signing_key
CONCOURSE_TSA_HOST_KEY=/etc/concourse/tsa_host_key
CONCOURSE_TSA_AUTHORIZED_KEYS=/etc/concourse/authorized_worker_keys
CONCOURSE_POSTGRES_DATABASE=concourse
CONCOURSE_POSTGRES_HOST=127.0.0.1
CONCOURSE_POSTGRES_PASSWORD=XXXXXXXX
CONCOURSE_POSTGRES_SSLMODE=disable
CONCOURSE_POSTGRES_USER=concourse
CONCOURSE_TSA_LOG_LEVEL=debug
CONCOURSE_LOG_LEVEL=debug
CONCOURSE_BAGGAGECLAIM_LOG_LEVEL=debug
CONCOURSE_BASIC_AUTH_USERNAME=concourse
CONCOURSE_BASIC_AUTH_PASSWORD=XXXXXXXXXX
CONCOURSE_EXTERNAL_URL=http://server001.cglab.localnet.local:8080
CONCOURSE_VAULT_URL="http://192.168.163.134:8200"
CONCOURSE_VAULT_PATH_PREFIX="/concourse"
CONCOURSE_VAULT_AUTH_BACKEND="approle"
CONCOURSE_VAULT_AUTH_PARAM="role_id=XXXXXX-XXXX-f6ec-c5fd-90c24a5a98f3,secret_id=XXXXXXX-XXXX-08ae-a356-edca9006d04a"
CONCOURSE_VAULT_INSECURE_SKIP_VERIFY=true

Created policy, enabled approle, created role_id, secret_id.

Now, when I start my Concourse, the log displays the following:

Journal entries:

Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.749084949","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.259793043","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.232575417","source":"atc","message":"atc.build-tracker.track.done","log_lev
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.219762087","source":"atc","message":"atc.listening","log_level":1,"data":{"
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.218845844","source":"atc","message":"atc.build-tracker.track.start","log_le
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.216697931","source":"tsa","message":"tsa.listening","log_level":1,"data":{}
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.113752604","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:31 server001 systemd[1]: Started Concourse CI web process (ATC and TSA).

File: /var/log/syslog

Jul 18 13:52:50 server001 concourse[1461]: {"timestamp":"1531936370.941136837","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"3.3745"}}
Jul 18 13:52:51 server001 concourse[1461]: {"timestamp":"1531936371.021310568","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"3.3746"}}
Jul 18 13:52:51 server001 concourse[1461]: {"timestamp":"1531936371.021309853","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"22.3385"}}

What am I missing? Why can't Concourse unseal the Vault? I thought maybe if I put in a client_token it would unseal it (CONCOURSE_VAULT_CLIENT_TOKEN="XXXXX-XXXX-3797-6194-8bc92b65231d"), but it did not help.

I can confirm that role_id and secret_id work, using API call:

curl -k -XPOST -d '{"role_id":"XXXXXX-XXXX-f6ec-c5fd-90c24a5a98f3","secret_id":"XXXXXXX-XXXX-08ae-a356-edca9006d04a"}' http://192.168.163.132:8200/v1/auth/approle/login | jq

{
  "request_id": "82f2e7f8-821e-0a17-acbb-e79f88bbc4b3",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": [
    "period of \"10h0m0s\" exceeded the effective max_ttl of \"30m0s\"; period value is capped accordingly"
  ],
  "auth": {
    "client_token": "XXXXXXX-XXX-fdf7-34d9-305e413fa2c7",
    "accessor": "5f267fb8-e3ac-7e13-adbb-bf4445725d78",
    "policies": [
      "concourse",
      "default"
    ],
    "token_policies": [
      "concourse",
      "default"
    ],
    "metadata": {
      "role_name": "concourse"
    },
    "lease_duration": 1800,
    "renewable": true,
    "entity_id": "11a0d4ac-10aa-0d62-2385-9e8071fc4185"
  }
}

As you can see above, it is all good. Why is Concourse failing to authenticate and unseal Vault?

Any direction, feedback, help is greatly appreciated!!


Solution

  • Sealing and unsealing are pretty much manual processes. Concourse can't unseal the Vault (it can't even reach the auth backend), so you have to handle this process by yourself.

    If you want to keep Vault sealed while Concourse is not using it, you should write some simple scripts; otherwise you can keep it unsealed: the data will be protected anyway, and only authorized requests can retrieve it, so you would seal the Vault only in case of an emergency.

    (VAULT_CLIENT_TOKEN is not the unseal key)
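A pre-flight check in the spirit of the answer above, added here as an example (not code from the question, the answer, Concourse or Vault): it reads Vault's unauthenticated `/v1/sys/seal-status` endpoint so an operator or a start-up script can refuse to launch Concourse while Vault is sealed, and it classifies the `atc.credential-manager.login.failed` log line from the question so a sealed Vault is not mistaken for a bad role_id/secret_id. The 400/403-means-auth-problem mapping and the sample log line are my assumptions, reconstructed from the syslog entry in the question.

```python
import json
import os
import re
import sys
import urllib.request

# Constructed sample: one ATC log line from the question, trimmed to the fields used here.
SAMPLE_LOG_LINE = (
    '{"timestamp":"1531936370.941136837","source":"atc",'
    '"message":"atc.credential-manager.login.failed","log_level":2,'
    '"data":{"error":"Error making API request.\\n\\nURL: PUT '
    'http://192.168.163.134:8200/v1/auth/approle/login\\nCode: 503. Errors:\\n\\n'
    '* Vault is sealed","name":"vault","session":"3.3745"}}'
)


def classify_login_failure(line: str):
    """Diagnose a Concourse ATC JSON log line; None if it is not a login failure."""
    try:
        entry = json.loads(line)
    except ValueError:
        return None
    if entry.get("message") != "atc.credential-manager.login.failed":
        return None
    err = entry.get("data", {}).get("error", "")
    match = re.search(r"Code: (\d+)", err)
    status = int(match.group(1)) if match else None
    if "Vault is sealed" in err:
        return {"status": status, "cause": "sealed",
                "fix": "unseal Vault with its unseal keys; Concourse cannot do this"}
    if status in (400, 403):  # assumption: Vault's bad-credential / permission-denied codes
        return {"status": status, "cause": "auth", "fix": "check role_id, secret_id and policy"}
    return {"status": status, "cause": "unknown", "fix": err.strip()}


def seal_status_summary(status: dict) -> dict:
    """Interpret a GET /v1/sys/seal-status body: t = threshold, progress = keys given so far."""
    sealed = bool(status.get("sealed", True))
    remaining = max(status.get("t", 0) - status.get("progress", 0), 0) if sealed else 0
    return {"ready": bool(status.get("initialized")) and not sealed,
            "sealed": sealed, "keys_remaining": remaining}


def fetch_seal_status(vault_url: str) -> dict:
    # seal-status needs no token and answers even while Vault is sealed.
    with urllib.request.urlopen(vault_url.rstrip("/") + "/v1/sys/seal-status", timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    summary = seal_status_summary(fetch_seal_status(os.environ.get("VAULT_ADDR", "http://192.168.163.134:8200")))
    print(summary)
    sys.exit(0 if summary["ready"] else 1)  # non-zero keeps a wrapper from starting concourse-web
```

Run it as an `ExecStartPre=` step (or from a wrapper script) before `concourse web`; a non-zero exit tells you to unseal first rather than letting the ATC loop on the 503.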