Search code examples
hashicorp-vaultvault

hashicorp vault agent template fails when starts with "no known secret ID"

Start vault agent using template:

vault agent -config=templates/config.hcl -log-level=debug

Fails with the following error:

[ERROR] auth.handler: error getting path or data from method: error="no known secret ID" backoff=2.438818298

Steps for reproduce the issue:

Policy:

path "my-app/data/testsecret/*" {
  capabilities = ["create", "update", "read"]
}

path "my-app/metadata/testsecret/*" {
  capabilities = ["list"]
}

Client config:

pid_file = "./pidfile"

vault {
  address = "http://XX.XX.XX.XX:XXXX"
}

auto_auth {
  method {
    type      = "approle"

    config = {
      role_id_file_path = "templates/roleid"
      secret_id_file_path = "templates/secretid"
    }
  }

  sink {
    type = "file"

    config = {
      path = "templates/file-foo"
    }
  }
}

template {
  source      = "templates/template.ctmpl"
  destination = "templates/render.txt"
}

template.ctmpl:

{{ with secret "my-app/data/testsecret" }}
passwd: {{ .Data.data.passwd }}
{{ end }}

I think that the secret exists:

$ vault kv get my-app/testsecret
====== Metadata ======
Key              Value
---              -----
created_time     2020-10-22T07:18:48.205108671Z
deletion_time    n/a
destroyed        false
version          6

===== Data =====
Key       Value
---       -----
passwd    cat

The secret is kv v2:

$ vault secrets list --detailed |grep my-app
my-app/       kv           kv_5898e685           system         system     false             replicated     false        false                      map[version:2]    n/a                                                        cd436e93-db3b-c317-1c31-6967c7b25764
Solution

  • Finally i can solve the issue recreating the secret-id:

    vault write -f auth/approle/role/test-role/secret-id

    And overwriting the secret_id_file_path (templates/secretid), after that the template has been rendered!!!

     vault agent -config=templates/config.hcl
==> Vault agent started! Log data will stream in below:

==> Vault agent configuration:

                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.5.4
             Version Sha: 1a730771ec70149293efe91e1d283b10d255c6d1

2020-10-22T13:28:59.096+0200 [INFO]  sink.server: starting sink server
2020-10-22T13:28:59.096+0200 [INFO]  auth.handler: starting auth handler
2020-10-22T13:28:59.097+0200 [INFO]  auth.handler: authenticating
2020-10-22T13:28:59.096+0200 [INFO]  template.server: starting template server
2020/10/22 11:28:59.097331 [INFO] (runner) creating new runner (dry: false, once: false)
2020/10/22 11:28:59.097874 [INFO] (runner) creating watcher
2020-10-22T13:28:59.125+0200 [INFO]  auth.handler: authentication successful, sending token to sinks
2020-10-22T13:28:59.125+0200 [INFO]  auth.handler: starting renewal process
2020-10-22T13:28:59.125+0200 [INFO]  template.server: template server received new token
2020/10/22 11:28:59.125672 [INFO] (runner) stopping
2020/10/22 11:28:59.125710 [INFO] (runner) creating new runner (dry: false, once: false)
2020/10/22 11:28:59.125847 [INFO] (runner) creating watcher
2020/10/22 11:28:59.125955 [INFO] (runner) starting
2020-10-22T13:28:59.161+0200 [INFO]  auth.handler: renewed auth token
2020/10/22 11:28:59.251586 [INFO] (runner) rendered "templates/render.txt" => "templates/_env"