Check out our blog on managing Consul ACLs with Terraform and Vault! Please post questions or comments here.
Hello, thanks for the blog. I am trying to replicate the steps in my environment and I am hitting a strange error that I don't know how to debug.
Here are the steps I execute:
main.tf
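# Mounts the Consul secrets engine at "consul".
#
# ca_cert / client_cert / client_key are forwarded to Vault's consul/config/access
# endpoint as x509 PEM text, not as file paths. A path string is stored as-is and
# only parsed when Vault dials Consul over TLS, which is consistent with the role
# list/read calls succeeding and only the creds call failing with
# "tls: failed to find any PEM data in certificate input". file() reads the PEM
# contents on the host running Terraform.
resource "vault_consul_secret_backend" "this" {
  path        = "consul"
  description = "Manages the Consul backend"

  # Management token Vault uses to mint Consul tokens, sourced from Secrets
  # Manager rather than hard-coded. Like client_key below it is persisted in
  # Terraform state, so the state backend must be access-controlled/encrypted.
  token = data.aws_secretsmanager_secret_version.consul.secret_string

  address = "consul.service.brain.consul:8500"
  scheme  = "https"

  # PEM contents read at plan/apply time; the files must exist on the runner.
  ca_cert     = file("/etc/core/runner_tls/cachain.pem")
  client_cert = file("/etc/core/runner_tls/consul.pem")
  client_key  = file("/etc/core/runner_tls/consul.key")

  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 3600
}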
# Role under the "consul" mount. Reading creds/consul-admin-role mints a Consul
# token carrying consul-admin-policy; the "show role" output above reports
# token_type "client" and ttl/max_ttl 0 — presumably falling back to the mount's
# lease TTLs (confirm against the engine docs).
resource "vault_consul_secret_backend_role" "this" {
  backend  = vault_consul_secret_backend.this.path
  name     = "consul-admin-role"
  policies = ["consul-admin-policy"]
}
list roles
# LIST /v1/consul/roles: enumerate role names under the mount (token redacted).
# A token passed on the command line is visible in shell history and process
# listings on the client host; an environment variable or a token file avoids that.
curl -H "X-Vault-Token: s.xxx" \
  -X LIST \
  --key /opt/vault/tls/vault.key \
  --cert /opt/vault/tls/vault.pem \
  --cacert /opt/vault/tls/cachain.pem \
  https://vault.service.brain.consul:8200/v1/consul/roles
output
{"request_id":"9c2ed5dd-c54e-a6d2-8020-4cfbe3d108d9","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["consul-admin-role"]},"wrap_info":null,"warnings":null,"auth":null}
show role
# GET /v1/consul/roles/consul-admin-role: read the role definition (token redacted).
curl -H "X-Vault-Token: s.xxx" \
  --key /opt/vault/tls/vault.key \
  --cert /opt/vault/tls/vault.pem \
  --cacert /opt/vault/tls/cachain.pem \
  https://vault.service.brain.consul:8200/v1/consul/roles/consul-admin-role
output
{"request_id":"76b01250-2ab3-0b61-6646-fe1dfa3eca5f","lease_id":"","renewable":false,"lease_duration":0,"data":{"lease":0,"local":false,"max_ttl":0,"policies":["consul-admin-policy"],"token_type":"client","ttl":0},"wrap_info":null,"warnings":null,"auth":null}
get role token
# GET /v1/consul/creds/consul-admin-role: ask Vault to mint a Consul token for
# the role (token redacted). This is the first call that makes Vault open a TLS
# connection to Consul with the configured client certificate.
curl -H "X-Vault-Token: s.xxx" \
  --key /opt/vault/tls/vault.key \
  --cert /opt/vault/tls/vault.pem \
  --cacert /opt/vault/tls/cachain.pem \
  https://vault.service.brain.consul:8200/v1/consul/creds/consul-admin-role
output (ERROR)
{"errors":["1 error occurred:\n\t* tls: failed to find any PEM data in certificate input\n\n"]}
The Vault token that I am using:
Key Value
--- -----
token n/a
token_accessor n/a
token_duration 7h47m28s
token_renewable true
token_policies ["consul-secrets-policy" "default" "token-auth-policy" "vault-admin-policy"]
identity_policies []
policies ["consul-secrets-policy" "default" "token-auth-policy" "vault-admin-policy"]
token_meta_account_id xxx
token_meta_auth_type iam
token_meta_role_id x-x-x-x-x
consul-secrets-policy:
# Vault policy for the token operating the Consul secrets engine. The leading
# slash on each path is tolerated (the list/read calls above succeed with it).
# "/consul/roles/*" appears three times; these could likely be collapsed into one
# stanza with create/update/read/delete — confirm Vault's same-path merge
# behaviour before consolidating.

# Write the engine's connection settings (token, address, TLS material).
path "/consul/config/access" {
capabilities = ["create","update"]
}
# Create or update a role.
path "/consul/roles/*" {
capabilities = ["create","update"]
}
# Read a role definition (the "show role" call above).
path "/consul/roles/*" {
capabilities = ["read"]
}
# Mint a Consul token for a role (the "get role token" call above). The error
# returned there is a TLS/PEM parsing error, not a permission denial, so this
# grant is not the cause.
path "/consul/creds/*" {
capabilities = ["read"]
}
# Enumerate role names (the "list roles" call above).
path "/consul/roles" {
capabilities = ["list"]
}
# Delete a role.
path "/consul/roles/*" {
capabilities = ["delete"]
}
consul-admin-policy:
# Consul ACL policy attached to every token Vault mints for consul-admin-role.
# operator = "write" plus acl = "write" and write on every agent/service/node/key
# prefix is close to global-management scope; each minted token carries all of
# it, so keep the role's lease short and narrow these rules where the workload
# allows.
# https://www.consul.io/api-docs/agent#retrieve-host-information
operator = "write"
# Full control over the ACL system itself (tokens, policies, roles).
acl = "write"
# https://www.consul.io/api-docs/catalog#list-nodes-for-service
# Each exact-match "" rule is paired with a *_prefix "" rule; an empty prefix
# matches every name, so the pairs below grant write on all agents, services
# and nodes, and on the whole KV tree.
agent "" {
policy = "write"
}
agent_prefix "" {
policy = "write"
}
service "" {
policy = "write"
}
service_prefix "" {
policy = "write"
}
node "" {
policy = "write"
}
node_prefix "" {
policy = "write"
}
key_prefix "" {
policy = "write"
}
Any ideas on how to solve this one?