I am using the HashiCorp Vault agent in a Windows environment, and I have set it up as a Windows service. Other API calls and CLI commands are working.
When I create a wrap request with some data in the request body, I get the default TTL of 300s back. The "X-Vault-Wrap-TTL" value is somehow overwritten or ignored.
```
# Wrap request sent to the agent listener; the response still reports a 300s TTL
Invoke-WebRequest -Uri "$VaultAddress/v1/sys/wrapping/wrap" `
    -Headers @{
        "X-Vault-Token"    = $Token
        "X-Vault-Wrap-TTL" = "400s"
    } `
    -Method POST `
    -Body $Body `
    -ContentType $ContentType
```
I have also tried this with curl, same exact issue.
```
# Header syntax is "Name: value"; the original post had "X-Vault-Wrap-TTL=400s", which curl does not send as a header
curl --header "X-Vault-Token: ..." --header "X-Vault-Wrap-TTL: 400s" --request POST --data "foo=bar" http://127.0.0.1:8200/v1/sys/wrapping/wrap
```
But if I use the vault agent CLI, it works and I get my preferred TTL. Therefore it can’t be an authorisation issue.
```
PS C:\HashiVault> .\vault write -wrap-ttl=80m sys/wrapping/wrap foo=bar
Key                              Value
---                              -----
wrapping_token:                  hvs....
wrapping_accessor:               ....
wrapping_token_ttl:              1h20m
wrapping_token_creation_time:    2024-08-...
wrapping_token_creation_path:    sys/wrapping/wrap
```
Thanks for any help.
Odd, I’ve never used it with the API.
Maybe you are using an older version of Vault server, or it could be a bug.
I have figured out the issue. If I send the request directly to the vault server without using the vault agent as a forwarding proxy, it works. Somehow the vault agent overrides the setting.
But I don’t know where I can change this override.
What does your Vault agent config look like (de-identified please)? I have not used Vault agent, but looking over this doc: could `wrap_ttl` be causing what you are seeing?
I created the configuration as per the documentation and looked at the Udemy course to see if I had made any mistakes.
```
pid_file  = ".../agent.pid"
log_file  = ".../agent-warning.log"
log_level = "trace"

vault {
  address = "${env:VAULT_ADDR}"
}

auto_auth {
  method "approle" {
    mount_path  = "auth/temp_approle"
    min_backoff = "5s"
    max_backoff = "60s"
    exit_on_err = true
    config = {
      role_id_file_path                   = "...role.txt"
      secret_id_file_path                 = "...secret.txt"
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    wrap_ttl = "30m"
    config = {
      path = "...sink.json"
    }
  }
}

cache {
  use_auto_auth_token = true
  cache_duration      = "60m"
  max_entry_count     = 0
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true
  retry {
    num_retries    = 5
    retry_wait_min = "1s"
    retry_wait_max = "5s"
  }
}
```
The first time, the AppRole works and my wrap_ttl is 30 minutes. For my approach, I need to unwrap and rewrap the token in the sink file. If I send the command directly to the server it works, but via the agent the agent overrides the value or ignores it, resulting in the default wrap_ttl of 5 minutes being used.
Looks like this may be a known issue (GitHub issue opened 29 Dec 2021, labelled core/token, agent):
While working with one of the services in Kubernetes, we ran into a problem where it was unable to set the wrap TTL for a token created by the endpoint `sys/wrapping/wrap`. Whatever value was set, the TTL of the token was always 5 minutes. Although, the TTL worked fine with other endpoints.
After researching, we found out that it was caused by the vault-agent sidecar, which was running on the same pod with the service.
Because the vault agent doesn't have a custom wrapping lookup function, the default one will be used. [The default function](https://github.com/hashicorp/vault/blob/release/1.9.x/api/client.go#L1009) always returns the default value of `5m` for `sys/wrapping/wrap`.
The header of the request, which needs to be forwarded, then [gets copied](https://github.com/hashicorp/vault/blob/release/1.9.x/api/client.go#L1012) to a new one.
Because the `r.WrapTTL` of the request is not empty, it will [overwrite the header](https://github.com/hashicorp/vault/blob/release/1.9.x/api/request.go#L133) of the HTTP request, which will be sent out.
We were looking for a way to set the env variable `VAULT_WRAP_TTL` for the vault agent, but it doesn't seem to support it.
**To Reproduce**
1. Run a vault instance
2. Run a vault agent. It should point to the vault instance.
3. Create a service that uses the golang API [to write](https://github.com/hashicorp/vault/blob/main/api/logical.go#L134) to `sys/wrapping/wrap`. The API client should point to the vault agent. Set up a custom wrapping look-up function to return a constant.
```
package main

import (
	"log"

	vaultAPI "github.com/hashicorp/vault/api"
)

func main() {
	client, err := vaultAPI.NewClient(&vaultAPI.Config{Address: "<vault-agent-address>"})
	if err != nil {
		log.Fatal(err)
	}
	// Custom lookup: ask for a 30m wrap TTL on every request.
	client.SetWrappingLookupFunc(func(operation, path string) string {
		return "30m"
	})
	secret, err := client.Logical().Write("sys/wrapping/wrap", map[string]interface{}{"foo": "bar"})
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("wrapping_token_ttl=%ds", secret.WrapInfo.TTL) // 300 when proxied through the agent
}
```
4. Look up the token with `vault token lookup`.
5. The token TTL is 5m.
**Expected behavior**
Token TTL is set to the value in the header `X-Vault-Wrap-TTL`
May be worth commenting on the issue to raise that it's still ongoing.
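The overwrite the issue describes, reconstructed as an added example so the mechanism and its fix can be seen end to end. This is not Vault's, Vault Agent's or the issue author's code: `defaultWrappingLookup` is a constructed stand-in for the client library's default lookup (5m for a write to `sys/wrapping/wrap`, nothing otherwise), `newAgent` is a toy forwarding proxy that copies the caller's headers and then applies the lookup result the way the issue says the agent does, and `preserveCaller=true` is the one-line change that keeps a caller-supplied `X-Vault-Wrap-TTL`. The upstream (`newFakeVault`) is a fake that reports back the header it received in a made-up field `received_wrap_ttl`; the token value is constructed and never checked.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const wrapTTLHeader = "X-Vault-Wrap-TTL"

// defaultWrappingLookup is a constructed stand-in for the client library's
// default lookup as the issue describes it: a PUT/POST to sys/wrapping/wrap
// always yields "5m"; every other request yields "" (no wrapping).
func defaultWrappingLookup(operation, path string) string {
	if (operation == http.MethodPut || operation == http.MethodPost) && path == "sys/wrapping/wrap" {
		return "5m"
	}
	return ""
}

// outboundHeaders builds the header set a forwarding proxy sends upstream.
// preserveCaller=false reproduces the bug: the caller's copied header is
// replaced by the lookup result. preserveCaller=true is the fix: the lookup
// result is only a fallback when the caller sent no wrap TTL of its own.
func outboundHeaders(in http.Header, method, path string, preserveCaller bool) http.Header {
	out := in.Clone()
	if out == nil {
		out = http.Header{}
	}
	if ttl := defaultWrappingLookup(method, path); ttl != "" {
		if !preserveCaller || out.Get(wrapTTLHeader) == "" {
			out.Set(wrapTTLHeader, ttl)
		}
	}
	return out
}

// newAgent is a toy forwarding proxy (not Vault Agent) that relays each
// request to upstream with the headers outboundHeaders produces.
func newAgent(upstream string, preserveCaller bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		req, err := http.NewRequest(r.Method, upstream+r.URL.Path, bytes.NewReader(body))
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		path := strings.TrimPrefix(r.URL.Path, "/v1/")
		req.Header = outboundHeaders(r.Header, r.Method, path, preserveCaller)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	}))
}

// newFakeVault stands in for the server: it only reports the wrap TTL it
// received (made-up field), so the proxy's effect on the header is observable.
func newFakeVault() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string]string{"received_wrap_ttl": r.Header.Get(wrapTTLHeader)})
	}))
}

// wrapTTLSeen sends a wrap request asking for requestedTTL through the proxy
// at proxyURL and returns the TTL the upstream actually received.
func wrapTTLSeen(proxyURL, requestedTTL string) (string, error) {
	req, err := http.NewRequest(http.MethodPost, proxyURL+"/v1/sys/wrapping/wrap", strings.NewReader(`{"foo":"bar"}`))
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", "constructed-token") // constructed; the fake never checks it
	req.Header.Set(wrapTTLHeader, requestedTTL)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct {
		ReceivedWrapTTL string `json:"received_wrap_ttl"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	return out.ReceivedWrapTTL, nil
}

func main() {
	vault := newFakeVault()
	defer vault.Close()
	for _, preserve := range []bool{false, true} {
		agent := newAgent(vault.URL, preserve)
		seen, err := wrapTTLSeen(agent.URL, "400s")
		agent.Close()
		fmt.Printf("preserveCaller=%-5v requested=400s upstream saw=%q err=%v\n", preserve, seen, err)
	}
}
```

Run as-is and the first line shows a requested 400s arriving upstream as 5m, the second shows it preserved. Against a real deployment the equivalent check is the one the original poster ended up doing: send the same `sys/wrapping/wrap` request once to the agent listener and once directly to `VAULT_ADDR` and compare `wrapping_token_ttl`; a difference on that path only, with other endpoints honouring the header, is this behaviour and not an authorisation problem. The `preserveCaller` branch is illustrative of the fix's shape, not a patch to the agent.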