Envconsul tries to renew Vault wrapping token instead of the initial (wrapped) one

PavelMikhailouski · October 24, 2019, 2:29pm

Duplicating it’s here assuming that I might miss/misunderstood something.

Description

Envconul tries to renew wrapping token instead of the initial (wrapped) one.
Although the unwrapping process itself actually works (envconsul is able to retrieve secrets), the Vault token connot renewed which leads to child process fail once it expires.

Because of this issue, there’s currently no use of using wrapping in envconsul

Envconsul version

envconsul v0.9.0 (fd1ee3c)

Command

# envconsul -pristine -no-prefix -vault-token=$token -vault-unwrap-token -secret dev-db/creds/test bash ./main.sh 
2019/10/24 13:52:10.886593 [WARN] vault.token: failed to renew: Error making API request.

URL: PUT https://vault.example.com/v1/auth/token/renew-self
Code: 403. Errors:

* permission denied
2019/10/24 13:52:10.886637 [WARN] vault.token: renewer returned (maybe the lease expired)
PWD=/git/yo/terraform/stacks/dev/test
username=xxxxxxx
SHLVL=1
password=xxxxxxx
_=/usr/bin/env
. . .

Debug output

gist.github.com

https://gist.github.com/PavelMikhailouski/47623ec4850ffe4a98e6615f8e4fa9f8

envconsul.log

2019/10/24 13:59:15.910156 [INFO] envconsul v0.9.0 (fd1ee3c7)
2019/10/24 13:59:15.910201 [INFO] (runner) creating new runner (once: false)
2019/10/24 13:59:15.911168 [DEBUG] (runner) final config: {"Consul":{"Address":"","Auth":{"Enabled":false,"Username":"","Password":""},"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":false,"Key":"","ServerName":"","Verify":true},"Token":"","Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":9,"TLSHandshakeTimeout":10000000000}},"Exec":{"Command":"bash ./main.sh","Enabled":true,"Env":{"Blacklist":[],"Custom":[],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":0,"Timeout":0},"KillSignal":2,"LogLevel":"debug","MaxStale":2000000000,"PidFile":"","Prefixes":[],"Pristine":true,"ReloadSignal":1,"Sanitize":false,"Secrets":[{"Format":"","NoPrefix":true,"Path":"dev-db/creds/test"}],"Syslog":{"Enabled":false,"Facility":"LOCAL0"},"Upcase":false,"Vault":{"Address":"https://vault.example.com","Enabled":true,"Grace":15000000000,"Namespace":"","RenewToken":true,"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":true,"Key":"","ServerName":"","Verify":true},"Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":9,"TLSHandshakeTimeout":10000000000},"UnwrapToken":true},"Wait":{"Enabled":false,"Min":0,"Max":0}}
2019/10/24 13:59:16.705847 [INFO] (runner) creating watcher
2019/10/24 13:59:16.705918 [DEBUG] (watcher) adding vault.token
2019/10/24 13:59:16.705982 [INFO] looking at vault dev-db/creds/test
2019/10/24 13:59:16.706221 [INFO] (runner) starting
2019/10/24 13:59:16.706332 [DEBUG] (watcher) adding vault.read(dev-db/creds/test)
2019/10/24 13:59:17.398169 [WARN] vault.token: failed to renew: Error making API request.

This file has been truncated. show original

Expected behavior

Envconsul must renew the initial token received after unwrap operation.

Actual behavior

Instead, envconsul tries to renew the wrapping token.

Steps to reproduce

Create new wrapped token
Provide wrapping token to envconsul
Run envconsul with -vault-unwrap-token option

Topic		Replies	Views
Unable to renew token autounseal Vault vault	6	717	May 9, 2022
Vault agent permission denied when performing renew-self operation Vault consul-template , vault	3	6261	August 19, 2024
Tokens becomes invalid after self renewal Vault	0	542	July 9, 2020
Envconsul v0.12.1 Consul envconsul	0	541	November 17, 2021
Forget vault root token Vault	10	3946	December 8, 2020