Duplicating it here, assuming that I might have missed/misunderstood something.
Envconsul tries to renew the wrapping token instead of the initial (wrapped) one.
Although the unwrapping process itself actually works (envconsul is able to retrieve secrets), the Vault token cannot be renewed, which leads to the child process failing once it expires.
Because of this issue, there’s currently no use in using wrapping in envconsul.
envconsul v0.9.0 (fd1ee3c)
```
# envconsul -pristine -no-prefix -vault-token=$token -vault-unwrap-token -secret dev-db/creds/test bash ./main.sh
2019/10/24 13:52:10.886593 [WARN] vault.token: failed to renew: Error making API request.
URL: PUT https://vault.example.com/v1/auth/token/renew-self
Code: 403. Errors:
* permission denied
2019/10/24 13:52:10.886637 [WARN] vault.token: renewer returned (maybe the lease expired)
PWD=/git/yo/terraform/stacks/dev/test
username=xxxxxxx
SHLVL=1
password=xxxxxxx
_=/usr/bin/env
. . .
```
Envconsul must renew the initial token received after the unwrap operation.
Instead, envconsul tries to renew the wrapping token.
Steps to reproduce
- Create new wrapped token
- Provide wrapping token to envconsul
- Run envconsul with
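
Added example (not part of the original issue, and not envconsul or Vault code): a constructed in-memory model of the unwrap and renew-self calls, showing the reported behaviour next to the expected one. `FakeVault` and every function name are hypothetical; the model assumes only that a wrapping token is single use and is not itself a renewable token.

```python
# Constructed illustration: an in-memory stand-in for Vault's unwrap and
# renew-self endpoints. All class and function names are hypothetical.
import secrets

class PermissionDenied(Exception):
    """Stands in for the HTTP 403 'permission denied' response."""

class FakeVault:
    def __init__(self):
        self.tokens = {}    # renewable tokens -> number of renewals so far
        self.wrapped = {}   # single-use wrapping token -> wrapped token

    def create_wrapped_token(self):
        inner = "inner-" + secrets.token_hex(4)
        wrapping = "wrap-" + secrets.token_hex(4)
        self.tokens[inner] = 0
        self.wrapped[wrapping] = inner
        return wrapping

    def unwrap(self, wrapping):
        # Single use: pop() invalidates the wrapping token on first unwrap.
        if wrapping not in self.wrapped:
            raise PermissionDenied("sys/wrapping/unwrap")
        return self.wrapped.pop(wrapping)

    def renew_self(self, token):
        # Only real (unwrapped) tokens can be renewed.
        if token not in self.tokens:
            raise PermissionDenied("auth/token/renew-self")
        self.tokens[token] += 1
        return self.tokens[token]

def renew_with_wrapping_token(vault, supplied):
    """Reported behaviour: unwrap succeeds, renewal uses the supplied token."""
    vault.unwrap(supplied)
    return vault.renew_self(supplied)

def renew_with_unwrapped_token(vault, supplied):
    """Expected behaviour: switch to the unwrapped token before renewing."""
    token = vault.unwrap(supplied)
    return vault.renew_self(token)

def demo():
    vault = FakeVault()
    try:
        renew_with_wrapping_token(vault, vault.create_wrapped_token())
        reported = "renewed"
    except PermissionDenied as err:
        reported = f"403 on {err}"
    expected = renew_with_unwrapped_token(vault, vault.create_wrapped_token())
    return reported, expected

if __name__ == "__main__":
    print(demo())
```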