Envconsul tries to renew Vault wrapping token instead of the initial (wrapped) one

Duplicating it’s here assuming that I might miss/misunderstood something.


Envconul tries to renew wrapping token instead of the initial (wrapped) one.
Although the unwrapping process itself actually works (envconsul is able to retrieve secrets), the Vault token connot renewed which leads to child process fail once it expires.

Because of this issue, there’s currently no use of using wrapping in envconsul :frowning:

Envconsul version

envconsul v0.9.0 (fd1ee3c)


# envconsul -pristine -no-prefix -vault-token=$token -vault-unwrap-token -secret dev-db/creds/test bash ./main.sh 
2019/10/24 13:52:10.886593 [WARN] vault.token: failed to renew: Error making API request.

URL: PUT https://vault.example.com/v1/auth/token/renew-self
Code: 403. Errors:

* permission denied
2019/10/24 13:52:10.886637 [WARN] vault.token: renewer returned (maybe the lease expired)
. . .

Debug output

Expected behavior

Envconsul must renew the initial token received after unwrap operation.

Actual behavior

Instead, envconsul tries to renew the wrapping token.

Steps to reproduce

  1. Create new wrapped token
  2. Provide wrapping token to envconsul
  3. Run envconsul with -vault-unwrap-token option

Original Issue