We have set up a Node.js application to access Vault secrets through an AppRole + SecretID combination… It works fine sometimes but fails sometimes with “permission denied”. And later, after a few hours, with no code changes, it is working again…
I wonder whether it’s something to do with how you’ve configured the AppRole, maybe around TTLs? Could you share (sanitised) statements showing how you configured it?
I am using the settings from the default AppRole definition.
So, the settings as listed in this DevDot tutorial, you mean, for example?
vault write auth/approle/role/jenkins \
    secret_id_bound_cidrs="0.0.0.0/0","127.0.0.1/32" \
    secret_id_ttl=60m \
    secret_id_num_uses=5 \
    enable_local_secret_ids=false \
    token_bound_cidrs="0.0.0.0/0","127.0.0.1/32" \
    token_num_uses=10 \
    token_ttl=1h \
    token_max_ttl=3h \
    token_type=default \
    period="" \
    policies="default","test"
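As an added example (not code from the thread or from Vault itself), the following Node.js snippet models what the quoted settings mean for a long-running client: a token issued under `token_ttl=1h` and `token_num_uses=10` is refused by Vault with HTTP 403 "permission denied" once an hour has elapsed or ten requests have consumed it, so a process that logs in once and caches the token indefinitely will fail until it authenticates again. The login call is injected; `makeMockLogin` is a constructed stand-in for `POST auth/approle/login` returning the `client_token`, `lease_duration` and `num_uses` fields of a real response, and the clock is injectable so the scenario runs offline.

```javascript
// Added example, not part of the original thread. Models token lifetime and
// use-count budgeting for a Vault AppRole client; the login function is a mock.

class AppRoleTokenManager {
  // loginFn returns the "auth" fields of a login response:
  //   { client_token, lease_duration (seconds), num_uses (0 = unlimited) }
  // now returns epoch seconds and is injectable so a test can drive the clock.
  constructor(loginFn, { now = () => Math.floor(Date.now() / 1000), safetyMargin = 30 } = {}) {
    this.loginFn = loginFn;
    this.now = now;
    this.safetyMargin = safetyMargin; // log in again this many seconds before expiry
    this.token = null;
    this.expiresAt = 0;
    this.usesLeft = 0;
    this.logins = 0;
  }

  login() {
    const auth = this.loginFn();
    this.token = auth.client_token;
    this.expiresAt = auth.lease_duration > 0 ? this.now() + auth.lease_duration : Infinity;
    this.usesLeft = auth.num_uses > 0 ? auth.num_uses : Infinity;
    this.logins += 1;
  }

  needsLogin() {
    if (this.token === null || this.usesLeft <= 0) return true;
    return this.now() + this.safetyMargin >= this.expiresAt;
  }

  // Hand out a token for exactly one request, logging in again first when the
  // cached one is expired, about to expire, or out of token_num_uses.
  getToken() {
    if (this.needsLogin()) this.login();
    this.usesLeft -= 1;
    return this.token;
  }
}

// Constructed stand-in for the login response of a role with
// token_ttl=1h and token_num_uses=10 (hypothetical token values).
function makeMockLogin() {
  let issued = 0;
  return () => {
    issued += 1;
    return { client_token: `hvs.mock-${issued}`, lease_duration: 3600, num_uses: 10 };
  };
}

// Scenario with a fake clock: ten requests exhaust the first token, an eleventh
// forces a fresh login, then two idle hours expire that second token too.
function simulate() {
  let clock = 1_700_000_000;
  const mgr = new AppRoleTokenManager(makeMockLogin(), { now: () => clock });
  const first = mgr.getToken();
  for (let i = 1; i < 10; i++) mgr.getToken();     // uses 2..10 of the first token
  const afterUses = mgr.getToken();                // num_uses exhausted: second login
  clock += 2 * 3600;                               // token_ttl was 1h; token is now expired
  const afterTtl = mgr.getToken();                 // third login
  return { logins: mgr.logins, first, afterUses, afterTtl };
}

console.log(simulate());
```

The model covers the token side only. With `secret_id_ttl=60m` and `secret_id_num_uses=5`, the SecretID used for those re-logins also expires after an hour or five logins, so a client that keeps re-authenticating with one cached SecretID eventually fails at the login step instead; a real deployment needs a fresh SecretID delivered to the client before that budget runs out.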
Can you please reply… We have already been using the Vault in this configuration and have saved more than a dozen secrets in the KV store. And then we faced this issue and are now unable to access the Vault…
Do you have any audit devices enabled?
The audit logs can be reviewed to see which request(s) are failing and may provide some clues as to why it’s failing.
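To show what the review suggested above looks like in practice, here is an added Node.js example (not from the thread) that triages Vault audit-device output. File audit devices write one JSON object per line with `time`, `type`, `auth`, `request` and, for failures, a top-level `error`; the lines below are constructed to mirror that shape and are not real log data. The triage keeps only failed `response` entries and buckets them by path, operation and error text, separating requests whose token Vault could resolve (an `auth` block with policies is present, pointing at a policy grant problem) from requests with no resolvable token (no `auth` block, pointing at an expired, revoked or used-up token). The treatment of a missing `auth` block as "token not resolved" is the heuristic this example applies to its constructed entries.

```javascript
// Added example, not part of the original thread. Constructed Vault audit-log
// lines (JSON-lines shape) followed by a small triage of the failing requests.
const SAMPLE_AUDIT_LINES = [
  JSON.stringify({ time: "2024-03-01T09:00:02Z", type: "response",
    auth: { accessor: "hmac-sha256:acc1", display_name: "approle", policies: ["default", "test"], token_ttl: 3600 },
    request: { id: "r-1", operation: "update", path: "auth/approle/login", remote_address: "10.0.0.5" },
    response: { auth: { token_ttl: 3600, num_uses: 10 } } }),
  JSON.stringify({ time: "2024-03-01T09:00:03Z", type: "response",
    auth: { accessor: "hmac-sha256:acc1", display_name: "approle", policies: ["default", "test"], token_ttl: 3600 },
    request: { id: "r-2", operation: "read", path: "secret/data/app/db", remote_address: "10.0.0.5" },
    response: { data: { data: "hmac-sha256:redacted" } } }),
  // Two hours later, same client: no resolvable token, so no auth block is recorded.
  JSON.stringify({ time: "2024-03-01T11:10:00Z", type: "response",
    request: { id: "r-3", operation: "read", path: "secret/data/app/db", remote_address: "10.0.0.5" },
    error: "1 error occurred:\n\t* permission denied\n\n" }),
  JSON.stringify({ time: "2024-03-01T11:10:30Z", type: "response",
    request: { id: "r-4", operation: "read", path: "secret/data/app/db", remote_address: "10.0.0.5" },
    error: "1 error occurred:\n\t* permission denied\n\n" }),
  // A token that resolves but whose policies do not cover the path: a policy problem.
  JSON.stringify({ time: "2024-03-01T11:12:00Z", type: "response",
    auth: { accessor: "hmac-sha256:acc2", display_name: "approle", policies: ["default"], token_ttl: 3600 },
    request: { id: "r-5", operation: "read", path: "secret/data/other/key", remote_address: "10.0.0.9" },
    error: "1 error occurred:\n\t* permission denied\n\n" }),
  // "request" entries are logged before the response; skip them to avoid double counting.
  JSON.stringify({ time: "2024-03-01T11:12:00Z", type: "request",
    request: { id: "r-5", operation: "read", path: "secret/data/other/key" } }),
];

// Reduce Vault's multi-line error string to its first bulleted message.
function summariseError(err) {
  const m = /\*\s*(.+)/.exec(err || "");
  return m ? m[1].trim() : (err || "").trim();
}

// Parse JSON lines, keep failed response entries, and bucket them by path,
// operation, error text and whether the request carried a resolvable token.
function triageAuditLog(lines) {
  const buckets = new Map();
  for (const line of lines) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch (e) { continue; }   // skip truncated lines
    if (entry.type !== "response" || !entry.error) continue;
    const tokenResolved = Boolean(entry.auth && entry.auth.accessor);
    const error = summariseError(entry.error);
    const key = [entry.request.path, entry.request.operation, error, tokenResolved].join("|");
    const b = buckets.get(key) || {
      path: entry.request.path, operation: entry.request.operation, error, tokenResolved,
      count: 0, firstSeen: entry.time, lastSeen: entry.time, policies: new Set(), clients: new Set(),
    };
    b.count += 1;
    if (entry.time < b.firstSeen) b.firstSeen = entry.time;   // ISO-8601 UTC sorts lexically
    if (entry.time > b.lastSeen) b.lastSeen = entry.time;
    for (const p of (entry.auth && entry.auth.policies) || []) b.policies.add(p);
    if (entry.request.remote_address) b.clients.add(entry.request.remote_address);
    buckets.set(key, b);
  }
  return [...buckets.values()]
    .map((b) => ({ ...b, policies: [...b.policies].sort(), clients: [...b.clients].sort() }))
    .sort((a, c) => c.count - a.count);
}

const REPORT = triageAuditLog(SAMPLE_AUDIT_LINES);
for (const b of REPORT) {
  const hint = b.tokenResolved
    ? `token policies [${b.policies.join(", ")}]: check policy grants for this path`
    : `no resolvable token: check token TTL, num_uses and the client's re-login`;
  console.log(`${b.count}x ${b.operation} ${b.path} "${b.error}" (${hint}) ` +
              `${b.firstSeen}..${b.lastSeen} from ${b.clients.join(", ")}`);
}
```

Run against a real file with `fs.readFileSync(path, "utf8").split("\n")` in place of the constructed array. Audit logs HMAC the token, accessor and response data by default, so the accessor values compare within one log but do not reveal the token itself; timestamps of the first failure after the last successful login, set against the role's `token_ttl` and `token_num_uses`, are usually the most useful correlation.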