Facing a issue with hasicorp

I have a server (A) where i have installed the hasicorp listenning on https::8200, and i have approle enabled on this vault i have a service running on server (B), and configured all the needed details like roleid,secretid in server (B) but when i try to enbale vault on server (B) its throwing permission denied error can you please help me here

– verified on Server (A)
it is having all access to path in .hcl file
using same command vault read -secreid <> roleid <> giving result in server (A) but on server (B) throwing permission error 403

Any help will be appreciated, stuck with this from last 3 days can some one can help me here

Hi @devraj.v619 ,

Sounds like you are trying to set up Vault on your own compute instances (enterprise or community)? This was tagged for the HCP, and HCP Consul categories so just trying to make sure I understand what you are trying to set up.

Can you please confirm which of the scenarios you are working on?

1. Server A is running Vault server, and server B is trying to read a secret from Vault on server A?

   or

2. Server A is running Vault server, and you are trying to set up server B to be the 2nd node in a Vault cluster?

Using community edition hasicorp vault, as i have a mysql server running on server B and vault running on server A as per the doc https://dev.mysql.com/blog-archive/mysql-keyring-now-speaks-hashicorp-vault/ i have did all the steps at the last step mysql is throwing permission denied error when i try to read the data using the roleid and secret id from server B even im getting same permission denied 403 error

Thanks for confirming and sharing the link you’re following. I will try to take a look at the MySQL tutorial in a few days in more detail. Caveat, it’s been many years since I’ve supported MySQL, so certainly not an expert there.

Off the top of my head, since you’re running Vault and MySQL on two separate instances, you can try and update your Vault config to:

listener "tcp" {
  address="0.0.0.0:8200"
  tls_cert_file="/home/username/certificates/vault.crt"
  tls_key_file="/home/username/certificates/vault.key"
}
 
storage "file" {
  path = "/home/username/vaultstorage/storage"
}
 
ui = true

# Advertise the non-loopback interface
api_addr = "https://actual-IP-serverA:8200"
cluster_addr = "https://actual-IP-serverA:8201"

I think the MySQL tutorial assumes you are running both MySQL and Vault on the same instance (e.g. both on serverA).

Setting the TCP listener to 0.0.0.0:8200 and setting the API and cluster addr to the actual IP of serverA will allow incoming connections on IPs other than localhost/127.0.0.1.

If you look at the output from the " Configuring the plugin" section, it shows the URL as for k_h_commit_server_url and k_h_server_url connecting to https://127.0.0.1:8200 which is literally looking at itself/serverB.

Thank you @jonathanfrappier for the reply,

i tried the above config still im getting the same error

I will try to review in the next few days. Until then, you may get more help by posting this with some additional detail (such as your Vault config) in the Vault category instead of HCP rather than just tagging it Vault.

Sure posting the details

Hi @jonathanfrappier @azamb5010_adss Thank you for the help posting below is my configartion in vault server (Server A)

Vault.hcl [Server A]
ui = true
cluster_addr = “https://1.2.3.4:8201”
api_addr = “https://1.2.3.4:8200”

storage “file” {
path = “/path/to/vault/data”
}

listener “tcp” {
address = “1.2.3.4:8200”
tls_cert_file = “/path/to/full-chain.pem”
tls_key_file = “/path/to/private-key.pem”
}

mysql.hcl [ role]
path “kv/mysql/*” {
capabilities = [“create”, “read”, “update”, “delete”, “list”]
}

== command used for approle
vault policy write mysql-policy mysql.hcl
vault write auth/approle/role/mysql policies=mysql-policy

vault read auth/approle/role/mysql/role-id

vault write -f auth/approle/role/mysql/secret-id

[mysqld]
early-plugin-load=keyring_hashicorp.so
keyring_hashicorp_role_id=‘ee3b495c-d0c9-11e9-8881-8444c71c32aa’
keyring_hashicorp_secret_id=‘0512af29-d0ca-11e9-95ee-0010e00dd718’
keyring_hashicorp_store_path=‘/v1/kv/mysql’
keyring_hashicorp_auth_path=‘/v1/auth/approle/login’

The tutorial and associated documentation from MySQL has some info gaps for a MySQL novice like myself, but one thing you may need to try adding to your MySQL configuration:

--keyring_hashicorp_server_url=https://1.2.3.4:8200

That was the only bit from the documentation that stood out given your scenario of having Vault and MySQL running on different instances.

I tried to start up a MySQL container with the config file suggested in the doc you provided a link to, but it won’t stay running. Seems to fail to start if I pass the --early-plugin-load parameter. Guessing that is not supported by the MySQL container image.

I’ve meticulously configured Vault on my primary server (Server A), ensuring flawless operation with AppRole authentication. When I attempt to replicate christmas spin wheel this success on a secondary server (Server B) using identical Role ID and Secret ID credentials, a persistent permission denied error (403). My rigorous verification of credentials, meticulous network configuration, and meticulous policy setup within Vault, the elusive resolution remains beyond my grasp.

Hi @kivenmerakh

I would suggest starting a new post in the Vault topic, as this topic is for the HashiCorp Cloud Platform. You may get some additional people to see the post.

Also, if you can share some more details in your new post, that would be helpful as well. Is server (A) and server (B) part of the same cluster? Different clusters? Also sharing your Vault configuration would be helpful.