Missing: vault.read(kv/dev/servicename)

santrosyansevak · June 20, 2022, 12:30pm

Hello,

I am getting the following error, when trying to deploy the nomad job. Is anyone know whats the issue and how can we solve the problem ? The issue has been started previous week. The vault version 1.10.4 , after downgrading to 1.10.0 the same issue is persists.

vault.read(kv/development/servicename): failed to check if kv/development/servicename is KVv2, assume not: Error making API request.

URL: GET http://active.vault.service.consul:8200/v1/sys/internal/ui/mounts/kv/development/servicename
Code: 403. Errors:

preflight capability check returned 403, please ensure client’s policies grant access to path “kv/development/servicename/”
2022-06-20T07:29:49.717Z [WARN] agent: (view) vault.read(kv/development/servicename): vault.read(kv/development/servicenamei): Error making API request.

URL: GET http://active.vault.service.consul:8200/v1/kv/development/servicename
Code: 403. Errors:

1 error occurred:
* permission denied

santrosyansevak · June 20, 2022, 12:41pm

And this is the part of nomad script that was deployed and even worked earlier.

      vault {
        policies = ["servicename-dev"]
      }

      template {
        destination = "services.env"
        env         = true
        change_mode = "restart"
        data        = <<EOH
SERVICENAME_ADDRESS={{range $index, $service := service (printf "servicename-%s" (env "NOMAD_NAMESPACE"))}}{{.Address}}:{{.Port}} {{end}}
SERVICENAME_ADDRESS={{range $index, $service := service (printf "servicename-%s" (env "NOMAD_NAMESPACE"))}}{{.Address}}:{{.Port}} {{end}}
SERVICENAME_ADDRESS={{range $index, $service := service (printf "servicename-%s" (env "NOMAD_NAMESPACE"))}}{{.Address}}:{{.Port}} {{end}}
SERVICENAME_ADDRESS={{range $index, $service := service (printf "grpc.schedules-%s" (env "NOMAD_NAMESPACE"))}}{{.Address}}:{{.Port}} {{end}}
SERVICENAME_ADDRESS={{range $index, $service := service (printf "grpc.trips-%s" (env "NOMAD_NAMESPACE"))}}{{.Address}}:{{.Port}} {{end}}
{{ with secret "kv/dev/servicename" }}
JWT_PUBLIC_KEY={{ .Data.data.jwt_public_key }}
{{ end }}
EOH
      }

    ```

aram · June 20, 2022, 4:57pm

The error is most likely a permission denied from Vault. Looks like the role you created and are authnting to that is trying to create your nomad token is missing a vault policy or the policy is misconfigured (missing the path to the secret you’re asking for).

Most likely “kv/development/servicename/” or possibly “kv/data/development/servicename/” if you’re using a KV v2 engine.

Topic		Replies	Views
Problem getting vault secrets in a Nomad job Vault vault , nomad-release	18	6548	January 31, 2022
Integration problem with nomad and vault Nomad vault	1	886	August 25, 2020
Secrets from Vault (Missing: vault.read(secrets/xxxxx)) Nomad vault	2	37	November 25, 2024
Cannot fetch a consul kv into a nomad job Nomad consul	2	606	March 20, 2023
Nomad with Vault Workload Identity permission denied on 1 client Nomad	0	27	September 5, 2024

Missing: vault.read(kv/dev/servicename)

Related topics