Templated ACL policy, randomly returns permission denied

dchepishev · August 31, 2023, 7:50am

Hello,

I am using 3 x Vault v1.14.2 instances in cluster with raft storage.
The cluster is updated regularly and all seemed to work OK, until I faced the following problem:

I have this very simple ACL:

path “secrets_mount/data/level2_test/{{identity.entity.aliases.auth_approle_xxxxxxxx.metadata.server}}” {
capabilities = [“create”, “update”]
}

path “secrets_mount/metadata/level2_test/{{identity.entity.aliases.auth_approle_xxxxxxxx.metadata.server}}” {
capabilities = [“read”]
}

Due to some reason, the above ACL do not always work
If I start a cycle and start iterating multiple times to get the metadata (the second ACL), very soon at some point I start getting ‘Permission Denied’, for no obvious reason and before the token is expired.

If I replace the second ACL with wildcard, like this:

path “secrets_mount/metadata/level2_test/*” {
capabilities = [“read”]
}

All is good, I can always read the metadata.

The same behavior I get for the first ACL, when I try to update the vault object. It just do not work sometimes.
Since there are around 200 app using this store, some of them are getting permission denied immediately, i.e., the authenticate and on the first try to update their allowed path they get permission denied…

If they try second time to authenticate and try to write, it works in most of the cases.

Unfortunatelly I can not put a wildcard for the first ACL, and preferrably do not want to create separate ACL for each app/machine connecting to the vault, this was the reason to use templating.

I tried to reproduce the same behavior on test instance inmemory and with raft backend, but was unable to reproduce it elsewhere.

Does anyone have any suggestions how can I fix this?

Thank you.

maxb · August 31, 2023, 8:03am

You have not explained how this “server” metadata is being set.

I’m pretty sure the problem lies in that.

dchepishev · August 31, 2023, 8:10am

I do not set metadata manually anywhere.
This is ACL for password rotation.

The servers regularly rotate passwords and save them in the vault.
The metadata read is needed so they can compare the date of the last change and make a decision if rotation is necessary or not. So metadata is set by the vault itself, the apps are only reading it, and more precisely the time of modification/creation

dchepishev · August 31, 2023, 8:14am

If you mean this metadata:

auth_approle_xxxxxxxx.metadata.server

It is attached to the secret_id, and looks like this:

{
  "metadata": "{\"server\": \"aaa.bbb.ccc\", \"type\": \"server_type\", \"path\": \"secret_mount/data/level2_test/aaa.bbb.ccc\" }"
}

maxb · August 31, 2023, 8:35am

This is indeed the problem. The design of Vault’s metadata system does not support this usage pattern. Each time a different Secret ID is used to authenticate, it overwrites the metadata on the Identity, which is one-per-Role ID.

You are not the first person to run into this issue.

You will need to provide each server with an entirely separate AppRole, rather than Secret IDs within a role.

dchepishev · August 31, 2023, 10:38am

Hello,
You are correct, creating separate role and secretid for each instance of the app fixed the issue.
Thank you.

Topic		Replies	Views
ACL Policy - permission denied Vault	3	1271	November 9, 2021
Templated Policies for K8s Vault k8s , vault	1	275	May 17, 2022
Sys/internal/ui/mounts deny question Vault acl , vault	3	19	November 12, 2024
`vault list sys/policy` works but `vault policy list` returns permission denied Vault	3	1038	August 6, 2021
Kubernetes auth method getting permission denied Vault vault	3	349	January 17, 2023

Templated ACL policy, randomly returns permission denied

Related topics