Token unable to lookup / renew self even with default policy attached

Hi there

Testing Vault here, version v1.5.3. I have an approle. I generate a “TEST” token. The default policy (the vault default one, untweaked) is attached. But I can’t seem to lookup-self or renew-self.

The approle

root@i-0ea3899fb8d4801ce:~# vault read auth/approle/role/haproxy
Key                        Value
---                        -----
bind_secret_id             false
local_secret_ids           false
secret_id_bound_cidrs      <nil>
secret_id_num_uses         40
secret_id_ttl              10m
token_bound_cidrs          [172.16.0.0/12]
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             10
token_period               1m
token_policies             [certificates_r]
token_ttl                  20m
token_type                 default

Irrelevant imho, but the certificates_r policy

root@i-0ea3899fb8d4801ce:~# vault policy read certificates_r
path "kv/certificates/*" {
  capabilities = ["read","list"]
}

The default policy is untouched, here’s the token/*-self bit

root@i-0ea3899fb8d4801ce:~# vault policy read default
# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
    capabilities = ["read"]
}

# Allow tokens to renew themselves
path "auth/token/renew-self" {
    capabilities = ["update"]
}
...

Creating the “TEST” token, everything seems fine

root@i-0ea3899fb8d4801ce:~# export TEST=$(curl -s --request POST --data '{"role_id":"e5fc738e-1d1f-5987-b4a4-eec845bd2d26"}' http://vault.service.development.wazo:8200/v1/auth/approle/login | jq -r ".auth.client_token")

root@i-0ea3899fb8d4801ce:~# echo $TEST
s.zSWg28jux6ijL8aj3s47JCVv

root@i-0ea3899fb8d4801ce:~# vault token lookup $TEST
Key                 Value
---                 -----
accessor            mI4zxUZPyEeJRUbnL7hsz30a
bound_cidrs         [172.16.0.0/12]
creation_time       1599731362
creation_ttl        1m
display_name        approle
entity_id           d78ae33e-3ab3-2e28-89ea-d803e4e1f59e
expire_time         2020-09-10T09:50:22.771351672Z
explicit_max_ttl    0s
id                  s.zSWg28jux6ijL8aj3s47JCVv
issue_time          2020-09-10T09:49:22.77140828Z
meta                map[role_name:haproxy]
num_uses            10
orphan              true
path                auth/approle/login
policies            [certificates_r default]
renewable           true
ttl                 47s
type                service

But no lookup or renew allowed

root@i-0ea3899fb8d4801ce:~# VAULT_TOKEN=$TEST vault token lookup $TEST
Error looking up token: Error making API request.

URL: POST http://localhost:8200/v1/auth/token/lookup
Code: 403. Errors:

* permission denied

root@i-0ea3899fb8d4801ce:~# VAULT_TOKEN=$TEST vault token renew
Error renewing token: Error making API request.

URL: PUT http://localhost:8200/v1/auth/token/renew-self
Code: 403. Errors:

* permission denied

I’m at a loss, what am I missing? I read the doc again, and I’m not doing anything other than the tutorial here. I tried every combination of vault login, curl and so on, and I just can’t do anything with the approle’s token.

Thanks for helping 🙂

I have been playing with this functionality this week, and found some unexpected behaviour working with bound_cidrs. Are you able to do a quick test to see if it works without the bound_cidrs range?

I found in my HA vault setup, I needed to include the IPs of all the vault hosts for this to work.

Hell, that was the mask. Added 127.0.0.1/32, works like a charm… thanks!
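To make the fix above concrete, here is a small simulation of the two checks Vault applies when a token is used: the token_bound_cidrs check against the client's source IP, then the policy capability check for the requested path. This is an added example written for this thread, not Vault's own code; the token records are constructed to mirror the TEST token before and after 127.0.0.1/32 was added, and the policy matching is simplified (no deny rules, no longest-prefix selection).

```python
"""Model of why the approle token in this thread gets 403 from localhost.

Added example, not Vault's code: a simplified simulation of two checks Vault
applies when a token is used, the token_bound_cidrs check against the
client's source IP, then the policy capability check for the path.
"""
import ipaddress

# Rules copied from the policies shown in the thread (path -> capabilities).
POLICIES = {
    "default": {
        "auth/token/lookup-self": {"read"},
        "auth/token/renew-self": {"update"},
    },
    "certificates_r": {"kv/certificates/*": {"read", "list"}},
}
# HTTP method -> capability, for the methods that appear in the thread.
METHOD_CAPABILITY = {"GET": "read", "POST": "update", "PUT": "update"}

# Constructed token records mirroring the thread's TEST token before and
# after the fix in the last reply (127.0.0.1/32 added to the bound CIDRs).
TEST_TOKEN = {"bound_cidrs": ["172.16.0.0/12"],
              "policies": ["certificates_r", "default"]}
FIXED_TOKEN = {"bound_cidrs": ["172.16.0.0/12", "127.0.0.1/32"],
               "policies": ["certificates_r", "default"]}

def path_matches(rule, path):
    """Vault glob rule: a trailing '*' matches any suffix, else exact match."""
    return path.startswith(rule[:-1]) if rule.endswith("*") else rule == path

def source_in_bound_cidrs(client_ip, bound_cidrs):
    """No bound CIDRs means any source; otherwise the client address must
    fall inside at least one of the listed networks."""
    if not bound_cidrs:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in bound_cidrs)

def authorize(token, client_ip, method, path):
    """Return 'ok', or the reason a request with this token gets a 403."""
    # The CIDR check comes first, so a CLI talking to localhost fails here
    # even though the default policy would allow renew-self.
    if not source_in_bound_cidrs(client_ip, token["bound_cidrs"]):
        return "403: source %s outside token_bound_cidrs" % client_ip
    needed = METHOD_CAPABILITY[method]
    for policy in token["policies"]:
        for rule, caps in POLICIES.get(policy, {}).items():
            if path_matches(rule, path) and needed in caps:
                return "ok"
    return "403: no policy grants %s on %s" % (needed, path)
```

Note that `vault token lookup $TEST` with an explicit token argument calls `auth/token/lookup`, as the URL in the error output shows, and the default policy only grants `lookup-self`; that request stays denied even from an in-range address.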