Hi,
I have a vault container that unseals itself and performs the following operations:
Steps performed:
- Enabled AppRole
- Created policy with required permissions.
- Created role
- Updated role-id, used this URL: auth/approle/role//role-id role_id=
- Generated a custom secret id for the role generated in step 4, used this URL: auth/approle/role//custom-secret-id
I have services that use the role-id and secret-id generated by the vault container to log in to the vault server.
For login, the API used is: /v1/auth/approle/login
Login generates a token with a TTL of 7 days; this token is used for further operations like encryption, decryption, etc. (using the transit path).
Services have a timer that renews this login token (the token generated at login) every 24 hours. For token renewal, the API used is: /v1/auth/token/renew-self
Normally self token renewal works fine: every 24 hours the services are able to renew their token and all other operations work fine, but suddenly I started to face issues after token renewal.
I faced two issues:
Issue 1: For 4 services token renewal was successful, but after token renewal the token stopped working (maybe it became invalid, not sure) and I started to get "permission denied" from the vault server for all operations like encrypt, decrypt, token lookup, etc.
Issue 2: For 1 service token renewal itself failed and I got this error: "lease expired".
A lease expires in these scenarios: 1) the token is not renewable, 2) the token has already been revoked, 3) the token has already reached its maximum TTL.
But none of these scenarios was true for my service token. 24 hours earlier the token was renewed successfully and all operations (encryption/decryption) were passing.
My services had been up and running for almost 30 days without any problem and token renewal was happening successfully every day, and then suddenly I started to see this problem. Please help me with your suggestions.
I am using vault:1.2.2
token lookup output:
{
  "request_id": "e0f7b371-8404-076f-35b6-6d3f6bd632e4",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "accessor": "",
    "creation_time": 1594226358,
    "creation_ttl": 604800,
    "display_name": "approle",
    "entity_id": "86492651-3794-6f1b-b045-7c66390379e6",
    "expire_time": "2020-08-07T16:39:18.104648864Z",
    "explicit_max_ttl": 0,
    "id": "***",
    "issue_time": "2020-07-08T16:39:18.819083678Z",
    "last_renewal": "2020-07-08T17:56:18.104649004Z",
    "last_renewal_time": 1594230978,
    "meta": {
      "role_name": "apprwrole"
    },
    "num_uses": 0,
    "orphan": true,
    "path": "auth/approle/login",
    "policies": [
      "app-rw-auth",
      "default"
    ],
    "renewable": true,
    "ttl": 2587347,
    "type": "service"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
Thanks
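As an added example (written for this page, not code from the original post or from Vault), a small diagnostic that reads the lookup output above and checks whether the last renewal was truncated by a max TTL counted from issue_time, which is the usual way a token that renewed fine for weeks suddenly stops renewing. The 720h mount max TTL and the 30-day renewal increment passed to it are assumptions, not values from the post.

```python
import json
from datetime import datetime, timedelta, timezone

# Token lookup output copied from the post above (constructed, trimmed to the
# fields this diagnostic needs; id and accessor are redacted in the original).
LOOKUP = json.loads("""{"data": {
  "creation_ttl": 604800, "explicit_max_ttl": 0, "renewable": true,
  "issue_time": "2020-07-08T16:39:18.819083678Z",
  "last_renewal": "2020-07-08T17:56:18.104649004Z",
  "expire_time": "2020-08-07T16:39:18.104648864Z"}}""")

def parse_ts(s):
    """Parse Vault's RFC3339 timestamp (nanosecond fraction) to an aware datetime."""
    main, _, frac = s.rstrip("Z").partition(".")
    micros = int(frac[:6].ljust(6, "0")) if frac else 0
    return datetime.fromisoformat(main).replace(tzinfo=timezone.utc) + timedelta(microseconds=micros)

def hard_deadline(lookup, mount_max_ttl):
    """Latest instant any renewal can push expire_time to: issue_time plus the
    max TTL in force (explicit_max_ttl if set, else the mount/system max)."""
    d = lookup["data"]
    cap = d["explicit_max_ttl"] or mount_max_ttl
    return parse_ts(d["issue_time"]) + timedelta(seconds=cap)

def renewal_was_capped(lookup, increment):
    """True if the last renewal granted less than the requested increment,
    which is what a max-TTL truncation looks like in lookup output."""
    d = lookup["data"]
    granted_until = parse_ts(d["expire_time"])
    requested_until = parse_ts(d["last_renewal"]) + timedelta(seconds=increment)
    return granted_until < requested_until - timedelta(seconds=1)

def implied_max_ttl(lookup):
    """If the renewal was capped, expire_time - issue_time is the max TTL in force."""
    d = lookup["data"]
    return round((parse_ts(d["expire_time"]) - parse_ts(d["issue_time"])).total_seconds())

def renewals_remaining(lookup, mount_max_ttl, period=86400):
    """How many more renewals on a fixed timer will succeed before the hard deadline."""
    left = hard_deadline(lookup, mount_max_ttl) - parse_ts(lookup["data"]["last_renewal"])
    return max(0, int(left.total_seconds() // period))

if __name__ == "__main__":
    MAX_TTL = 30 * 86400  # assumed mount max TTL (720h); not stated in the post
    print("capped by max TTL:", renewal_was_capped(LOOKUP, MAX_TTL))
    print("hard deadline:", hard_deadline(LOOKUP, MAX_TTL).isoformat())
    print("daily renewals left:", renewals_remaining(LOOKUP, MAX_TTL))
```

Running it against the posted values shows the hard deadline landing on 2020-08-07, 29 daily renewals after the last one shown, which is the point where a 24-hour timer would start seeing renew-self fail and the token stop working.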