Unable to update existing approle

Vault
1

Hi,
I am trying to update an existing AppRole which is access restricted using secret_id_bound_cidrs. Basically I am trying to update secret_id_bound_cidrs to include a new CIDR block. But when I use

vault write /auth/approle/role/my-role secret_id_bound_cidrs="cidr1","cidr2"

I am getting the error

Code: 500. Errors:

* 1 error occurred:
	* role_id already in use

How to fix this ?
Vault version is 1.3.0

2

The syntax of your command looks fine to me.

Also, it works fine for me:

$ vault write auth/approle/role/my-role secret_id_bound_cidrs=10.0.0.0/8
Success! Data written to: auth/approle/role/my-role
$ vault write auth/approle/role/my-role secret_id_bound_cidrs=10.0.0.0/8,192.168.0.0/24
Success! Data written to: auth/approle/role/my-role

But…

that is an exceptionally old Vault version. It is very possible that this is affected by a bug which was fixed in later versions.

EDIT: Although, downloading Vault 1.3.0 and running a quick test using a -dev server works too, at least with my basic test above. There must be some other subtlety about your setup that is not reflected in your question.

3

Having taken a quick look at the code in Git, I cannot see any way that error could occur when you are not changing the role_id of the role… unless, possibly some internal data in Vault is corrupt through some kind of bug.

I wonder, might this approle name contain uppercase letters and have been initially created using an even older version of Vault?

It might potentially be worth trying to change this role’s role_id to something else, and back to the original value. (Of course, be wary of issues if any production systems need logins using this role to continue to work.)

Alternatively, you could delete the role and recreate it.

4

Data being corrupt is a possibility. We have multiple approles defined in the vault server.
But for only one specific role alone, we are facing this issue. That role name is alphanumeric in lower case. Other roles are updating with the same command

5

That sounds like strong confirmation that something has gone wrong with internal data stored in Vault.

You will likely need to proceed with one of: