Vault agent auth error vs success with CLI and API using cert auth

Using Vault 1.6.2 and 1.5.3, I am/was trying to use the Vault agent auto-auth with the cert auth method.

I can successfully log in and get tokens with the CLI, and with the API using curl, as seen here:

sudo -u vault -E /usr/local/bin/vault login -method=cert -path=cert/certs/test0/ -client-cert=/etc/pki/tls/certs/machine.pem -client-key=/etc/pki/tls/certs/machine.key name=p5520
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                         Value
---                         -----
token s.6qIIi9T7gvoOmLyVW7123456
token_accessor REhHEhJv89F3OYizwqr12345
token_duration 768h
token_renewable true
token_policies              ["test"]
identity_policies           []
policies                    ["test"]
token_meta_common_name p5520-ada.domain.us
token_meta_serial_number 345185377614830858
token_meta_subject_key_id 51:77:01:60:d8:22:a9:01:1e:79:05:68:f2:77:02:9b:3b:31:e3:00
token_meta_authority_key_id 06:d9:9f:85:c0:07:11:04:f2:72:49:45:20:22:25:35:9e:45:1a:3c
token_meta_cert_name p5520

and here:

sudo -u vault curl \
    --request POST \
    --cert "/etc/pki/tls/certs/machine.pem" \
    --key "/etc/pki/tls/certs/machine.key" \
    --data '{"name": "p5520"}' \
    https://active.vault.service.consul.domain.us:8200/v1/auth/cert/certs/test0/login

{
  "request_id": "0cb89ae4-f353-f548-fef6-836f5d06d02d",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": null,
  "auth": {
    "client_token": "s.IQHi4lE3OrG8A0vlskVuQG3L",
    "accessor": "9fxoyhm3yPl0dq7PQhCEjSTz",
    "policies": ["test"],
    "token_policies": ["test"],
    "metadata": {
      "authority_key_id": "06:d9:9f:85:c0:07:11:04:f2:72:49:74:20:22:25:35:9e:99:1a:3c",
      "cert_name": "p5520",
      "common_name": "p5520-ada.domain.us",
      "serial_number": "345185377614830858",
      "subject_key_id": "51:77:01:60:d8:22:a9:01:1e:79:05:68:f2:77:02:9b:3b:31:e3:00"
    },
    "lease_duration": 2764800,
    "renewable": true,
    "entity_id": "5fcb2a3e-f22e-ceaa-d31b-9d387529d657",
    "token_type": "service",
    "orphan": true
  }
}

It is not working with the agent, as seen here:

sudo -u vault /usr/local/bin/vault agent -config=/etc/vault.d/vault.hcl
==> Vault agent started! Log data will stream in below:

==> Vault agent configuration:

       Api Address 1: http://127.0.0.1:8200
                 Cgo: disabled
           Log Level: info
             Version: Vault v1.6.2
         Version Sha: be65a227ef2e80f8588b3b13584b5c0d9238c1d7

2021-02-02T13:59:23.485-0700 [INFO] sink.file: creating file sink
2021-02-02T13:59:23.486-0700 [INFO] sink.file: file sink configured: path=/var/vault/token mode=-rw-r-----
2021-02-02T13:59:23.486-0700 [INFO] template.server: starting template server
2021-02-02T13:59:23.486-0700 [INFO] template.server: no templates found
2021-02-02T13:59:23.486-0700 [INFO] auth.handler: starting auth handler
2021-02-02T13:59:23.486-0700 [INFO] auth.handler: authenticating
2021-02-02T13:59:23.486-0700 [INFO] sink.server: starting sink server
2021-02-02T13:59:23.576-0700 [ERROR] auth.handler: error authenticating: error="Error making API request.

URL: PUT https://active.vault.service.consul.domain.us:8200/v1/cert/certs/test0/login
Code: 403. Errors:

  • 1 error occurred:
  • permission denied

" backoff=1.990850627

The config for the agent:

vault {
  tls_disable = false
  client_key  = "/etc/pki/tls/certs/machine.key"
  client_cert = "/etc/pki/tls/certs/machine.pem"
  ca_cert     = "/etc/pki/ca-trust/source/anchors/CA.pem"
  address     = "https://active.vault.service.consul.domain.us:8200"
}

pid_file         = "/var/vault/.pidfile"
exit_after_auth  = false

auto_auth {
  method "cert" {
    name       = "p5520"
    mount_path = "cert/certs/test0"
  }

  sink "file" {
    config = {
      path = "/var/vault/token"
    }
  }
}

Is there something missing from the agent config that would be causing this difference?
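Added example, not part of the original post: a small Python pre-flight check that derives the login URL the agent will call from the auto_auth stanza and flags the one difference visible in the post, namely that the agent log shows PUT .../v1/cert/certs/test0/login while the working curl call hit .../v1/auth/cert/certs/test0/login, because the agent's mount_path (default auth/cert) is taken relative to /v1/ and so needs the auth/ prefix. The embedded config text, the minimal regex parser and the function names are constructed for this example and are not Vault's own code.

```python
import re

# Constructed copy of the post's auto_auth stanza (straight quotes), used as sample input.
AGENT_ADDRESS = "https://active.vault.service.consul.domain.us:8200"
AGENT_CONFIG = '''
auto_auth {
  method "cert" {
    name       = "p5520"
    mount_path = "cert/certs/test0"
  }
}
'''

# Login URL that the working curl call in the post used.
WORKING_LOGIN_URL = AGENT_ADDRESS + "/v1/auth/cert/certs/test0/login"


def parse_method(config: str) -> dict:
    """Extract type, name and mount_path from the auto_auth method block (minimal parser, not HCL-complete)."""
    m = re.search(r'method\s+"(?P<type>[^"]+)"\s*\{(?P<body>.*?)\}', config, re.S)
    if not m:
        raise ValueError("no auto_auth method block found")
    fields = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group("body")))
    # Vault agent defaults mount_path to auth/<type> when it is omitted.
    fields.setdefault("mount_path", "auth/" + m.group("type"))
    fields["type"] = m.group("type")
    return fields


def agent_login_url(address: str, mount_path: str) -> str:
    """URL the agent will PUT to: <address>/v1/<mount_path>/login, as the agent log in the post shows."""
    return f"{address.rstrip('/')}/v1/{mount_path.strip('/')}/login"


def check_mount_path(config: str, address: str = AGENT_ADDRESS) -> list:
    """Return a list of findings; an empty list means the stanza resolves to an auth/ login path."""
    fields = parse_method(config)
    mp = fields["mount_path"].strip("/")
    findings = []
    if not mp.startswith("auth/"):
        findings.append(
            f'mount_path "{fields["mount_path"]}" lacks the auth/ prefix: the agent would call '
            f"{agent_login_url(address, mp)} rather than {agent_login_url(address, 'auth/' + mp)}"
        )
    return findings


if __name__ == "__main__":
    for finding in check_mount_path(AGENT_CONFIG) or ["auto_auth mount_path looks consistent"]:
        print(finding)
```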