Vault Agent Template: Get PKI CRL

Hi,

What’s the correct way to get the PKI CRL with an agent template?

Currently, I am using:
{{ with secret "pki-root/cert/crl" }}{{ .Data.certificate }}{{ end }}

This works, but I get the following message in the logs:

vault.read(pki-root/cert/crl): failed to check if pki-root/cert/crl is KVv2, assume not: Error making API request.

URL: GET https://active.vault.service.consul:8200/v1/sys/internal/ui/mounts/pki-root/cert/crl
Code: 403. Errors:

* preflight capability check returned 403, please ensure client’s policies grant access to path “pki-root/cert/crl/”

This is a PKI, not a secrets store.

Must I grant access to “ki-xyz/cert/crl/” to suppress this message, or is there a better way to get the CRL?

Regards,
Thomas

Ah, right. I see what’s going on here, but only by putting together a few obscure facts about Vault that are not well documented.

The “preflight capability check” basically means making a request to sys/internal/ui/mounts/<path you are about to access> to find out what kind of mount it is. The reason software does this is to find out if it’s about to access a KV v2 secrets engine, in which case inserting an extra /data/ path segment into the URL is necessary to map between the “conceptual” path as a UI user thinks of it and the URL path.

Normally, the sys/internal/ui/mounts/:path endpoint doesn’t require any special permissions, as it has built-in special logic that allows it to return data if the user has any permissions at all within the mount being queried.

But in this case, <pki engine>/cert/crl is an anonymously accessible endpoint, so your identity can read it, without having any permissions at all.

In this case, the workaround is to grant permissions to absolutely any path within the relevant mount. Even this policy would actually work:

path "pki-root/a-nonexistent-path-so-that-sys-internal-ui-mounts-will-return-info-about-this-mount" {
  capabilities = ["list"]
}
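To make the mechanism in the answer above concrete, here is an added example (not consul-template's or Vault's own code) that models the preflight check end to end: the `sys/internal/ui/mounts/<path>` lookup, the KV v2 path rewrite that the lookup exists to support, the "403, assume not KVv2" fallback that produces the logged warning, and the effect of the workaround policy. The mount table, the policy-matching rule and the HTTP responses are all constructed stand-ins, and `has_mount_access` is a deliberately simplified model of Vault's check (any policy rule under the mount counts); names such as `resolve`, `make_lookup` and `WORKAROUND_RULE` are this example's own.

```python
"""Model of the consul-template / Vault Agent preflight check described above.

Added example, not code from consul-template or Vault.  Everything here runs
offline against constructed data that mimics the shape of the real API.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed mount table: what the Vault server would know about its mounts.
CONSTRUCTED_MOUNTS: Dict[str, dict] = {
    "secret/":   {"type": "kv",  "options": {"version": "2"}},
    "kv1/":      {"type": "kv",  "options": {"version": "1"}},
    "pki-root/": {"type": "pki", "options": None},
}

# The policy rule from the answer: any path under the mount is enough.
WORKAROUND_RULE = (
    "pki-root/a-nonexistent-path-so-that-sys-internal-ui-mounts-"
    "will-return-info-about-this-mount"
)

Lookup = Callable[[str], Tuple[int, dict]]  # path -> (HTTP status, JSON body)


def mount_for(path: str) -> Optional[str]:
    """Return the mount prefix that owns *path*, or None if nothing matches."""
    for mount in CONSTRUCTED_MOUNTS:
        if path.startswith(mount):
            return mount
    return None


def has_mount_access(policy_paths: List[str], mount: str) -> bool:
    """Simplified model of Vault's rule for sys/internal/ui/mounts: the caller
    gets mount info if any policy rule points under that mount (or a glob rule
    covers it).  Anonymously readable endpoints such as pki/cert/crl do not
    count, because they need no policy rule at all."""
    for rule in policy_paths:
        if rule.startswith(mount):
            return True
        if rule.endswith("*") and mount.startswith(rule[:-1]):
            return True
    return False


def make_lookup(policy_paths: List[str]) -> Lookup:
    """Build a constructed GET sys/internal/ui/mounts/<path> responder for a
    client holding the given policy rules."""
    def lookup(path: str) -> Tuple[int, dict]:
        mount = mount_for(path)
        if mount is None:
            return 404, {"errors": []}
        if not has_mount_access(policy_paths, mount):
            msg = ("preflight capability check returned 403, please ensure "
                   f"client's policies grant access to path \"{path}/\"")
            return 403, {"errors": [msg]}
        info = dict(CONSTRUCTED_MOUNTS[mount])
        info["path"] = mount
        return 200, {"data": info}
    return lookup


def is_kv_v2(path: str, lookup: Lookup) -> Tuple[bool, Optional[str], Optional[str]]:
    """Return (is_kv_v2, mount_path, warning).  A 403 on the preflight is
    treated as 'not KV v2' and produces the warning seen in the question."""
    status, body = lookup(path)
    if status == 403:
        warning = (f"vault.read({path}): failed to check if {path} is KVv2, "
                   f"assume not: {'; '.join(body.get('errors', []))}")
        return False, None, warning
    if status != 200:
        return False, None, None
    data = body.get("data", {})
    version = str((data.get("options") or {}).get("version", "1"))
    return data.get("type") == "kv" and version == "2", data.get("path"), None


def resolve(path: str, policy_paths: List[str]) -> Tuple[str, Optional[str]]:
    """Map a template's 'conceptual' path to the URL path that would be read.
    KV v2 gets /data/ inserted after the mount; everything else is unchanged."""
    kv2, mount, warning = is_kv_v2(path, make_lookup(policy_paths))
    if not kv2 or mount is None:
        return path, warning
    rest = path[len(mount):]
    if rest.startswith(("data/", "metadata/")):   # already an API-style path
        return path, warning
    return f"{mount}data/{rest}", warning


if __name__ == "__main__":
    for p, rules in [("secret/myapp/config", ["secret/myapp/*"]),
                     ("pki-root/cert/crl", []),
                     ("pki-root/cert/crl", [WORKAROUND_RULE])]:
        url, warn = resolve(p, rules)
        print(f"{p!r} with {rules} -> {url!r}" + (f"\n  WARN {warn}" if warn else ""))
```

Running the block shows the three situations from the thread: a KV v2 secret is rewritten to `secret/data/...`, the CRL read with no policy still resolves to the right path but logs the "assume not" warning, and the same read with the workaround rule in the policy is silent.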

Is there a way to get better handling?
Add an additional option like:
{{ with secret "pki-root/cert/crl" kv_version="1" }}{{ .Data.certificate }}{{ end }}

The templating system doesn’t provide any option like that: consul-template/templating-language.md at main · hashicorp/consul-template · GitHub

You could open a GitHub issue at GitHub - hashicorp/consul-template: Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data. to take that up with the project involved, but right now just adding a policy to Vault is going to be the viable workaround.