Trying to set up credential brokering for Boundary using Vault cloud, but I keep getting the following error when trying to create the stores.
```
Error from controller when performing create on vault-type credential store
Error information:
Kind: Internal
Message: credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: unable to get vault capabilities:
unknown: error #0: Error making API request.
```
Anyone hit this before?
It looks like the Vault token you provided doesn’t have the necessary permissions. Did you give the token the permissions in the sample Vault Boundary Controller Policy in the docs?
Token is generated using the controller policy from the docs, but I think you're right that it's a permission issue with the token. Might be an additional permission missing that is required when using Vault Enterprise. Currently digging into the logs to see what's going on.
The VAULT_TOKEN environment variable could be causing a problem if it is set. Not sure if that is helpful but I thought I should mention it. Also, are you using Vault namespaces?
Louis here from the Boundary team; firstly, thank you for trying Boundary! Apart from the namespace question from @mgaffney, I have two quick follow-up questions re your issue:
Is that the full error message you are seeing? Looking at the code, the message should include some more detail at the end; there might be a bug that is truncating that.
The specific error you are getting happens when Boundary is trying to verify the Vault capabilities. Would it be possible for you to verify that you can reach this endpoint manually, and post the response here? /sys/capabilities-self (HTTP API | Vault by HashiCorp)
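One way to run the manual check asked for above, as an added example that is not code from this thread or from the Boundary project: it POSTs to /v1/sys/capabilities-self with the token given to Boundary, sends the X-Vault-Namespace header when VAULT_NAMESPACE is set (the usual cause of a 403 against a namespaced HCP Vault), and reports which paths lack the expected capability. The VAULT_ADDR/VAULT_TOKEN/VAULT_NAMESPACE variables and the REQUIRED path map are assumptions; take the real paths from the controller policy in the docs.

```python
import json
import os
import urllib.request

# Hypothetical placeholder mapping of path -> capability Boundary needs.
# Replace with the paths from the Boundary controller policy you applied.
REQUIRED = {
    "sys/capabilities-self": "update",
    "auth/token/lookup-self": "read",
}


def capabilities_request(addr, token, namespace=None, paths=REQUIRED):
    """Build the same call Boundary makes: POST /v1/sys/capabilities-self."""
    body = json.dumps({"paths": sorted(paths)}).encode()
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    if namespace:
        # Without this header a token minted inside a namespace is evaluated
        # against the root namespace, and Vault answers 403 permission denied.
        headers["X-Vault-Namespace"] = namespace
    url = addr.rstrip("/") + "/v1/sys/capabilities-self"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def missing_capabilities(response, required=REQUIRED):
    """Return {path: needed} for every path the response does not grant.

    Vault returns each path as a top-level key and again under "data";
    either location is accepted, and a "root" grant covers everything.
    """
    missing = {}
    for path, needed in required.items():
        granted = response.get(path, response.get("data", {}).get(path, []))
        if needed not in granted and "root" not in granted:
            missing[path] = needed
    return missing


def check(addr, token, namespace=None):
    """Perform the live request and return the paths still missing."""
    req = capabilities_request(addr, token, namespace)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 403
        return missing_capabilities(json.load(resp))


if __name__ == "__main__":
    print(check(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                os.environ.get("VAULT_NAMESPACE")))
```

An empty dict means the token grants everything in REQUIRED within that namespace; a 403 from the request itself means the token cannot even reach capabilities-self there.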
We are using Vault namespaces for each environment. The full error message from the controller is below; I will run the HTTP API request and see what the output response is.
```
Error from controller when performing create on vault-type credential store
Error information:
Kind: Internal
Message: credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: unable to get vault capabilities:
unknown: error #0: Error making API request.
URL: POST https://****/v1/sys/capabilities-self
Code: 403. Errors:
* 1 error occurred:
* permission denied
Status: 500
context: Error from controller when performing create on vault-type credential store
```
Having a similar issue. Trying to connect Boundary to HCP Vault.
I specified the admin namespace as a flag, but I get permission denied.
Manually I get a response that is not permission denied.
This looks like a permission error – does the Vault token you created for Boundary have policies associated with it that allow Boundary to read the secrets it needs to?
My goal is to use the credentials stored in Vault in order to hide them from the user and connect automatically to the instance, but I still have to pass them manually. The documentation has the analyst role able to connect to the postgres db without providing the credential.
Currently all credentials are passed directly back to users to be copied and pasted into sessions. This workflow is something we are investigating to improve in future Boundary offerings.
The auto-connect you are describing within the postgres command is actually a client-side helper that uses the returned creds and passes them through. The end user will still be able to see these credentials by calling the API directly or running boundary authorize-session -id ttcp_1234567890.
This functionality is not currently available for the ssh subcommand, as most default ssh clients do not allow the password to be provided as a flag. We could look at potentially using something like sshpass, but users will still be able to see these credentials if they want to.