Vault Credential Setup

ghardak · July 22, 2021, 2:21pm

Trying to setup credential brokering for boundary using vault cloud, but keep getting the following error when trying to create the stores.

Error from controller when performing create on vault-type credential store

Error information:
  Kind:                Internal
  Message:             credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: unable to get vault capabilities:
  unknown: error #0: Error making API request.```

anyone hit this before?

mgaffney · July 22, 2021, 6:08pm

It looks like the Vault token you provided doesn’t have the necessary permissions. Did you give the token the permissions in the sample Vault Boundary Controller Policy in the docs?

ghardak · July 23, 2021, 12:54pm

Hi @mgaffney

Token is generated using the controller policy from the docs, but i think your right that its a permission issue with the token. Might be an additional permission missing that is required when using vault enterprise. Currently digging into the logs to see whats going on.

mgaffney · July 23, 2021, 1:21pm

Hi @ghardak

The VAULT_TOKEN environment variable could be causing a problem if it is set. Not sure if that is helpful but I thought I should mention it. Also, are you using Vault namespaces?

louisruch · July 23, 2021, 1:42pm

Hey @ghardak

Louis here from the Boundary team, firstly thank you for trying Boundary! Apart from the namespace question from @mgaffney I have two quick follow up questions re your issue:

Is that the full error message you are seeing? Looking at the code, the message should be including some more detail at the end - there might be a bug that is truncating that.
The specific error you are getting happens when Boundary is trying to verify the Vault capabilities, would it be possible for you to verify being able to reach this endpoint manually, and post the response here? /sys/capabilities-self - HTTP API | Vault by HashiCorp

ghardak · July 23, 2021, 3:06pm

Hi @louisruch,

We are using a Vault Namespaces for each environment, full error message from the controller is below, will run the http api request and see what the output response is.

Error from controller when performing create on vault-type credential store

Error information:
  Kind:                Internal
  Message:             credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: unable to get vault capabilities:
  unknown: error #0: Error making API request.

  URL: POST https://****/v1/sys/capabilities-self
  Code: 403. Errors:

  * 1 error occurred:
  * permission denied


  Status:              500
  context:             Error from controller when performing create on vault-type credential store```

louisruch · July 23, 2021, 4:26pm

Hey @ghardak

The 403 seems to indicate @mgaffney was on the correct track. It would be interesting to see the results from manually attempting this.