Vault Credential Setup

Boundary
#1

Trying to setup credential brokering for boundary using vault cloud, but keep getting the following error when trying to create the stores.

Error from controller when performing create on vault-type credential store

Error information:
  Kind:                Internal
  Message:             credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: unable to get vault capabilities:
  unknown: error #0: Error making API request.```

anyone hit this before?
#2

It looks like the Vault token you provided doesn’t have the necessary permissions. Did you give the token the permissions in the sample Vault Boundary Controller Policy in the docs?

#3

Hi @mgaffney

Token is generated using the controller policy from the docs, but i think your right that its a permission issue with the token. Might be an additional permission missing that is required when using vault enterprise. Currently digging into the logs to see whats going on.

#4

Hi @ghardak

The VAULT_TOKEN environment variable could be causing a problem if it is set. Not sure if that is helpful but I thought I should mention it. Also, are you using Vault namespaces?

#5

Hey @ghardak

Louis here from the Boundary team, firstly thank you for trying Boundary! Apart from the namespace question from @mgaffney I have two quick follow up questions re your issue:

  1. Is that the full error message you are seeing? Looking at the code, the message should be including some more detail at the end - there might be a bug that is truncating that.
  2. The specific error you are getting happens when Boundary is trying to verify the Vault capabilities, would it be possible for you to verify being able to reach this endpoint manually, and post the response here? /sys/capabilities-self - HTTP API | Vault by HashiCorp
#6

Hi @louisruch,

We are using a Vault Namespaces for each environment, full error message from the controller is below, will run the http api request and see what the output response is.

Error from controller when performing create on vault-type credential store

Error information:
  Kind:                Internal
  Message:             credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: unable to get vault capabilities:
  unknown: error #0: Error making API request.

  URL: POST https://****/v1/sys/capabilities-self
  Code: 403. Errors:

  * 1 error occurred:
  * permission denied


  Status:              500
  context:             Error from controller when performing create on vault-type credential store```
#7

Hey @ghardak

The 403 seems to indicate @mgaffney was on the correct track. It would be interesting to see the results from manually attempting this.

#8

Having similar issue. Trying to connect boundary to HCP vault.
Specified admin namespace as a flag but I get permission denied.
Manually I get a response that is not permission denied.

#9

Which build are you on @Lev1? This was an issue that got fixed in the 0.7 release.

Cheers,
Grant