Hi community,
I set up Vault to save some of my secrets on my IoT device. I use the filesystem as the storage backend.
I bring Vault up with systemd. Every time the device starts, the Vault server is running. I also wrote a bash script to automate operations. With this script I unseal Vault, enable the secrets engine (KV v1) and get Vault ready. I also added this script to systemd to run after the Vault service. My structures are as follows:
/etc/systemd/system/multi-user.target/vault.service :
[Unit]
Description=vault server
[Service]
Restart=on-failure
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
# step-down is an authenticated API call (it needs a client token) and only
# matters for HA deployments; the default SIGTERM on stop is enough for a single node.
ExecStop=/usr/bin/vault operator step-down
[Install]
WantedBy=multi-user.target
/etc/systemd/system/multi-user.target/vault-seal-manager.service :
[Unit]
Description=Vault Initialization and Seal Manager
# After= only orders start-up behind vault.service; it neither waits for the
# server to be listening nor pulls vault.service in (Requires=/Wants= would).
After=vault.service
[Service]
User=root
# A service does not get a login shell's profile, so anything exported there
# (for example VAULT_TOKEN) is not visible to the script.
ExecStart=/usr/local/bin/vault_seal_manager.sh
[Install]
WantedBy=multi-user.target
When I run my script from the command line, I have no problems, but when I run it as a service (systemctl start vault-seal-manager.service), I get an error on the line where I enable the KV secrets engine. The error is as follows:
...
Code: 400. Errors:
* missing client token
I couldn't understand why. When I run the script from the command line I do not receive this error, so why do I get it when I run it as a service? How can I fix this error?
Thanks.
In addition, I use this command to enable the KV secrets engine in my bash script:
vault secrets enable -version=1 kv
And then I get this error:
● vault-seal-manager.service - Vault Initialization and Seal Manager
Loaded: loaded (/lib/systemd/system/vault-seal-manager.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Mon 2020-02-17 14:47:27 UTC; 131ms ago
Process: 1966 ExecStart=/usr/bin/vault_seal_manager.sh (code=exited, status=0/SUCCESS)
Main PID: 1966 (code=exited, status=0/SUCCESS)
Feb 17 14:47:09 imx6ul-var-dart systemd[1]: Started Vault Initialization and Seal Manager.
Feb 17 14:47:16 imx6ul-var-dart vault_seal_manager.sh[1966]: VaultSealManager-[14:47:16 02/17/20]-[INFO]: Got unseal keys successfull...
Feb 17 14:47:16 imx6ul-var-dart vault_seal_manager.sh[1966]: VaultSealManager-[14:47:16 02/17/20]-[INFO]: Attempting to unseal local Vault instance with acquired unseal keys...
Feb 17 14:47:22 imx6ul-var-dart vault_seal_manager.sh[1966]: VaultSealManager-[14:47:22 02/17/20]-[INFO]: Checking local seal status...
Feb 17 14:47:26 imx6ul-var-dart vault_seal_manager.sh[1966]: VaultSealManager-[14:47:26 02/17/20]-[INFO]: Local Vault instance is now unsealed!
Feb 17 14:47:27 imx6ul-var-dart vault_seal_manager.sh[1966]: Error enabling: Error making API request.
Feb 17 14:47:27 imx6ul-var-dart vault_seal_manager.sh[1966]: URL: POST https://127.0.0.1:8200/v1/sys/mounts/kv
Feb 17 14:47:27 imx6ul-var-dart vault_seal_manager.sh[1966]: Code: 400. Errors:
Feb 17 14:47:27 imx6ul-var-dart vault_seal_manager.sh[1966]: * missing client token
Hi @memrekaraaslan!
Apparently, you don't have an active Vault token set in your environment (e.g. you didn't log in).
If you run vault secrets enable -version=1 kv, the Vault CLI will normally first check if a token has been set via the VAULT_TOKEN environment variable. If that is not the case, the Vault CLI tries to look up a token in the ~/.vault_token file.
Cheers,
Michel
Hi @michelvocks
I understood you, but my script is already doing this. Before running the command that enables the KV secrets engine, I write the token to the ~/.vault_token file.
But my problem is not solved. What can I do about this?
Thanks,
Emre
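The lookup order Michel describes, and the follow-up about writing a token file, are both covered by the added script below. It is an example written for this thread, not the poster's vault_seal_manager.sh and not anything shipped with Vault. Two facts it relies on: the Vault CLI's default token file is $HOME/.vault-token (hyphen, not underscore), and a systemd service does not run with a login shell's profile, so VAULT_TOKEN exported there is absent. The script therefore resolves the token itself and exports VAULT_TOKEN before any authenticated command, so it behaves the same from a terminal and from ExecStart. It also uses the documented exit codes of vault status (0 unsealed, 2 sealed, 1 error) to wait for the server, and checks the mount list first so a second boot does not fail on an existing kv/ mount. The file paths /etc/vault.d/unseal.keys and /etc/vault.d/root.token and the run argument are assumptions.

```sh
#!/bin/sh
# Added example, not the poster's vault_seal_manager.sh: unseal a local Vault
# and enable KV v1 in a way that works when systemd starts the script.
# Assumed paths: /etc/vault.d/unseal.keys (one key per line) and
# /etc/vault.d/root.token; keep both root-only (chmod 600).
set -eu

: "${VAULT_ADDR:=https://127.0.0.1:8200}"
export VAULT_ADDR
: "${UNSEAL_KEY_FILE:=/etc/vault.d/unseal.keys}"
: "${ROOT_TOKEN_FILE:=/etc/vault.d/root.token}"

log() { printf 'vault_seal_manager: %s\n' "$*"; }

# Resolve the token ourselves and export it, instead of relying on the CLI's
# own lookup (VAULT_TOKEN, then $HOME/.vault-token). Under systemd nothing a
# login profile exported is present, so an explicit file is the reliable path.
resolve_token() {
  file=$1
  if [ -n "${VAULT_TOKEN:-}" ]; then
    printf '%s\n' "$VAULT_TOKEN"
    return 0
  fi
  if [ -r "$file" ]; then
    tok=$(tr -d '[:space:]' < "$file")
    if [ -n "$tok" ]; then
      printf '%s\n' "$tok"
      return 0
    fi
  fi
  echo "no Vault token: export VAULT_TOKEN or create $file" >&2
  return 1
}

# `vault status` exits 0 when unsealed, 2 when sealed, 1 on any other error.
seal_state() {
  rc=0
  vault status >/dev/null 2>&1 || rc=$?
  case $rc in
    0) echo unsealed ;;
    2) echo sealed ;;
    *) echo unreachable ;;
  esac
}

unseal_with_keys() {
  while IFS= read -r key || [ -n "$key" ]; do
    [ -n "$key" ] || continue
    vault operator unseal "$key" >/dev/null
  done < "$1"
}

# After=vault.service only orders the fork, not readiness, so poll for it.
ensure_unsealed() {
  tries=0
  while :; do
    state=$(seal_state)
    if [ "$state" = unsealed ]; then
      log "Vault is unsealed"
      return 0
    fi
    tries=$((tries + 1))
    if [ "$tries" -gt 10 ]; then
      echo "Vault at $VAULT_ADDR did not become unsealed (last state: $state)" >&2
      return 1
    fi
    if [ "$state" = sealed ]; then
      log "unsealing with keys from $UNSEAL_KEY_FILE"
      unseal_with_keys "$UNSEAL_KEY_FILE"
    fi
    sleep 1
  done
}

# Idempotent: `vault secrets list` prints one mount per line, path first.
ensure_kv_v1() {
  if vault secrets list | grep -q '^kv/'; then
    log "kv/ already enabled"
    return 0
  fi
  vault secrets enable -version=1 kv
  log "enabled kv (version 1)"
}

main() {
  VAULT_TOKEN=$(resolve_token "$ROOT_TOKEN_FILE")
  export VAULT_TOKEN
  ensure_unsealed
  # Fail here with a clear message rather than at the mount step.
  vault token lookup >/dev/null || { echo "token rejected by $VAULT_ADDR" >&2; return 1; }
  ensure_kv_v1
}

# systemd: ExecStart=/usr/local/bin/vault_seal_manager.sh run
case "${1:-}" in
  run) main ;;
esac
```

Install it as /usr/local/bin/vault_seal_manager.sh and point ExecStart at it with the run argument. Keeping unseal keys and a root token on the same device as the data they protect gives up most of what the seal buys, so at minimum keep both files root-only, and once kv/ exists consider replacing the root token with one whose policy only permits what this script does (an assumption about your policy setup, not something the thread covers).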