Vault missing client token when start on systemd

Hi community,

I set up a vault to save some of my secrets on my IoT device. I use filesystem as the storage backend.

I’m getting Vault up on systemd. Every time the device starts, the Vault server is running. I also wrote a bash script to automate operations. With this script I unlock the lock, run the secret engine (KV v1) and get Vault ready. I also added this script to systemd to run after the Vault service. My structures are as follows:

/etc/systemd/system/multi-user.target/vault.service :

[Unit]
Description=vault server

[Service]
Restart=on-failure
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
ExecStop=/usr/bin/vault operator step-down

[Install]
WantedBy=multi-user.target

/etc/systemd/system/multi-user.target/vault-seal-manager.service :

[Unit]
Description=Vault Initialization and Seal Manager
After=vault.service

[Service]
User=root
ExecStart=/usr/local/bin/vault_seal_manager.sh

[Install]
WantedBy=multi-user.target

When I run my script via the command line, I have no problems, but when I run it as a service (systemctl start vault-seal-manager.service), I get an error on the line where I run the KV secret engine. The error is as follows:

...

Code: 400. Errors:
* missing client token

I couldn’t understand why. When I run the script via the command line, I do not receive this error, but why do I get it when I run it as a service? How can I fix this error?

Thanks.

In addition, I use this command to enable the KV secret engine in my bash script:

vault secrets enable -version=1 kv

And then I get this error:

    ● vault-seal-manager.service - Vault Initialization and Seal Manager
       Loaded: loaded (/lib/systemd/system/vault-seal-manager.service; enabled; vendor preset: enabled)
       Active: inactive (dead) since Mon 2020-02-17 14:47:27 UTC; 131ms ago
      Process: 1966 ExecStart=/usr/bin/vault_seal_manager.sh (code=exited, status=0/SUCCESS)
     Main PID: 1966 (code=exited, status=0/SUCCESS)

    Feb 17 14:47:09 imx6ul-var-dart systemd[1]: Started Vault Initialization and Seal Manager.
    Feb 17 14:47:16 imx6ul-var-dart vault_seal_manager.sh[1966]: VaultSealManager-[14:47:16 02/17/20]-[INFO]: Got unseal keys successfull...
    Feb 17 14:47:16 imx6ul-var-dart vault_seal_manager.sh[1966]: VaultSealManager-[14:47:16 02/17/20]-[INFO]: Attempting to unseal local Vault instance with acquired unseal keys...
    Feb 17 14:47:22 imx6ul-var-dart vault_seal_manager.sh[1966]: VaultSealManager-[14:47:22 02/17/20]-[INFO]: Checking local seal status...
    Feb 17 14:47:26 imx6ul-var-dart vault_seal_manager.sh[1966]: VaultSealManager-[14:47:26 02/17/20]-[INFO]: Local Vault instance is now unsealed!
    Feb 17 14:47:27 imx6ul-var-dart vault_seal_manager.sh[1966]: Error enabling: Error making API request.
    Feb 17 14:47:27 imx6ul-var-dart vault_seal_manager.sh[1966]: URL: POST https://127.0.0.1:8200/v1/sys/mounts/kv
    Feb 17 14:47:27 imx6ul-var-dart vault_seal_manager.sh[1966]: Code: 400. Errors:
    Feb 17 14:47:27 imx6ul-var-dart vault_seal_manager.sh[1966]: * missing client token

Hi @memrekaraaslan!

Apparently, you don’t have an active Vault token set in your environment (e.g. you didn’t log in).
If you run vault secrets enable -version=1 kv, the Vault CLI will normally first check if a token has been set via the VAULT_TOKEN environment variable. If that is not the case, the Vault CLI tries to look up a token in the ~/.vault_token file.

Cheers,
Michel
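The token lookup order described above, as an added bash example (not from the thread or from Vault itself): it mirrors the CLI's precedence (VAULT_TOKEN first, then $HOME/.vault_token) so a service script can verify it actually holds a token before calling vault, and it exports VAULT_TOKEN explicitly so later calls no longer depend on what $HOME is under systemd. The function names and the token value are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: reproduce the Vault CLI token lookup order so a service script
# can check its own environment. Note that "~" expands via $HOME, and $HOME in
# a systemd service need not match the interactive shell that wrote the file.

# resolve_vault_token: print where a token would come from: "env", "file" or "none".
# $1 = directory to treat as HOME (defaults to $HOME) so the lookup is testable.
resolve_vault_token() {
  local home="${1:-$HOME}"
  if [ -n "${VAULT_TOKEN:-}" ]; then
    echo "env"
    return 0
  fi
  if [ -s "$home/.vault_token" ]; then
    echo "file"
    return 0
  fi
  echo "none"
  return 1
}

# ensure_vault_token: export VAULT_TOKEN from the token file when it is unset,
# so "vault secrets enable ..." in the same script sees the token regardless of $HOME.
ensure_vault_token() {
  local home="${1:-$HOME}"
  if [ -z "${VAULT_TOKEN:-}" ]; then
    if [ -s "$home/.vault_token" ]; then
      VAULT_TOKEN="$(cat "$home/.vault_token")"
      export VAULT_TOKEN
    else
      echo "no Vault token in VAULT_TOKEN or $home/.vault_token" >&2
      return 1
    fi
  fi
  return 0
}

# Demo with a constructed token file in a temp directory (no running Vault needed).
demo_home="$(mktemp -d)"
printf 's.CONSTRUCTED-EXAMPLE-TOKEN' > "$demo_home/.vault_token"
unset VAULT_TOKEN
resolve_vault_token "$demo_home"              # file
resolve_vault_token "/nonexistent" || true    # none: wrong HOME, token invisible
ensure_vault_token "$demo_home"
resolve_vault_token "/nonexistent"            # env: exported, HOME no longer matters
rm -rf "$demo_home"
```

In the service script, call ensure_vault_token right after the unseal step (or set Environment=VAULT_TOKEN=... in the unit) before enabling the secret engine.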

Hi @michelvocks

I understood you, but my script is already doing this. Before running the Vault KV secret engine enable command, I write the token to the ~/.vault_token file.

But my problem is not solved. What can I do about this?

Thanks,
Emre