Vault / Nomad not renewing postgres token correctly

I’m having an issue where Vault or Nomad doesn’t seem to update a vault role lease properly for my postgres db. I have a role set up for vaultwarden there, and it works fine for about a day, then it seems to lose permissions and I get a database permissions error in the logs when I try to log into the vaultwarden web ui.

According to the vaultwarden docs the db user should have these privileges:

CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'yourpassword';
GRANT all privileges ON database vaultwarden TO vaultwarden;

The vault role is set up like this with Terraform (each.value will be vaultwarden for this role). I use these same statements for other services like huginn without issues:

resource "vault_database_secret_backend_role" "role" {
  for_each    = local.postgres_services
  backend     = vault_mount.postgres.path
  name        = each.value
  db_name     = each.value
  default_ttl = "3600"
  max_ttl     = "86400"

  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
    "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"{{name}}\";",
    "GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO \"{{name}}\";",
    "REASSIGN OWNED BY ${each.value} TO \"{{name}}\";",
  ]

  renew_statements = [
    "ALTER ROLE \"{{name}}\" VALID UNTIL '{{expiration}}';",
  ]

  revocation_statements = [
    "REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{name}}\";",
    "REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM \"{{name}}\";",
    "REVOKE ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public FROM \"{{name}}\";",
    "REVOKE ALL PRIVILEGES ON SCHEMA public FROM \"{{name}}\";",
    "ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM \"{{name}}\";",
    "ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM \"{{name}}\";",
    "ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON FUNCTIONS FROM \"{{name}}\";",
    "REVOKE USAGE ON SCHEMA public FROM \"{{name}}\";",
    "REASSIGN OWNED BY \"{{name}}\" TO ${each.value};",
    "DROP USER \"{{name}}\";",
  ]
}

In the Nomad job I just use my Vault policy to give the task access to the postgres engine, and then I have this templated for the relevant environment variable:

{{ with secret "postgres/creds/vaultwarden" -}}
DATABASE_URL='postgresql://{{ .Data.username }}:{{ .Data.password }}@postgres.service.consul:5432/vaultwarden?application_name=vaultwarden'
{{- end }}

The max_ttl for the Vault role is 24h as you can see, so I’m guessing that once it runs out the issue appears, but I’m not sure why Nomad isn’t just renewing the lease and keeping it running.
The template above is also set to change_mode = restart.

So what reason could there be for the database access to initially work for 24h when I start the vaultwarden service, and then after about a day it loses permissions? If I stop the Nomad job and start it up again the service works for another day before it fails again.
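Added example, not from the thread and not Vault's or Nomad's own code: a small Python model of the two lease rules that decide what happens at the 24h mark in the setup above. A renewal extends a lease from the time of the renewal, but never past issue_time + max_ttl; once that cap is reached the lease expires, the role's revocation_statements run (ending in DROP USER), and any consumer still holding the old username/password loses database access. The model uses the role's default_ttl of 3600 and max_ttl of 86400. The consumer loop is an assumption about what a well-behaved template runner does (renew on a schedule, and read a fresh credential once the current lease cannot outlive the next renewal); it is not a description of Nomad's internals. The function names and lease ids are constructed for the example.

```python
"""Model of Vault lease renewal against a max_ttl cap (constructed example).

Rules encoded here:
  1. `renew` extends the lease by `increment` seconds measured from `now`.
  2. The lease can never expire later than issue_time + max_ttl.
  3. Renewing an already-expired lease fails; Vault has revoked it.
"""
from dataclasses import dataclass, field

DEFAULT_TTL = 3600   # default_ttl of the role in the thread (seconds)
MAX_TTL = 86400      # max_ttl of the role in the thread (seconds)


@dataclass
class Lease:
    lease_id: str
    issue_time: int          # seconds on a constructed timeline
    expire_time: int
    max_ttl: int = MAX_TTL
    revoked: bool = False
    renewals: list = field(default_factory=list)

    @property
    def hard_cap(self) -> int:
        """Latest possible expiry: no renewal can push past this point."""
        return self.issue_time + self.max_ttl


def issue(lease_id: str, now: int, ttl: int = DEFAULT_TTL, max_ttl: int = MAX_TTL) -> Lease:
    """Simulate reading postgres/creds/<role>: a fresh lease with the default TTL."""
    return Lease(lease_id, now, now + min(ttl, max_ttl), max_ttl)


def renew(lease: Lease, now: int, increment: int = DEFAULT_TTL) -> int:
    """Simulate `vault lease renew`; returns seconds remaining after the renewal.

    Returns 0 when the lease had already expired, which is when Vault runs the
    revocation_statements and the database role stops existing.
    """
    if lease.revoked or now >= lease.expire_time:
        lease.revoked = True
        return 0
    # Extend from now, but clamp at the max_ttl cap; never shorten the lease.
    lease.expire_time = max(lease.expire_time, min(now + increment, lease.hard_cap))
    lease.renewals.append(now)
    return lease.expire_time - now


def simulate(duration: int, renew_every: int = DEFAULT_TTL // 2, reread_at_cap: bool = True):
    """Run a consumer that renews on a fixed schedule (assumed behaviour, not Nomad's).

    Returns (events, lost_access). `events` is a list of (time, description);
    `lost_access` is True if the consumer ever ended up holding a revoked credential.
    With reread_at_cap=False the consumer only ever renews, which is exactly the
    case where the 24h max_ttl cap eventually drops the database user.
    """
    events = [(0, "read credential lease-1")]
    lease = issue("lease-1", 0)
    count = 1
    t = 0
    while t < duration:
        t += renew_every
        if renew(lease, t) == 0:
            events.append((t, f"{lease.lease_id} expired; revocation_statements ran (DROP USER)"))
            return events, True
        # The cap, not the current expiry, is what matters: if the lease cannot be
        # renewed past the next scheduled renewal, a new credential is needed now.
        if reread_at_cap and lease.hard_cap - t <= renew_every:
            count += 1
            lease = issue(f"lease-{count}", t)
            events.append((t, f"near max_ttl; read new credential lease-{count}"))
    return events, False


if __name__ == "__main__":
    for mode in (False, True):
        events, lost = simulate(3 * MAX_TTL, reread_at_cap=mode)
        print(f"reread_at_cap={mode}: lost_access={lost}")
        for when, what in events:
            print(f"  t={when:>6}s  {what}")
```

Running the block prints both timelines: with renewals only, the first renewal at or after t=86400 fails and the user is gone (the "works for about a day" symptom); with a re-read before the cap, the consumer rolls to a new username/password every day and keeps access, which is the point at which a change_mode = restart template has to re-render.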

I’d like an answer for this as well. I’m about to deploy a similar setup and am just wondering how to actually trigger a lease renewal. Is it supposed to happen automatically? The OP’s question seems to suggest that it does not.

Nomad is supposed to automatically update the lease, but there is something preventing it from doing so, whether it’s misconfiguration or a bug I can’t say as I’ve received no response.

Yesterday I finally decided to back out of using this feature for now so that whatever is wrong might end up getting patched, or I’ll stumble on the solution somehow elsewhere, but it hasn’t been working for me at all for a couple of months and I can’t be bothered anymore.

I opened a GitHub issue for this, but no responses there either: Nomad not renewing Vault database engine token correctly · Issue #15714 · hashicorp/nomad · GitHub