Vault transit KMS

I’m trying to get Boundary to work with a Vault transit KMS using ansible-role-boundary

When launching with systemd on CentOS 7 I see the error:
Worker Auth KMS not found after parsing KMS blocks

My /etc/boundary.d/boundary-controller.hcl

disable_mlock = true

controller {
  name = "client-controller"
  description = "Boundary controller."

  database {
      url = "postgresql://boundary:Qwerty67@client.consul/boundary"
  }
}

# API listener configuration block
listener "tcp" {
  # Should be the address of the NIC that the controller server will be reached on
  address = "10.0.3.98:9200"
  # The purpose of this listener block
  purpose = "api"

  tls_disable = true

  # Enable CORS for the Admin UI
  cors_enabled = false
}

# Data-plane listener configuration block (used for worker coordination)
listener "tcp" {
  # Should be the IP of the NIC that the worker will connect on
  address = "10.0.3.98:9201"
  # The purpose of this listener
  purpose = "cluster"

  tls_disable = true
}


kms "transit" {
  purpose            = "root"
  address            = "https://server01.consul:8200"
  token              = "s.gibbersish"
  disable_renewal    = "false"

  // Key configuration
  key_name           = "transit_key_name"
  mount_path         = "transit/"
  namespace          = "ns1/"

  // TLS Configuration
  tls_ca_cert        = "/etc/boundary.d/tls/consul-agent-ca.pem"
  tls_client_cert    = "/etc/boundary.d/tls/dc1-client-consul-0.pem"
  tls_client_key     = "/etc/boundary.d/tls/dc1-client-consul-0-key.pem"
  tls_server_name    = "server01.consul"
  tls_skip_verify    = "false"
}

Actually it seems to need a second block with:

kms "transit" {
  purpose     = "worker-auth"
  ...
}

This is not obvious from the docs.

Thanks for trying out Boundary @bbaassssiiee!

You do need the three blocks specified in the example controller configuration: https://www.boundaryproject.io/docs/configuration/controller#complete-configuration-example

We can add a comment in that section that reaffirms that you need a minimum of two blocks for root and worker auth, and an optional one for recovery.

Great to see this working with Vault! Thanks again.

Added https://github.com/hashicorp/boundary/pull/744 to clarify the KMS configuration for both controller and worker.

1 Like
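As an added illustration (not code from this thread or from Boundary itself), the following Python check parses the `kms` blocks of a controller config and reports which required purposes are absent, which is the condition behind the "Worker Auth KMS not found after parsing KMS blocks" error at the top of the thread. Both configs are constructed for the example; the check assumes `purpose` is written as a single quoted string, as in every block posted here.

```python
import re

# Constructed excerpt of a Boundary controller config with only a root KMS block,
# modelled on the configuration posted in this thread.
CONFIG_ROOT_ONLY = '''
disable_mlock = true

kms "transit" {
  purpose            = "root"
  address            = "https://server01.consul:8200"
  key_name           = "transit_key_name"
  mount_path         = "transit/"
}
'''

# The same config with the worker-auth and recovery blocks added (constructed).
CONFIG_COMPLETE = CONFIG_ROOT_ONLY + '''
kms "transit" {
  purpose  = "worker-auth"
  key_name = "boundary-worker-auth"
}

kms "transit" {
  purpose  = "recovery"
  key_name = "boundary-recovery"
}
'''

# Purposes a controller must configure (root, worker-auth) and may configure (recovery).
REQUIRED_PURPOSES = {"root", "worker-auth"}
OPTIONAL_PURPOSES = {"recovery"}

# kms blocks contain only key = value lines, so a non-nested brace match is enough.
KMS_BLOCK = re.compile(r'kms\s+"(?P<type>[^"]+)"\s*\{(?P<body>[^}]*)\}')
# Assumption: purpose is a single quoted string, as in every block in this thread.
PURPOSE = re.compile(r'^\s*purpose\s*=\s*"(?P<purpose>[^"]+)"', re.M)
KEY_NAME = re.compile(r'^\s*key_name\s*=\s*"(?P<key>[^"]+)"', re.M)


def kms_blocks(config):
    """Return {purpose: (kms type, key_name or None)} for every kms block found."""
    found = {}
    for m in KMS_BLOCK.finditer(config):
        purpose = PURPOSE.search(m.group("body"))
        if purpose is None:
            continue  # a block without a purpose is useless to Boundary; skip it
        key = KEY_NAME.search(m.group("body"))
        found[purpose.group("purpose")] = (m.group("type"), key.group("key") if key else None)
    return found


def check_kms_config(config):
    """Return (missing required purposes, warnings) for a controller config."""
    found = kms_blocks(config)
    missing = sorted(REQUIRED_PURPOSES - found.keys())
    warnings = []
    for p in sorted(OPTIONAL_PURPOSES - found.keys()):
        warnings.append(f"optional kms purpose {p!r} not configured")
    # The working config in this thread uses a distinct transit key per purpose;
    # flag a key name that is shared between purposes.
    by_key = {}
    for purpose, (_, key) in found.items():
        if key:
            by_key.setdefault(key, []).append(purpose)
    for key, purposes in by_key.items():
        if len(purposes) > 1:
            warnings.append(f"key {key!r} is used for purposes {sorted(purposes)}")
    return missing, warnings


if __name__ == "__main__":
    for name, cfg in (("root only", CONFIG_ROOT_ONLY), ("complete", CONFIG_COMPLETE)):
        missing, warnings = check_kms_config(cfg)
        print(name, "missing:", missing, "warnings:", warnings)
```

Run it against a real `boundary-controller.hcl` by reading the file into `check_kms_config`; a non-empty `missing` list is what the controller will refuse to start on, while the warnings only point at the optional recovery block and at keys shared between purposes.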

I’m still trying to get it to work with a Vault transit KMS, mostly by trial and error because of lacking documentation. I got a transit engine, but it should get a Vault policy (?) and a token tied to it that can be renewed by Boundary.

There’s an example of the Vault policy you need to make a token off here: https://www.boundaryproject.io/docs/configuration/kms/transit

I got that, and created a token tied to it, but the logs now have:

Oct 23 08:12:07 client.consul boundary[28867]: Log Level: info
Oct 23 08:12:07 client.consul boundary[28867]: Mlock: supported: true, enabled: true
Oct 23 08:12:07 client.consul boundary[28867]: Version: Boundary v0.1.0
Oct 23 08:12:07 client.consul boundary[28867]: Version Sha: e08ab98a2b128ee202eae46551da23c831b4acfc
Oct 23 08:12:07 client.consul boundary[28867]: ==> Boundary server started! Log data will stream in below:
Oct 23 08:12:07 client.consul boundary[28867]: 2020-10-23T08:12:07.840Z [INFO]  kms-worker-auth-transit: unable to renew token, disabling renewal: err="Error making API request.
Oct 23 08:12:07 client.consul boundary[28867]: URL: PUT https://server01.consul:8200/v1/auth/token/renew-self
Oct 23 08:12:07 client.consul boundary[28867]: Code: 400. Errors:
Oct 23 08:12:07 client.consul boundary[28867]: * invalid lease ID"
Oct 23 08:12:07 client.consul boundary[28867]: 2020-10-23T08:12:07.873Z [INFO]  controller: cluster address: addr=10.0.3.98:9201

Does the token also have the default policy assigned, so it can self-renew etc.?

How did you create the token for it?

Generally speaking the best method of consuming Vault is to use Vault Agent and have Boundary simply connect to the local Agent listener. That way Agent is responsible for the lifecycle of the token, including reauthentication and renewals.

I added the default policy:

vault token create -policy=default -policy=transit-policy

Still I get:

Oct 29 09:42:29 client.consul boundary[21269]: 2020-10-29T09:42:29.246Z [INFO]  kms-worker-auth-transit: unable to renew token, disabling renewal: err="Error making API request.
Oct 29 09:42:29 client.consul boundary[21269]: URL: PUT https://server01.consul:8200/v1/auth/token/renew-self
Oct 29 09:42:29 client.consul boundary[21269]: Code: 400. Errors:
Oct 29 09:42:29 client.consul boundary[21269]: * invalid lease ID"

I was able to get Vault transit working. Although I agree that the documentation may be confusing, the following policy works for me:

Create three transit keys (boundary-root, boundary-worker-auth, boundary-recovery):

# boundary-recovery
path "transit/encrypt/boundary-recovery" {
  capabilities = ["update"]
}

path "transit/decrypt/boundary-recovery" {
  capabilities = ["update"]
}

# boundary-worker-auth
path "transit/encrypt/boundary-worker-auth" {
  capabilities = ["update"]
}

path "transit/decrypt/boundary-worker-auth" {
  capabilities = ["update"]
}

# boundary-root
path "transit/encrypt/boundary-root" {
  capabilities = ["update"]
}

path "transit/decrypt/boundary-root" {
  capabilities = ["update"]
}

Create token:

vault token create -address="https://xxxx" -policy=boundary-kms-transit-policy

and the config

# Root KMS configuration block: this is the root key for Boundary
# Use a production KMS such as AWS KMS in production installs
kms "transit" {
  purpose            = "root"
  address            = "https://xxxx"
  token              = "s.xxxx"
  disable_renewal    = "false"

  // Key configuration
  key_name           = "boundary-root"
  mount_path         = "transit/"
  namespace          = "ns1/"
}

# Worker authorization KMS
# Use a production KMS such as AWS KMS for production installs
# This key is the same key used in the worker configuration
kms "transit" {
  purpose            = "worker-auth"
  address            = "https://xxxx"
  token              = "s.xxxx"
  disable_renewal    = "false"

  // Key configuration
  key_name           = "boundary-worker-auth"
  mount_path         = "transit/"
  namespace          = "ns1/"
}

# Recovery KMS block: configures the recovery key for Boundary
# Use a production KMS such as AWS KMS for production installs
kms "transit" {
  purpose            = "recovery"
  address            = "https://xxxx"
  token              = "s.xxxx"
  disable_renewal    = "false"

  // Key configuration
  key_name           = "boundary-recovery"
  mount_path         = "transit/"
  namespace          = "ns1/"
}

2 Likes

I had to add “create” capabilities to each path in the Vault policy to get it working, in case someone else is unable to set this up like me. Just having “update” was not enough for my setup.

2 Likes
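As an added example, not taken from this thread or from Boundary's documentation, here is a Python checker that parses a Vault policy written in HCL and reports which of the six Boundary transit paths (encrypt and decrypt for each of the three keys) lack the `create` and `update` capabilities the last two replies settled on. Both policies are constructed for the example; trailing-`*` glob matching and "most specific rule wins" precedence are a simplified model of Vault's policy evaluation (the `+` segment wildcard is not modelled).

```python
import re

# Transit key names from the thread and the mount path used there.
KEYS = ("boundary-root", "boundary-worker-auth", "boundary-recovery")
MOUNT = "transit"
# Capabilities the last reply found necessary on every encrypt/decrypt path.
NEEDED = {"create", "update"}

# Constructed copy of the update-only policy posted in the thread, cut down to one key.
POLICY_UPDATE_ONLY = '''
path "transit/encrypt/boundary-root" {
  capabilities = ["update"]
}

path "transit/decrypt/boundary-root" {
  capabilities = ["update"]
}
'''

# Constructed fixed policy: create + update, using a trailing-* glob to cover all three keys.
POLICY_FIXED = '''
path "transit/encrypt/boundary-*" {
  capabilities = ["create", "update"]
}

path "transit/decrypt/boundary-*" {
  capabilities = ["create", "update"]
}
'''

PATH_BLOCK = re.compile(r'path\s+"(?P<path>[^"]+)"\s*\{(?P<body>[^}]*)\}')
CAPS = re.compile(r'capabilities\s*=\s*\[(?P<caps>[^\]]*)\]')


def parse_policy(text):
    """Return [(path pattern, set of capabilities)] from a Vault policy in HCL."""
    rules = []
    for m in PATH_BLOCK.finditer(text):
        c = CAPS.search(m.group("body"))
        caps = set(re.findall(r'"([^"]+)"', c.group("caps"))) if c else set()
        rules.append((m.group("path"), caps))
    return rules


def path_matches(pattern, request_path):
    """A trailing '*' in a Vault policy path is a prefix glob; anything else must match exactly."""
    if pattern.endswith("*"):
        return request_path.startswith(pattern[:-1])
    return pattern == request_path


def capabilities_for(rules, request_path):
    """Capabilities granted on request_path (simplified Vault semantics): the most
    specific matching rule wins (exact match over glob, longer glob over shorter),
    and a 'deny' in that rule removes every capability."""
    matches = [(p, c) for p, c in rules if path_matches(p, request_path)]
    if not matches:
        return set()
    _, caps = max(matches, key=lambda pc: (not pc[0].endswith("*"), len(pc[0])))
    return set() if "deny" in caps else caps


def missing_capabilities(policy_text, keys=KEYS, mount=MOUNT, needed=NEEDED):
    """Map each Boundary transit path that lacks a needed capability to what it lacks."""
    rules = parse_policy(policy_text)
    missing = {}
    for key in keys:
        for op in ("encrypt", "decrypt"):
            path = f"{mount}/{op}/{key}"
            lacking = sorted(needed - capabilities_for(rules, path))
            if lacking:
                missing[path] = lacking
    return missing


if __name__ == "__main__":
    print("update-only policy lacks:", missing_capabilities(POLICY_UPDATE_ONLY))
    print("fixed policy lacks:", missing_capabilities(POLICY_FIXED))
```

The fixed policy deliberately grants nothing outside `transit/encrypt/` and `transit/decrypt/`, so the Boundary token cannot read, rotate or delete the keys themselves; the checker confirms this by returning an empty set for a path such as `transit/keys/boundary-root`.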