New Credential Store failed because of deprecated Vault token field check
Describe the bug
Boundary throws an error message when you provide a vault token that does not use the deprecated `period` field.
To Reproduce
- Create a vault role for the credential store
```
[~]$ vault write auth/token/roles/boundary-cv-infra \
    allowed_policies=boundary-cv-infra \
    token_period=48h \
    orphan=true \
    token_type=service
Success! Data written to: auth/token/roles/boundary-cv-infra
```
- Create a vault token to give to boundary
```
[~]$ vault token create -role boundary-cv-infra
Key                  Value
---                  -----
token                s.aaaaaaaaaaaaaaaaaaaaaaaa
token_accessor       22xJTqzjqy6gFNj6XiNeYsi5
token_duration       48h
token_renewable      true
token_policies       ["boundary-cv-infra" "default"]
identity_policies    []
policies             ["boundary-cv-infra" "default"]

# NOTE: The token does not have a `period` field
[~]$ vault token lookup -format=json s.aaaaaaaaaaaaaaaaaaaaaaaa
{
  "request_id": "1abeb012-96af-bf91-604f-4c38c4cfd1c2",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "accessor": "22xJTqzjqy6gFNj6XiNeYsi5",
    "creation_time": 1634273154,
    "creation_ttl": 172800,
    "display_name": "token",
    "entity_id": "",
    "expire_time": "2021-10-17T04:45:54.495810945Z",
    "explicit_max_ttl": 0,
    "id": "s.aaaaaaaaaaaaaaaaaaaaaaaa",
    "issue_time": "2021-10-15T04:45:54.495818449Z",
    "meta": null,
    "num_uses": 0,
    "orphan": true,
    "path": "auth/token/create/boundary-cv-infra",
    "policies": [
      "boundary-cv-infra",
      "default"
    ],
    "renewable": true,
    "role": "boundary-cv-infra",
    "ttl": 172028,
    "type": "service"
  },
  "warnings": null
}
```
- Try to create a credential store
Error credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: vault token is not a periodic token, vault token issue: error #3011
Expected behavior
I think the Credential Store should get created since the token I created is periodic.
Additional context
I'm not 100% sure, but I think this might be related to this check https://github.com/hashicorp/boundary/blob/v0.6.2/internal/credential/vault/repository_credential_store.go#L237-L239
Boundary will create a credential store if you manually create a token using the deprecated `period` field.
```
# NOTE: Manually creating a token with the deprecated `period` option works
[~]$ vault token create -orphan=true -period=2h -policy=boundary-cv-infra
Key                  Value
---                  -----
token                s.bbbbbbbbbbbbbbbbbbbbbbbb
token_accessor       e3w8rNmSapG3n9bpMaYG0X9j
token_duration       2h
token_renewable      true
token_policies       ["boundary-cv-infra" "default"]
identity_policies    []
policies             ["boundary-cv-infra" "default"]

# NOTE: the response has `period`
[~]$ vault token lookup -format=json s.bbbbbbbbbbbbbbbbbbbbbbbb
{
  "request_id": "8bc354b7-76b0-c5cd-6750-68751f5237b6",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "accessor": "e3w8rNmSapG3n9bpMaYG0X9j",
    "creation_time": 1634273854,
    "creation_ttl": 7200,
    "display_name": "token",
    "entity_id": "",
    "expire_time": "2021-10-15T06:57:34.648644267Z",
    "explicit_max_ttl": 0,
    "id": "s.bbbbbbbbbbbbbbbbbbbbbbbb",
    "issue_time": "2021-10-15T04:57:34.648649387Z",
    "meta": null,
    "num_uses": 0,
    "orphan": true,
    "path": "auth/token/create",
    "period": 7200,
    "policies": [
      "boundary-cv-infra",
      "default"
    ],
    "renewable": true,
    "ttl": 7186,
    "type": "service"
  },
  "warnings": null
}
```
Possibly related nomad PR https://github.com/hashicorp/nomad/pull/6574
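An added example, not part of the original issue and not Boundary's code: a preflight check over `vault token lookup -format=json` output that separates a token carrying `data.period` from one whose period is configured only on its role through `token_period`. The function name, the verdict strings and the abbreviated sample responses are constructed for illustration, and treating a role's `token_period` as evidence of a periodic token is an assumption based on the two lookups in the report.

```python
import json

# Constructed, abbreviated copies of the two lookup responses in the report
# (only the fields this check reads).
ROLE_TOKEN = json.loads("""{"data": {"creation_ttl": 172800, "orphan": true,
  "renewable": true, "role": "boundary-cv-infra", "type": "service"}}""")
MANUAL_TOKEN = json.loads("""{"data": {"creation_ttl": 7200, "orphan": true,
  "period": 7200, "renewable": true, "type": "service"}}""")


def classify_periodic(lookup, role_token_period=None):
    """Return (verdict, reason) for a parsed token lookup response.

    role_token_period is the token_period (in seconds) configured on the
    token's role, if the caller has already read the role; None if unknown.
    """
    data = lookup.get("data") or {}

    # Case 1: the token itself carries the `period` field.
    period = data.get("period")
    if isinstance(period, (int, float)) and period > 0:
        return "periodic", f"data.period={int(period)}"

    # Case 2: no `period` on the token, but it was issued from a role.
    # Assumption: the period then has to be confirmed on the role.
    role = data.get("role")
    if role:
        if role_token_period is None:
            return "unknown", f"no data.period; check token_period on role {role!r}"
        if role_token_period > 0:
            return "periodic-via-role", f"role {role!r} token_period={int(role_token_period)}"

    # Case 3: nothing indicates a period.
    return "not-periodic", "no data.period and no role token_period"


if __name__ == "__main__":
    for name, tok, role_period in [
        ("manual -period=2h", MANUAL_TOKEN, None),
        ("role token, role not read", ROLE_TOKEN, None),
        ("role token, token_period=48h", ROLE_TOKEN, 172800),
    ]:
        print(name, "->", classify_periodic(tok, role_period))
```
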
Thanks Brandon, I ran into this too.
I just ran into this bug too; it looks like the `period` field was deprecated in Vault 1.2.0 (2019)
```
[~]$ vault version
Vault v1.11.2 (3a8aa12eba357ed2de3192b15c99c717afdeb2b5), built 2022-07-29T09:48:47Z
[~]$ vault path-help auth/token/roles/new-role | grep 'period (duration (sec))' -m 1 -A 3
    period (duration (sec))
        (DEPRECATED) Use 'token_period' instead.
```
still broken years later.