
Wrong key name in log output when using Azure Key Vault KMS

Open sym-stiller opened this issue 1 year ago • 0 comments

Describe the bug

During startup, the Boundary controllers and workers write a few log lines which include the names of the keys that are in use. When using Azure Key Vault KMS, there is a bug that will only output the name of the last configured key, instead of all names.

Example output from my controller:

==> Boundary server configuration:

Azure Environment: AzurePublicCloud
Azure Environment: AzurePublicCloud
Azure Environment: AzurePublicCloud
Azure Key Name: boundary-recovery  <--- this one should be boundary-root
Azure Key Name: boundary-recovery  <--- this one should be boundary-worker
Azure Key Name: boundary-recovery
Azure Vault Name: keyvault-name
Azure Vault Name: keyvault-name
Azure Vault Name: keyvault-name
Cgo: disabled
Controller Public Cluster Addr: boundary.exampledomain.com:9201
Listener 1: tcp (addr: "0.0.0.0:9200", cors_allowed_headers: "[]", cors_allowed_origins: "[https://boundary.exampledomain.com serve://boundary]", cors_enabled: "true", max_request_duration: "1m30s", purpose: "api")
Listener 2: tcp (addr: "0.0.0.0:9201", max_request_duration: "1m30s", purpose: "cluster")
Listener 3: tcp (addr: "0.0.0.0:9203", max_request_duration: "1m30s", purpose: "ops")
Log Level: trace
Mlock: supported: true, enabled: false
Version: Boundary v0.14.3
Version Sha: de3a3c0c382a4a394ab0d3b349ae855d66463f9f

==> Boundary server started! Log data will stream in below:

Despite using 3 different keys for the root, worker-auth and recovery purposes, only the key name that appeared last in the configuration file will appear in the logs. This issue is not reproducible with AEAD KMS. Here is an abbreviated version of my configuration file:

# additional arguments set via env variables:
# AZURE_ENVIRONMENT, AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZUREKEYVAULT_WRAPPER_VAULT_NAME
kms "azurekeyvault" {
  purpose  = "root"
  key_name = "boundary-root"
}

kms "azurekeyvault" {
  purpose  = "worker-auth"
  key_name = "boundary-worker"
}

kms "azurekeyvault" {
  purpose  = "recovery"
  key_name = "boundary-recovery"
}

When I change the order of the kms blocks in my configuration file, the key name displayed in the logs also changes accordingly.

To Reproduce

  1. Run a controller with multiple kms "azurekeyvault" blocks in its configuration
  2. After successful startup, the logs will display only the name of the key that was configured last

Expected behavior

I'd like to see the correct key names in the controller logs. I think everything's running fine and this is only a small oversight, but the log output irritates me.

sym-stiller, Jan 16 '24 17:01
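An added Go example, not Boundary's own code: it models one plausible (assumed, not confirmed by the report) way a startup-info map can produce the repeated "Azure Key Name: boundary-recovery" lines above, shows the per-purpose labelling that avoids it, and automates the check of whether every configured key_name appears in the startup lines. kmsBlock, SampleConfig, StartupInfo and MissingKeyNames are all constructed for this example; the sample config is the issue's abbreviated configuration.

```go
package main

import (
	"fmt"
	"strings"
)

type kmsBlock struct{ Purpose, KeyName string } // constructed stand-in for one kms "azurekeyvault" stanza

// SampleConfig mirrors the three blocks in the issue's abbreviated config file.
var SampleConfig = []kmsBlock{
	{"root", "boundary-root"},
	{"worker-auth", "boundary-worker"},
	{"recovery", "boundary-recovery"},
}

// StartupInfo renders the ordered "label: value" startup lines. qualify=false models a
// hypothetical cause of the symptom: every block writes the same label into one shared
// map, so each printed copy carries the last block's key; qualify=true keys by purpose.
func StartupInfo(cfg []kmsBlock, qualify bool) []string {
	info, keys := map[string]string{}, []string{}
	for _, k := range cfg {
		label := "Azure Key Name"
		if qualify {
			label += " (" + k.Purpose + ")"
		}
		keys = append(keys, label)
		info[label] = k.KeyName // last writer wins when labels collide
	}
	out := make([]string, 0, len(keys))
	for _, k := range keys {
		out = append(out, k+": "+info[k])
	}
	return out
}

// MissingKeyNames automates the reporter's by-eye check: purposes whose key_name never appears.
func MissingKeyNames(lines []string, cfg []kmsBlock) (missing []string) {
	joined := strings.Join(lines, "\n")
	for _, k := range cfg {
		if !strings.Contains(joined, k.KeyName) {
			missing = append(missing, k.Purpose)
		}
	}
	return missing
}

func main() {
	fmt.Println(strings.Join(StartupInfo(SampleConfig, false), "\n")) // reproduces the issue's output
}
```

Running MissingKeyNames over the colliding output reports root and worker-auth as absent, which is exactly the gap the reporter spotted by hand; over the purpose-qualified output it reports nothing.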