
Rendering PKI CRL

Open tmanninger opened this issue 2 years ago • 1 comments

See https://discuss.hashicorp.com/t/vault-agent-template-get-pki-crl/47672/2

When rendering the CRL of a PKI ({{ with secret "pki-root/cert/crl" }}{{ .Data.certificate }}{{ end }}), consul-template throws the following error:

vault.read(pki-root/cert/crl): failed to check if pki-root/cert/crl is KVv2, assume not: Error making API request.

URL: GET https://active.vault.service.consul:8200/v1/sys/internal/ui/mounts/pki-root/cert/crl
Code: 403. Errors:

* preflight capability check returned 403, please ensure client’s policies grant access to path “pki-root/cert/crl/”

Workaround to suppress this error message:

path "pki-root/a-nonexistent-path-so-that-sys-internal-ui-mounts-will-return-info-about-this-mount" {
  capabilities = ["list"]
}

Proposed solution: Add some option to force kv version: {{ with secret "pki-root/cert/crl" kv_version="1" }}{{ .Data.certificate }}{{ end }}

tmanninger avatar Dec 07 '22 06:12 tmanninger

I support this idea, also had headache because of this, but after all just added the permissions for sys/internal/ui/mounts/:path

crashev avatar Apr 28 '23 14:04 crashev
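The two approaches mentioned in this thread side by side, as an added example policy that is not part of the issue or of the consul-template project. It assumes the mount is named pki-root as in the report, and that "read" is the capability Vault checks for the GET on sys/internal/ui/mounts/:path (crashev's comment names the path but not the capability).

```hcl
# Added example, not from the issue. Minimal Vault policy for a consul-template
# token that renders {{ with secret "pki-root/cert/crl" }}. Keep only one of
# option A or option B; both only exist to satisfy the KVv2 preflight check.

# Option A (the issue's workaround): "list" on a path under the mount that
# never exists is enough for sys/internal/ui/mounts to return information
# about the pki-root mount, and it grants nothing on any real path.
path "pki-root/a-nonexistent-path-so-that-sys-internal-ui-mounts-will-return-info-about-this-mount" {
  capabilities = ["list"]
}

# Option B (crashev's approach), scoped to the single path the template reads
# rather than a wildcard. Assumption: "read" is the capability checked here.
path "sys/internal/ui/mounts/pki-root/cert/crl" {
  capabilities = ["read"]
}

# Either option still needs the actual read on the CRL path being rendered.
path "pki-root/cert/crl" {
  capabilities = ["read"]
}
```

Neither option grants access beyond the CRL path, so a token carrying this policy cannot read other PKI or KV paths even though it can satisfy the preflight.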