Caiyeon/goldfish

Bug: getting 403 on policy change approval

VAdamec opened this issue · 5 comments

Bug report:

Vault version:
0.9.5

Goldfish version:
0.9.0

Operating system:
OL7

Steps to reproduce:
just follow https://github.com/Caiyeon/goldfish/wiki/Production-Deployment

Expected behaviour:
policy will be approved

Actual behaviour:
getting 403

Temp fix

Updating the capabilities of the goldfish policy to allow access to sys/wrapping/wrap helps for approvals (no idea if it's a correct/safe approach), but the last approval gets a 403 for writing, so some piece is still missing.

Vault audit log:

... "approle","policies":["default","goldfish"], "path":"sys/wrapping/wrap", "error":"permission denied", ...

Changed policy

goldfish/vagrant/policies/goldfish.hcl
# [mandatory]
# store goldfish run-time settings here
# goldfish hot-reloads from this endpoint every minute
path "secret/goldfish" {
  capabilities = ["read", "update"]
}


# [optional]
# to enable transit encryption, see wiki for details
path "transit/encrypt/goldfish" {
  capabilities = ["read", "update"]
}
path "transit/decrypt/goldfish" {
  capabilities = ["read", "update"]
}

path "sys/wrapping/wrap" {
  capabilities = ["read", "update"]
}

Goldfish needs the default policy, which includes wrapping and unwrapping. This is by design, and not a bug. The default policy is in the deployment steps in the wiki.

Well, as I said, I followed the production deployment, so the policies were created, but they don't contain any sys/wrapping section. See https://github.com/Caiyeon/goldfish/tree/master/vagrant/policies

goldfish/vagrant/policies/goldfish.hcl

# [mandatory]
# store goldfish run-time settings here
# goldfish hot-reloads from this endpoint every minute
path "secret/goldfish" {
  capabilities = ["read", "update"]
}


# [optional]
# to enable transit encryption, see wiki for details
path "transit/encrypt/goldfish" {
  capabilities = ["read", "update"]
}
path "transit/decrypt/goldfish" {
  capabilities = ["read", "update"]
}

path "sys/wrapping/wrap" {
  capabilities = ["read", "update"]
}

path "sys/wrapping/unwrap" {
  capabilities = ["read", "update"]
}

@VAdamec See Step 1 here https://github.com/Caiyeon/goldfish/wiki/Production-Deployment

Specifically

vault write auth/approle/role/goldfish role_name=goldfish policies=default,goldfish \
secret_id_num_uses=1 secret_id_ttl=5m period=24h token_ttl=0 token_max_ttl=0

Here is more info on the default policy.
To view the default policy you can run the command

vault policy read default

You're right, my default policy was waaay different than it should be (migrated from older versions of Vault). So the only thing which doesn't work is transit encryption. I'll open another ticket, thanks.
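An added check, not part of this thread or of goldfish, that captures what the thread concludes: the goldfish token's effective capabilities are the union of every policy attached to it, so a stale default policy silently drops the sys/wrapping grants that the audit log reports as "permission denied". The policy texts below are constructed (the goldfish.hcl stanzas from the thread, a default-policy excerpt modeled on Vault's stock wrapping stanzas, and a stale default lacking them), and mapping both wrapping paths to the "update" capability is an assumption.

```python
import re

# One Vault policy stanza: path "<name>" { ... capabilities = [ ... ] ... }
STANZA_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]',
    re.DOTALL,
)

# Paths named in the audit log and in the maintainer's reply; both are
# assumed to need the "update" capability (see lead-in).
REQUIRED = {"sys/wrapping/wrap": "update", "sys/wrapping/unwrap": "update"}


def parse_policy(hcl: str) -> dict:
    """Map each path stanza to the set of capabilities it grants."""
    policy = {}
    for path, caps in STANZA_RE.findall(hcl):
        policy.setdefault(path, set()).update(
            c.strip().strip('"') for c in caps.split(",") if c.strip()
        )
    return policy


def effective_capabilities(*policies: str) -> dict:
    """Union of grants across every policy attached to the token."""
    merged = {}
    for hcl in policies:
        for path, caps in parse_policy(hcl).items():
            merged.setdefault(path, set()).update(caps)
    return merged


def missing_grants(*policies: str) -> list:
    """Required paths no attached policy grants; [] means approvals can wrap."""
    caps = effective_capabilities(*policies)
    return sorted(p for p, need in REQUIRED.items() if need not in caps.get(p, set()))


# Constructed inputs: unmodified goldfish.hcl from the thread, a default
# policy excerpt modeled on Vault's stock wrapping stanzas, and a stale
# migrated default (like the reporter's) that lacks them.
GOLDFISH_HCL = '''
path "secret/goldfish" { capabilities = ["read", "update"] }
path "transit/encrypt/goldfish" { capabilities = ["read", "update"] }
path "transit/decrypt/goldfish" { capabilities = ["read", "update"] }
'''
DEFAULT_HCL = '''
path "sys/wrapping/wrap" { capabilities = ["update"] }
path "sys/wrapping/lookup" { capabilities = ["update"] }
path "sys/wrapping/unwrap" { capabilities = ["update"] }
'''
STALE_DEFAULT_HCL = 'path "auth/token/lookup-self" { capabilities = ["read"] }'

if __name__ == "__main__":
    print("stale default, missing:", missing_grants(GOLDFISH_HCL, STALE_DEFAULT_HCL))
    print("stock default, missing:", missing_grants(GOLDFISH_HCL, DEFAULT_HCL))
```

Run it against `vault policy read default` and `vault policy read goldfish` output to confirm whether the 403 in the audit log is a policy gap rather than a goldfish bug.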