Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Re-configuring role fails after upgrading existing deployment to Vault 1.9.x #133

Closed
tsaarni opened this issue Feb 2, 2022 · 4 comments · Fixed by #135
Closed

Re-configuring role fails after upgrading existing deployment to Vault 1.9.x #133

tsaarni opened this issue Feb 2, 2022 · 4 comments · Fixed by #135

Comments

@tsaarni
Copy link
Contributor

tsaarni commented Feb 2, 2022

New attribute alias_name_source was added to the "Create Role" request by following change in Vault 1.9.0

auth/kubernetes: Add ability to configure entity alias names based on the serviceaccount's namespace and name. #110 #112 [GH-12633]

Problem Description

Assume we had Role configured prior Vault 1.9.0. Obviously the existing Roles do not have this new attribute stored in the configuration. When sending "Read Role" request for such Role with the missing attribute, the output will look like

{
    "auth": null,
    "data": {
        "alias_name_source": "",
        "bound_service_account_names": [
            "*"
        ],
        "bound_service_account_namespaces": [
            "default"
        ],
        "policies": [
            "my-policy"
        ],
        "token_bound_cidrs": [],
        "token_explicit_max_ttl": 0,
        "token_max_ttl": 0,
        "token_no_default_policy": false,
        "token_num_uses": 0,
        "token_period": 0,
        "token_policies": [
            "my-policy"
        ],
        "token_ttl": 0,
        "token_type": "default"
    },
    "lease_duration": 0,
    "lease_id": "",
    "renewable": false,
    "request_id": "c09d75a5-ceb5-1989-63cb-0e451f9e3820",
    "warnings": null,
    "wrap_info": null
}

Note that alias_name_source has value "" and not the default value serviceaccount_uid.

Note also that "" is not a valid choise. Valid choices are: serviceaccount_uid, serviceaccount_name.

This can cause problems when one attempts to apply a change to existing Role by copying the data from "Read Role" response, and using it as input for "Create Role" request. It contains invalid parameter "alias_name_source": "" which will fail with HTTP/1.1 400 Bad Request

{
    "errors": [
        "invalid alias_name_source, must be one of: serviceaccount_uid, serviceaccount_name"
    ]
}

Expected behavior

One of the following alternatives:

  1. Return "alias_name_source": "serviceaccount_uid".
  2. Do not return alias_name_source attiribute in "Read Role" response.

Maybe (1) is better, since that is aligned how Role would get stored now if creating Role from scratch on Vault 1.9+, without specifying the attribute in Create Role.
@tsaarni
Copy link
Contributor Author

tsaarni commented Feb 2, 2022

Cc @benashz

@tsaarni tsaarni mentioned this issue Feb 3, 2022
Closed
@benashz
Copy link
Contributor

benashz commented Feb 3, 2022

Hi @tsaarni , sorry to hear that you ran into this issue. A quick work around would be to omit data.alias_name_source from your input. The subsequent read will have data.alias_name_source set to the default.

@benashz benashz mentioned this issue Feb 4, 2022
Merged
@kalafut
Copy link
Contributor

kalafut commented Feb 24, 2022

Backported to 1.9.x as part of #133

@benashz
Copy link
Contributor

benashz commented Feb 25, 2022

Backported to vault with hashicorp/vault#14267 . This issue should be resolved in vault-1.9.4.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@tsaarni @kalafut @benashz