Missing client token on second and third instances #5

Open
leoj3n opened this issue May 29, 2019 · 0 comments
leoj3n commented May 29, 2019

The README suggests that it should be possible to use the vault CLI from within the third instance to write a key/value pair:

$ docker exec -it vault_vault_3 vault write secret/hello value=world
Success! Data written to: secret/hello

However, running that command on the third instance as suggested (or even the second instance) gives this error:

Error writing data to secret/hello: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/secret/hello
Code: 400. Errors:

* missing client token

However, the request does succeed when run on the first instance (ignoring the lack of a handler for this particular path):

Error writing data to secret/hello: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/secret/hello
Code: 404. Errors:

* no handler for route 'secret/hello'

This is because the third and second instances do not contain /root/.vault-token, most likely because this line in the setup script only operates on the first instance:

vault/setup.sh, line 296 at commit 20765c8:

docker exec -it ${vault}_1 vault auth -address='https://127.0.0.1:8200'

I believe the vault auth command generates that token.

Unlike the HTTP API which I believe forwards requests made to standby nodes to the active primary node, I'm guessing the vault CLI does not do any such forwarding.

Since I don't know much about how vault works in practice, it leaves me wondering if all instances should be authed, or if the first instance's token should be deleted after initialization?

I'm not sure if deleting the token from the first instance would break functionality for app code trying to interact with vault via the HTTP API or if not authing the standby instances means vault will cease to work if/when the primary instance goes down.

Any clarification on this would be greatly appreciated, so I can avoid trial by fire.
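Added example (not from the issue or the project's setup script): a small POSIX sh simulation of how the Vault CLI picks up its token, showing why only the instance that ran `vault auth` can write. It assumes the lookup order VAULT_TOKEN environment variable first, then the token file in the user's home (~/.vault-token); the container homes and the token value are constructed here.

```shell
#!/bin/sh
# resolve_cli_token HOME_DIR -> prints the token the CLI would send in
# X-Vault-Token, or returns 1 when none is available (the server then
# answers 400 "missing client token"). Order assumed: VAULT_TOKEN env
# var first, then HOME_DIR/.vault-token.
resolve_cli_token() {
  home_dir="$1"
  if [ -n "${VAULT_TOKEN:-}" ]; then
    printf '%s\n' "$VAULT_TOKEN"
    return 0
  fi
  if [ -s "$home_dir/.vault-token" ]; then
    cat "$home_dir/.vault-token"
    return 0
  fi
  return 1
}

# simulate_instances -> creates three constructed container homes; only the
# first gets a token file, as after `vault auth` ran on ${vault}_1 only.
simulate_instances() {
  base="$(mktemp -d)"
  for i in 1 2 3; do mkdir -p "$base/vault_$i"; done
  printf 'CONSTRUCTED-TOKEN-1\n' > "$base/vault_1/.vault-token"
  printf '%s\n' "$base"
}

# report_instances BASE_DIR -> one line per instance: "<name> ok|missing"
report_instances() {
  for i in 1 2 3; do
    if resolve_cli_token "$1/vault_$i" >/dev/null; then
      echo "vault_vault_$i ok"
    else
      echo "vault_vault_$i missing"
    fi
  done
}

base="$(simulate_instances)"
report_instances "$base"          # vault_vault_2 and _3 report "missing"
# Supplying the token per command (e.g. docker exec -e VAULT_TOKEN=...) lets
# every instance authenticate without writing a token file into each container:
( export VAULT_TOKEN="$(cat "$base/vault_1/.vault-token")"; report_instances "$base" )
rm -rf "$base"
```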
