The README suggests that it should be possible to use the vault CLI from within the third instance to write a key/value pair:
```
$ docker exec -it vault_vault_3 vault write secret/hello value=world
Success! Data written to: secret/hello
```
However, running that command on the third instance as suggested (or even the second instance) gives this error:
```
Error writing data to secret/hello: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/secret/hello
Code: 400. Errors:

* missing client token
```
However, the request does succeed when run on the first instance (ignoring the lack of a handler for this particular path):
```
Error writing data to secret/hello: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/secret/hello
Code: 404. Errors:

* no handler for route 'secret/hello'
```
This is because the third and second instances do not contain `/root/.vault-token`, most likely because this line in the setup script (vault/setup.sh, line 296 in 20765c8) only operates on the first instance:
I believe the vault auth command generates that token.
Unlike the HTTP API, which I believe forwards requests made to standby nodes to the active primary node, I'm guessing the vault CLI does not do any such forwarding.
Since I don't know much about how vault works in practice, it leaves me wondering if all instances should be authed, or if the first instance's token should be deleted after initialization?
I'm not sure if deleting the token from the first instance would break functionality for app code trying to interact with vault via the HTTP API or if not authing the standby instances means vault will cease to work if/when the primary instance goes down.
Any clarification on this would be greatly appreciated, so I can avoid trial by fire.
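The token lookup behind the 400 above, as an added example that is not part of the issue or the project's setup script: the Vault CLI sends `$VAULT_TOKEN` if it is set and otherwise falls back to the default token helper's file `$HOME/.vault-token`, so an instance with neither gets exactly the "missing client token" error. The function names and the container-name argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the project). Mirrors the Vault CLI's
# client-token resolution so the per-instance failure can be reproduced and
# checked. Assumption: VAULT_TOKEN wins over $HOME/.vault-token (the default
# token helper's file); the optional first argument overrides HOME for testing.

# Print the token the CLI would send, or fail the way the CLI does when
# neither source is populated.
resolve_vault_token() {
    home="${1:-$HOME}"
    if [ -n "$VAULT_TOKEN" ]; then
        printf '%s\n' "$VAULT_TOKEN"
        return 0
    fi
    if [ -s "$home/.vault-token" ]; then
        cat "$home/.vault-token"
        return 0
    fi
    echo "missing client token" >&2
    return 1
}

# For a running container (name is the caller's, e.g. vault_vault_2), report
# whether a CLI invoked inside it would have a token at all. Requires docker;
# not exercised offline.
check_instance_token() {
    if docker exec "$1" sh -c '[ -n "$VAULT_TOKEN" ] || [ -s /root/.vault-token ]'; then
        echo "$1: token present"
    else
        echo "$1: missing client token"
    fi
}
```

Running `check_instance_token` against each of the three containers shows which instances would fail before any request reaches the primary, which separates the CLI's local token problem from any question of standby forwarding.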