
Dynamic secrets are renewed all the time, rather than according to their lease duration #1019

Closed
preetapan opened this issue Oct 3, 2017 · 2 comments

@preetapan

Reproduced this on consul-template master using Vault's AWS secret backend with a lease period of 2 minutes and the following test template that read access keys and stored them in a file:

production:{{with secret "aws/creds/deploy" }}
  lease_id: {{.Data.lease_id}}
  lease_duration: {{.Data.lease_duration}}
  lease_renewable: {{.Data.lease_renewable}}
  access_key: {{.Data.access_key}}
  secret_key: {{.Data.secret_key}}
{{end}}

This causes consul-template to constantly call Vault to renew the secret instead of every ~30 seconds (because the code uses 1/3 of the lease period as the renew interval).

I found the root cause, will have a PR for it shortly.

Found this when investigating hashicorp/nomad#3197

@preetapan preetapan self-assigned this Oct 3, 2017
preetapan pushed a commit that referenced this issue Oct 3, 2017
…ases are renewed based on their TTL returned by the response, and this was causing all dynamic secrets to be renewed constantly. This fixes #1019
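To make the renewal scheduling described above concrete, here is an added Go example (not consul-template's own code) of a renewer that derives the next wait from the lease duration carried in each renew response, at one third of that duration. The LeaseInfo type, the one-second floor and the fake renew function in the test are assumptions of this example.

```go
package main

import (
	"errors"
	"time"
)

// LeaseInfo is the subset of a Vault secret/renew response a renewer needs.
// Constructed for this example; not a consul-template or Vault API type.
type LeaseInfo struct {
	LeaseID       string
	LeaseDuration int // seconds, as reported by the most recent response
	Renewable     bool
}

var ErrNotRenewable = errors.New("lease is not renewable")
var ErrExpired = errors.New("lease duration is zero")

// minRenewInterval keeps a zero or tiny TTL from turning the loop into a tight
// polling loop, which is the symptom reported in this issue. Assumed value.
const minRenewInterval = time.Second

// NextRenewal returns how long to wait before the next renew call: one third
// of the lease duration from the latest response, with a floor.
func NextRenewal(l LeaseInfo) (time.Duration, error) {
	if !l.Renewable {
		return 0, ErrNotRenewable
	}
	if l.LeaseDuration <= 0 {
		return 0, ErrExpired
	}
	d := time.Duration(l.LeaseDuration) * time.Second / 3
	if d < minRenewInterval {
		d = minRenewInterval
	}
	return d, nil
}

// RenewLoop drives renewals for at most maxRounds, returning the waits it
// computed. The sleep is omitted so the example runs instantly; a real renewer
// would time.Sleep(d) before calling renew. Each round uses the TTL from the
// renew response, not the duration of the original lease.
func RenewLoop(initial LeaseInfo, renew func(leaseID string) (LeaseInfo, error), maxRounds int) ([]time.Duration, error) {
	var waits []time.Duration
	cur := initial
	for i := 0; i < maxRounds; i++ {
		d, err := NextRenewal(cur)
		if err != nil {
			return waits, err // not renewable or expired: stop, do not spin
		}
		waits = append(waits, d)
		next, err := renew(cur.LeaseID)
		if err != nil {
			return waits, err // e.g. a 403 from sys/leases/renew surfaces here
		}
		cur = next
	}
	return waits, nil
}
```

A renew error such as the 403 in the second comment ends the loop and is returned to the caller instead of being retried immediately.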
@cpuspellcaster

I think I'm running into this issue. We have a dynamic MySQL secret backend setup at database/creds/wordpress_agent. Here's the relevant part of our Consul template:

{{ with secret "database/creds/wordpress_agent" }}
define('DB_USER', '{{ .Data.username }}');
define('DB_PASSWORD', '{{ .Data.password }}');
{{ end }}

And here's how we call consul-template in our container:

consul-template \
	-log-level info \
	-vault-token "$(cat ~/.vault-token)" \
	-template "/wp-config.php.ctmpl:/usr/src/wordpress/wp-config.php" \
	-exec php-fpm \
	-exec-reload-signal SIGUSR2

The template is rendered as expected, but still results in these log messages being output repeatedly and constantly:

[WARN] vault.read(database/creds/wordpress_agent): failed to renew: Error making API request.

URL: PUT http://vault.service.consul:8200/v1/sys/leases/renew
Code: 403. Errors:

* permission denied

The lease duration is set to 12h and it is renewable:

~ # vault read database/creds/wordpress_agent
Key            	Value
---            	-----
lease_id       	database/creds/wordpress_agent/bd4a04ad-60b2-99b9-4ef8-754216522894
lease_duration 	12h0m0s
lease_renewable	true
password       	####
username       	####

We're using consul-template v0.19.3 and our Vault servers are running v0.8.0.

@sethvargo

#1021
