diff --git a/nomad/vault.go b/nomad/vault.go index 2c58e7e59e4..7126b933820 100644 --- a/nomad/vault.go +++ b/nomad/vault.go @@ -880,11 +880,12 @@ func (v *vaultClient) validateRole(role string) error { // Read and parse the fields var data struct { - ExplicitMaxTtl int `mapstructure:"explicit_max_ttl"` - Orphan bool - Period int - TokenPeriod int `mapstructure:"token_period"` - Renewable bool + ExplicitMaxTtl int `mapstructure:"explicit_max_ttl"` + TokenExplicitMaxTtl int `mapstructure:"token_explicit_max_ttl"` + Orphan bool + Period int + TokenPeriod int `mapstructure:"token_period"` + Renewable bool } if err := mapstructure.WeakDecode(rsecret.Data, &data); err != nil { return fmt.Errorf("failed to parse Vault role's data block: %v", err) @@ -896,7 +897,7 @@ func (v *vaultClient) validateRole(role string) error { multierror.Append(&mErr, fmt.Errorf("Role must allow tokens to be renewed")) } - if data.ExplicitMaxTtl != 0 { + if data.ExplicitMaxTtl != 0 || data.TokenExplicitMaxTtl != 0 { multierror.Append(&mErr, fmt.Errorf("Role can not use an explicit max ttl. Token must be periodic.")) } diff --git a/nomad/vault_test.go b/nomad/vault_test.go index 1df1a95a352..94c0a0b27ac 100644 --- a/nomad/vault_test.go +++ b/nomad/vault_test.go @@ -295,10 +295,10 @@ func TestVaultClient_ValidateRole(t *testing.T) { "nomad-role-management": nomadRoleManagementPolicy, } data := map[string]interface{}{ - "allowed_policies": "default,root", - "orphan": true, - "renewable": true, - "explicit_max_ttl": 10, + "allowed_policies": "default,root", + "orphan": true, + "renewable": true, + "token_explicit_max_ttl": 10, } v.Config.Token = testVaultRoleAndToken(v, t, vaultPolicies, data, nil) @@ -328,6 +328,7 @@ func TestVaultClient_ValidateRole(t *testing.T) { }) require.Contains(t, connErr.Error(), "explicit max ttl") + require.Contains(t, connErr.Error(), "non-zero period") } // TestVaultClient_ValidateRole_Success asserts that a valid token role