Invalid token when using approle authentication #342

Open
henryx opened this issue Nov 27, 2024 · 0 comments

henryx commented Nov 27, 2024

According to the documentation, I've created an approle with these commands:

cat <<EOF | vault policy write a_policy -
path "a_mount/a_kv" { capabilities = ["read"]}
EOF

vault auth enable approle
vault write auth/approle/role/a_role token_policies="a_policy" \
    token_ttl=1h token_max_ttl=4h

vault secrets enable -path=a_mount -version=1 kv
vault kv put --mount=a_mount a_kv mongo_pass=test

export ROLE_ID=$(vault read -format=json auth/approle/role/a_role/role-id | jq -r '.data.role_id')
export SECRET_ID=$(vault write -format=json -force auth/approle/role/a_role/secret-id | jq -r '.data.secret_id')

export VAULT_TOKEN=$(vault write -format=json auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID | jq -r '.auth.client_token')

vault kv get --mount=a_mount a_kv
======= Data =======
Key           Value
---           -----
mongo_pass    test

In my Quarkus application, I've used this configuration:

quarkus.mongodb.connection-string=mongodb://admin:${mongo_pass}@localhost:27017
quarkus.mongodb.database=testDB
quarkus.vault.url=http://localhost:8200
quarkus.vault.authentication.app-role.role-id=<a_role>
quarkus.vault.authentication.app-role.secret-id=<a_secret>
quarkus.mongodb.credentials.credentials-provider=a_provider
quarkus.vault.kv-secret-engine-mount-path=a_mount
quarkus.vault.credentials-provider.a_provider.kv-path=a_kv
quarkus.vault.credentials-provider.a_provider.kv-key=mongo_pass
quarkus.vault.kv-secret-engine-version=1

But when I start the application, I get this error:

java.lang.RuntimeException: java.lang.RuntimeException: Failed to start quarkus

	at io.quarkus.test.junit.QuarkusTestExtension.throwBootFailureException(QuarkusTestExtension.java:627)
	at io.quarkus.test.junit.QuarkusTestExtension.interceptTestClassConstructor(QuarkusTestExtension.java:711)
	at java.base/java.util.Optional.orElseGet(Optional.java:364)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
Caused by: java.lang.RuntimeException: Failed to start quarkus
	at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
	at io.quarkus.runtime.Application.start(Application.java:101)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at io.quarkus.runner.bootstrap.StartupActionImpl.run(StartupActionImpl.java:305)
	at io.quarkus.test.junit.QuarkusTestExtension.doJavaStart(QuarkusTestExtension.java:241)
	at io.quarkus.test.junit.QuarkusTestExtension.ensureStarted(QuarkusTestExtension.java:594)
	at io.quarkus.test.junit.QuarkusTestExtension.beforeAll(QuarkusTestExtension.java:644)
	... 1 more
Caused by: jakarta.enterprise.inject.CreationException: Error creating synthetic bean [h1_G0-d2ADp3y2Tmh2-WKjUlre0]: VaultClientException{operationName='VAULT [SECRETS (kv1)] Read', requestPath='http://localhost:8200/v1/a_mount/a_kv', status=403, errors=[2 errors occurred:
	* permission denied
	* invalid token

]}
	at com.mongodb.client.MongoClient_h1_G0-d2ADp3y2Tmh2-WKjUlre0_Synthetic_Bean.doCreate(Unknown Source)
[...]

What am I missing? Quarkus-vault is 4.1.0.
