403 Forbidden to read the SSH public key from Vault

[dzintars]

Basically by some reason cloud-init is not able to read the key which it is supposed to be able to do.
curl https://vault.oswee.com/v1/ssh-client-signer/public_key returns just an HAproxy's Forbidden HTML error page.
Not sure how curl handles https requests.

5c3527c

[dzintars]

In general i should not request the public key.
Instead i should use app roles

[dzintars]

Turns out it's the issue of my curling.
FF devtools#networking provides option to Copy as cURL which lead me to this simple requests:

curl 'https://vault.oswee.com/ui/vault/auth?with=token' -H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' -H 'TE: Trailers'

This requests works just fine for me now inside of VM and i need to figure out which flags are mandatory.

[dzintars]

OK. In my case the User-Agent is the required flag.

[dzintars]

This is the minimal valid request, but the user agent is wrong.

curl 'https://vault.oswee.com/v1/ssh-client-signer/public_key' -H 'User-Agent: Mozilla/5.0' -H 'Upgrade-Insecure-Requests: 1'

[dzintars]

infra/ansible/roles/haproxy/templates/haproxy.workstation.cfg.j2

Line 127 in dfd4728

http-request deny if { req.hdr(user-agent) -i -m sub curl phantomjs slimerjs }

Curl was blocked. :)