envconsul "vault_agent_token_file" should support wrapped format from vault agent

[nicklhw]

Envconsul version

v0.12.1

Configuration

vault-agent.hcl

vault {
  address = "https://127.0.0.1:8200"
  ca_cert = "../vault-certs/vault-ca.crt.pem"
}

auto_auth {
  method {
    type     = "approle"
    wrap_ttl = "5m"
    config   = {
      role_id_file_path = "../tf-config/role_id"
      secret_id_file_path = "../tf-config/secret_id"
      remove_secret_id_file_after_reading = false
    }
  }
  sink "file" {
    config = {
      path = "vault-token-via-agent.json"
    }
  }
}

cache {
  use_auto_auth_token = false
}

listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true
}

envconsul.hcl

upcase = true
log_level = "debug"
vault {
  address      = "https://127.0.0.1:8200"
  vault_agent_token_file = "./vault-token-via-agent.json"
  unwrap_token = true
  renew_token  = false
  ssl {
    enabled = true
    ca_cert = "./vault-ca.crt.pem"
  }
}

Command

vault agent -exit-after-auth -config=agent.hcl && envconsul -config="../envconsul/config.hcl" -secret="kv-v2/my-secret" ../envconsul/app.sh

Debug output

==> Vault agent started! Log data will stream in below:

==> Vault agent configuration:

           Api Address 1: http://127.0.0.1:8100
                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.8.4
             Version Sha: 925bc650ad1d997e84fbb832f302a6bfe0105bbb

2022-03-02T09:49:09.302-0500 [INFO]  sink.file: creating file sink
2022-03-02T09:49:09.303-0500 [INFO]  sink.file: file sink configured: path=vault-token-via-agent.json mode=-rw-r-----
2022-03-02T09:49:09.303-0500 [INFO]  sink.server: starting sink server
2022-03-02T09:49:09.303-0500 [INFO]  template.server: starting template server
2022-03-02T09:49:09.303-0500 [INFO]  template.server: no templates found
2022-03-02T09:49:09.303-0500 [INFO]  auth.handler: starting auth handler
2022-03-02T09:49:09.304-0500 [INFO]  auth.handler: authenticating
2022-03-02T09:49:09.325-0500 [INFO]  auth.handler: authentication successful, sending wrapped token to sinks and pausing
2022-03-02T09:49:09.325-0500 [INFO]  sink.file: token written: path=vault-token-via-agent.json
2022-03-02T09:49:09.325-0500 [INFO]  sink.server: sink server stopped
2022-03-02T09:49:09.325-0500 [INFO]  sinks finished, exiting
2022-03-02T09:49:09.325-0500 [INFO]  template.server: template server stopped
2022-03-02T09:49:09.325-0500 [INFO]  auth.handler: shutdown triggered
2022-03-02T09:49:09.325-0500 [INFO]  auth.handler: auth handler stopped
2022-03-02T09:49:09.341-0500 [INFO]  v0.12.1 ()
2022-03-02T09:49:09.341-0500 [INFO] (runner) creating new runner (once: false)
2022-03-02T09:49:09.341-0500 [DEBUG] (runner) final config: {"Consul":{"Address":"","Namespace":"","Auth":{"Enabled":false,"Username":"","Password":""},"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":false,"Key":"","ServerName":"","Verify":true},"Token":"","Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":13,"TLSHandshakeTimeout":10000000000}},"Exec":{"Command":"../envconsul/app.sh","Enabled":true,"Env":{"Denylist":[],"Custom":[],"Pristine":false,"Allowlist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":0,"Timeout":0},"KillSignal":2,"LogLevel":"debug","MaxStale":2000000000,"PidFile":"","Prefixes":[],"Pristine":false,"ReloadSignal":1,"Sanitize":false,"Secrets":[{"Format":"","NoPrefix":null,"Path":"kv-v2/my-secret","Keys":null}],"Services":[],"Syslog":{"Enabled":false,"Facility":"LOCAL0","Name":"consul-template"},"Upcase":true,"Vault":{"Address":"https://127.0.0.1:8200","Enabled":true,"Namespace":"","RenewToken":false,"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"/Users/nicholaswong/Projects/sandbox/vault/vault-vagrant-agent-sandbox/tf-config/vault-certs/vault-ca.crt.pem","CaPath":"","Cert":"","Enabled":true,"Key":"","ServerName":"","Verify":true},"Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":13,"TLSHandshakeTimeout":10000000000},"UnwrapToken":true,"DefaultLeaseDuration":300000000000},"Wait":{"Enabled":false,"Min":0,"Max":0}}
2022-03-02T09:49:12.862-0500 [ERR] (cli) runner: runner: client set: vault unwrap: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/sys/wrapping/unwrap
Code: 500. Errors:

* error validating wrapping token: wrapping token could not be parsed: square/go-jose: missing payload in JWS message

Expected behavior

envconsul should recognize the json format of the vault agent's sink file when using wrap_ttl and extract the token field and then proceed as usual.

Actual behavior

envconsul slurps the entire contents of the sink file and sends it to the unwrap endpoint as a wrapping token.

Steps to reproduce

configure vault agent to login via auto-auth and write to a file sink with wrap_ttl set
configure envconsul with vault_agent_token_file set to the same file along
observe that envconsul cannot unwrap the token

References

This issue is similar to an open issue for consul-template
hashicorp/consul-template#1498

[eikenb]

Thanks for reporting this @nicklhw!

Fixing that consul-template issue should fix this issue as well (once dependencies are updated). I plan on working on it soon and will update this on my next pass.

If you see that CT bug fixed and want to ping me about this, please do. I rotate working through the projects I maintain and will get to this when envconsul reaches the top of the queue. But.. I could get the fix in master before that if reminded.

[eikenb]

I didn't have time to get that consul-template bug fixed the last time I had time to work on it. Sorry to say this will have to wait for the release after 0.13.0 as I need to fix it in consul-template first. I've added the consul-template issue to the next milestone to be sure it is included in that work.

Sorry for the delay.

[sgriff44]

Hi @eikenb, any update on this issue?

I'm running into this exact same issue and am using envconsul version 0.13.0.

Thank you!

[eikenb]

I've got a possible fix done in the consul-template code that I'll be able to update the dependency to if it works. If anyone here can verify that PR works it'd be a great help as I haven't been able to reproduce it yet.

[eikenb]

Finally finished the consul-template work on this and am now testing that fix works for envconsul as well. If all goes well we should have a release with this fixed next week.

hashicorp/consul-template#1645