vault does not allow changing approle token_num_use=1 to batch token in a single request #11570

Closed
juliantaylor opened this issue May 10, 2021 · 0 comments · Fixed by #11647

@juliantaylor

Describe the bug
When you have an approle with default token type and token_num_uses>0 and you want to change it to a batch token (which implies token_num_uses=0), the update fails when done in a single request.

To Reproduce

$ vault write auth/approle/role/rolename bind_secret_id=false secret_id_bound_cidrs=10.90.28.0/22 secret_id_num_uses=0 secret_id_ttl=10m token_policies=policy token_ttl=5m token_max_ttl=10m token_num_uses=2 token_type=default
Success! Data written to: auth/approle/role/rolename
$ vault write auth/approle/role/rolename bind_secret_id=false secret_id_bound_cidrs=10.90.28.0/22 secret_id_num_uses=0 secret_id_ttl=10m token_policies=policy token_ttl=5m token_max_ttl=10m token_num_uses=0 token_type=batch
Code: 400. Errors:

* 'token_type' cannot be 'batch' or 'default_batch' when set to generate tokens with limited use count

The workaround is to update the approle first to token_num_uses=0 and default token_type and then change the token type (or delete and recreate, which cycles the roleid).

Expected behavior
The change can be done in one call instead of two.

Environment:

  • Vault Server Version: 1.6.3
  • Vault CLI Version: 1.6.3
  • Server Operating System/Architecture: debian buster
@vishalnayak vishalnayak added the bug Used to indicate a potential bug label May 18, 2021
@vishalnayak vishalnayak self-assigned this May 18, 2021
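
An added illustration, not Vault's source code and not part of the original report: a minimal Go model of one validation ordering that reproduces the reported error, next to a merge-then-validate ordering that accepts the same request. The `Role`, `Update` and function names are hypothetical, and the ordering in `applyFieldByField` is an assumption inferred from the error text above.

```go
package main

import "fmt"

// Hypothetical model, not Vault's types; a nil Update field was not sent.
type Role struct{ TokenType string; TokenNumUses int }
type Update struct{ TokenType *string; TokenNumUses *int }

var errBatch = fmt.Errorf("'token_type' cannot be 'batch' or 'default_batch' when set to generate tokens with limited use count")

func conflict(tokenType string, numUses int) bool {
	return (tokenType == "batch" || tokenType == "default_batch") && numUses > 0
}

// merged returns r with every field present in u applied.
func merged(r Role, u Update) Role {
	if u.TokenType != nil {
		r.TokenType = *u.TokenType
	}
	if u.TokenNumUses != nil {
		r.TokenNumUses = *u.TokenNumUses
	}
	return r
}

// applyFieldByField (assumed ordering) checks token_type against the stored use count.
func applyFieldByField(r Role, u Update) (Role, error) {
	if u.TokenType != nil && conflict(*u.TokenType, r.TokenNumUses) {
		return r, errBatch
	}
	return merged(r, u), nil
}

// applyThenValidate merges first, then checks the invariant on the result.
func applyThenValidate(r Role, u Update) (Role, error) {
	next := merged(r, u)
	if conflict(next.TokenType, next.TokenNumUses) {
		return r, errBatch
	}
	return next, nil
}

func main() {
	batch, zero := "batch", 0
	stored, req := Role{"default", 2}, Update{&batch, &zero} // values from the report
	_, err := applyFieldByField(stored, req)
	next, err2 := applyThenValidate(stored, req)
	fmt.Println(err, "|", next, err2)
}
```

Validating the merged role keeps the batch/limited-use invariant enforced while allowing both fields to change in one write.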