vault approle id is changed #17820
Comments
The only time a RoleID of an AppRole should ever change is if explicitly requested via the API for that purpose: https://developer.hashicorp.com/vault/api-docs/auth/approle#update-approle-role-id If the AppRole RoleID did change, a client using it would no longer be able to log in at all, so you would see problems before it ever got to trying to retrieve a value from your generic secrets engines. I wonder if you don't actually have a Vault cluster, but several Vault pods all of which are acting as their own separate Vaults? Please share more information including your Vault configuration file.
Thank you Maxb for your comments. My vault cluster is a single instance. There is only one vault pod. Here is the configuration file.
Anyone else hit this issue? Any comments are appreciated.
Hi Maxb,
This is absolutely not safe at all with
Do you mean the file storage backend isn't safe? Or that it's not safe when a new vault pod is starting up before the old vault pod has stopped?
The second. It's only safe to use any storage backend with multiple Vault processes running simultaneously if it's a storage backend that supports High Availability (and if it supports enabling/disabling High Availability via a configuration option, it needs to be turned on). The HA status of each storage backend is documented on its page under https://developer.hashicorp.com/vault/docs/configuration/storage. https://developer.hashicorp.com/vault/docs/configuration/storage/filesystem says "No High Availability". Although, there was a major bug in the
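As an added illustration of the point made in the comment above (not the reporter's configuration file, which is not shown in this thread), here is a constructed Vault server configuration that swaps the filesystem backend, documented as "No High Availability", for integrated (raft) storage, which supports HA and so tolerates an old and a new pod overlapping during a rolling update. Paths, hostnames and the node name are placeholders.

```hcl
# Constructed example, not from the issue. Replaces the weak setting below,
# which is only safe when exactly one Vault process ever touches the path:
#
#   storage "file" {
#     path = "/vault/data"
#   }

ui            = true
disable_mlock = true   # recommended by HashiCorp when using integrated storage

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"   # placeholder paths
  tls_key_file  = "/vault/tls/tls.key"
}

# Integrated storage: HA-capable, so a second node (e.g. a new pod during a
# rolling update) joins the cluster instead of running as a separate Vault.
storage "raft" {
  path    = "/vault/data"
  node_id = "vault-0"   # must be unique per node
}

# Addresses other nodes and clients use to reach this node (placeholders).
api_addr     = "https://vault-0.vault-internal:8200"
cluster_addr = "https://vault-0.vault-internal:8201"
```

With the file backend, the symptom in this thread (a RoleID that appears to change after a pod restart) is what you would expect if a fresh pod initialised its own empty Vault instead of reading the existing data; a storage backend with HA support removes that failure mode.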
Thank you very much for your very valuable information.
Thanks for helping to get to the bottom of this @maxb. I'm going to close this as it doesn't appear to be a bug. |
I face a problem where the vault approle id is changed somehow.
My application runs Vault in a k8s pod. In the Vault server, I enable a number of secrets engines with given paths including the approle id.
My sensitive information is saved under that path. It worked perfectly for a few months. The clients can get the key values with the path base/APPROLEID/KEYNAME. Last week, I updated the Vault version from 1.8.8 to 1.11.2 with a pod rolling update. Unfortunately, I noticed that the approleId was updated. Consequently, the client can't get values with the path base/NEWAPPROLEID/KEYNAME.
This is the second time I have faced this issue. Last time, I hit the issue without doing any Vault update. It happened after a Vault pod restart.
So I wonder why the approle Id could be changed? It looks more like a bug.