I am facing an issue logging in to the OpenShift approle created using the Kubernetes auth method for Vault authentication.
This could be a similar or the same issue as in the URL below, #49
I have Vault running in Minishift, exactly following this URL: https://medium.com/hashicorp-engineering/vault-kubernetes-auth-method-for-openshift-9b9155590a6d?
On the OpenShift side, I executed the commands below.
Create OC project and token reviewer JWT:
oc login -u system:admin
oc new-project vault-demo
oc projects
oc create sa vault-auth
Create Cluster role binding for vault-auth
oc adm policy add-cluster-role-to-user system:auth-delegator system:serviceaccount:vault-demo:vault-auth
oc serviceaccounts get-token vault-auth > reviewer_sa_jwt.txt
Let's create two more service accounts for applications
oc create sa app1
oc create sa app2
My Vault address is as below.
~/github/hashitvault$ echo $VAULT_ADDR
http://vault-myproject.192.168.42.186.nip.io
I am seeing the error below when logging in to "$VAULT_ADDR/v1/auth/ocp/login"
desktop-e470:~/hashitvault$ curl --request POST --data @payload.json "${VAULT_ADDR}/v1/auth/ocp/login"
{"errors":["service account name not authorized"]}
Below are the Vault commands executed as part of this exercise.
desktop-e470:~/hashitvault$ vault policy write app1-policy app1-policy.hcl
Success! Uploaded policy: app1-policy
desktop-e470:~/hashitvault$ cat app1-policy.hcl
path "secret/app1" {
capabilities = ["read", "list"]
}
path "database/creds/app1" {
capabilities = ["read", "list"]
}
desktop-e470:~/hashitvault$ vault policy read app1-policy
path "secret/app1" {
capabilities = ["read", "list"]
}
path "database/creds/app1" {
capabilities = ["read", "list"]
}
desktop-e470:~/hashitvault$ vault kv put secret/app1 username=app1 password=supasecr3t
Key Value
created_time 2019-12-19T16:23:58.402322163Z
deletion_time n/a
destroyed false
version 1
desktop-e470:~/hashitvault$ vault write "auth/ocp/config" \
token_reviewer_jwt="${reviewer_jwt}" \
kubernetes_host="http://192.168.42.186:8443" \
kubernetes_ca_cert=@/home/apurb/.minishift/ca.pem
Success! Data written to: auth/ocp/config
desktop-e470:~/hashitvault$ vault write "auth/ocp/role/app1-role" \
bound_service_account_names="default,app1" \
bound_service_account_namespaces="vault-demo" \
policies="app1-policy" ttl=1h
Success! Data written to: auth/ocp/role/app1-role
desktop-e470:~/hashitvault$ reviewer_jwt="$(cat reviewer_sa_jwt.txt)"
desktop-e470:~/hashitvault$ vault write "auth/ocp/config" token_reviewer_jwt="${reviewer_jwt}" kubernetes_host="http://192.168.42.186:8443" kubernetes_ca_cert=@/home/apurb/.minishift/ca.pem
Success! Data written to: auth/ocp/config
desktop-e470:~/hashitvault$ vault write "auth/ocp/role/app1-role" bound_service_account_names="default,app1" bound_service_account_namespaces="vault-demo" policies="app1-policy" ttl=1h
Success! Data written to: auth/ocp/role/app1-role
desktop-e470:~/hashitvault$ curl -H "X-Vault-Token: s.hswgw3TIjDCTNmxbUSfT5hbP" \
"${VAULT_ADDR}/v1/secret/data/app1"
{"request_id":"06846c6f-7405-19f0-971b-f4715ae7b180","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"password":"supasecr3t","username":"app1"},"metadata":{"created_time":"2019-12-19T16:23:58.402322163Z","deletion_time":"","destroyed":false,"version":1}},"wrap_info":null,"warnings":null,"auth":null}
cat payload.json
{ "role":"app1-role", "jwt":"eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ2YXVsdC1kZW1vIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InZhdWx0LWF1dGgtdG9rZW4taHd4NjciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidmF1bHQtYXV0aCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjFjNDIxNWQyLTIyN2MtMTFlYS05YjZmLTUyNTQwMDk4YWMzOSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDp2YXVsdC1kZW1vOnZhdWx0LWF1dGgifQ.XzvbWRi2DUKnNzYoZYyJfKqHgQdxv8jg_75nHhmqTHAiYuz4-ABaqJokUTlrQGwsvw41V4rqEmc0CVF3MK_jgyUZzmpGnCNMySkRyYQw9TChhHUmOQDH9AKj6OOFcmAV811sQu9-qvVav4QlJPIW4cm6dHe-XHSNxuzqJ7OWScezqVDYaiWXBkcFpzEEisV6puXA7o5Npg-so2u0lW9bGEe9UP363ZyR3AYZ_rlZoRB-Gq7exGlN2TII0xUZDaBwbf9vDE_i3Zs_HFdNSBGsVFsG3-Xlw_iUTPTGTehDkSX7koYTT8GzjS9KR94TMVZdPLGH6txF4QfaRnWAvKgvOg" }
desktop-e470:~/hashitvault$ curl --request POST --data @payload.json "${VAULT_ADDR}/v1/auth/ocp/login"
{"errors":["service account name not authorized"]}
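The following is an added diagnostic example, not code from the issue, from Vault or from the Kubernetes auth plugin. It decodes the claims of the JWT posted in payload.json above and applies the same role-binding rule Vault applies after a successful TokenReview: the token's service account name and namespace must appear in the role's `bound_service_account_names` and `bound_service_account_namespaces` (or the list must be `*`). It deliberately does not verify the signature, which Vault delegates to the Kubernetes TokenReview API using `token_reviewer_jwt`. The second reason string, for a namespace mismatch, is an assumption modelled on the first one's format, and `make_unsigned_jwt` builds a constructed token purely to show the passing case.

```python
import base64
import json

# Login JWT copied from the issue's payload.json.
ISSUE_JWT = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9."
    "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ2YXVsdC1kZW1vIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InZhdWx0LWF1dGgtdG9rZW4taHd4NjciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidmF1bHQtYXV0aCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjFjNDIxNWQyLTIyN2MtMTFlYS05YjZmLTUyNTQwMDk4YWMzOSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDp2YXVsdC1kZW1vOnZhdWx0LWF1dGgifQ."
    "XzvbWRi2DUKnNzYoZYyJfKqHgQdxv8jg_75nHhmqTHAiYuz4-ABaqJokUTlrQGwsvw41V4rqEmc0CVF3MK_jgyUZzmpGnCNMySkRyYQw9TChhHUmOQDH9AKj6OOFcmAV811sQu9-qvVav4QlJPIW4cm6dHe-XHSNxuzqJ7OWScezqVDYaiWXBkcFpzEEisV6puXA7o5Npg-so2u0lW9bGEe9UP363ZyR3AYZ_rlZoRB-Gq7exGlN2TII0xUZDaBwbf9vDE_i3Zs_HFdNSBGsVFsG3-Xlw_iUTPTGTehDkSX7koYTT8GzjS9KR94TMVZdPLGH6txF4QfaRnWAvKgvOg"
)

# The role exactly as written in the issue ("vault write auth/ocp/role/app1-role ...").
ROLE_APP1 = {
    "bound_service_account_names": ["default", "app1"],
    "bound_service_account_namespaces": ["vault-demo"],
}

NAME_CLAIM = "kubernetes.io/serviceaccount/service-account.name"
NS_CLAIM = "kubernetes.io/serviceaccount/namespace"


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT. No signature check: diagnosis only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def service_account_identity(claims: dict):
    """Return (namespace, name) from the legacy SA claims, falling back to 'sub'."""
    ns, name = claims.get(NS_CLAIM), claims.get(NAME_CLAIM)
    if ns is None or name is None:
        prefix = "system:serviceaccount:"
        sub = claims.get("sub", "")
        if sub.startswith(prefix):
            ns, _, name = sub[len(prefix):].partition(":")
    return ns, name


def check_role_binding(jwt: str, role: dict) -> dict:
    """Apply the bound_service_account_* rule and report Vault-style reasons."""
    ns, name = service_account_identity(decode_claims(jwt))
    names = role["bound_service_account_names"]
    namespaces = role["bound_service_account_namespaces"]
    errors = []
    if "*" not in names and name not in names:
        errors.append("service account name not authorized")  # string seen in the issue
    if "*" not in namespaces and ns not in namespaces:
        errors.append("namespace not authorized")  # assumed wording, same format
    return {"service_account": f"{ns}:{name}", "errors": errors}


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed token with a placeholder signature, for the local check only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'kid': ''})}.{b64(claims)}.SIGNATURE-PLACEHOLDER"


# Constructed claims for the app1 service account, as its own token would carry them.
APP1_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    NS_CLAIM: "vault-demo",
    NAME_CLAIM: "app1",
    "sub": "system:serviceaccount:vault-demo:app1",
}

if __name__ == "__main__":
    print("issue token  :", check_role_binding(ISSUE_JWT, ROLE_APP1))
    print("app1 token   :", check_role_binding(make_unsigned_jwt(APP1_CLAIMS), ROLE_APP1))
```

Running it shows that the token in payload.json identifies `vault-demo:vault-auth`, the reviewer service account whose token was saved to reviewer_sa_jwt.txt, while the role only binds `default` and `app1`; the same check passes for a token minted for the `app1` service account. The reviewer token is meant only for the `token_reviewer_jwt` setting in `auth/ocp/config`; each application logs in with its own service account token (in a pod, the one mounted at /var/run/secrets/kubernetes.io/serviceaccount/token).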