HashiCorp VaultSecretProvider Reauthentication and Max Token TTL #40

danielhass opened this issue Sep 7, 2022 · 2 comments

@danielhass

Dear Maintainers,

I'm currently running into an issue with the VaultSecretProvider that from my current understanding is subject to a design flaw.

We are using the AppRole authentication method that allows the Vault client to generate a token with a max TTL of 60m. After the Kafka Connect startup the VaultSecretProvider works fine for 60 minutes and afterwards starts to throw the following error:

    WARN Failed to renew the Kerberos ticket (io.lenses.connect.secrets.async.AsyncFunctionLoop:43)
    com.bettercloud.vault.VaultException: Vault responded with HTTP status code: 403
    Response body: {"errors":["permission denied"]}

From my understanding this is caused by the AsyncFunctionLoop that tries to renew the Vault token on a fixed period (default 60000ms). Due to the fact that our current AppRole is set up to generate non-periodic tokens (which is the default), these tokens are not renewable indefinitely.

Docs Ref HashiCorp: https://www.vaultproject.io/docs/concepts/tokens#periodic-tokens

For me the current VaultSecretProvider looks like it only supports the usage of periodic tokens (which are kind of special in the Vault universe). Standard service tokens that are subject to a max TTL should all run into the same problem sooner or later.

We have several Vault Agents running in our infrastructure which I would consider something like a "reference implementation" for automatic daemon-like token renewals. These agents renew the service tokens until their max TTL is reached and issue a reauthentication afterwards to acquire a fresh token. This however doesn't seem to be possible with the VaultSecretProvider as it only authenticates once on the provider's configure() call.

I would like to get some insights from other users and/or the maintainers on this problem and how they handle it. I would like to make sure that I'm not missing something here.
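To make the token lifecycle described above concrete, here is an added example in Python; it is not code from the Lenses secret provider, from HashiCorp, or from any commenter in this thread. It models a Vault server just far enough to reproduce the failure: service tokens whose renewal is capped at the max TTL and which are revoked (and therefore answer "permission denied") once they expire, versus periodic tokens that reset to their period on every renewal. Two renewal loops run against that model: one that logs in once and renews on a fixed timer (the pattern the issue attributes to AsyncFunctionLoop), and one that re-authenticates when a renewal comes back capped (the Vault Agent behaviour the issue cites as the reference). The mock, the TTL values (20s token TTL, 60s max TTL, 15s period), the 10s renewal interval and the accessor names are all assumptions made for the simulation.

```python
"""Added example: a constructed model of Vault token renewal. Not the secret
provider's code and not HashiCorp's API; all TTLs and names are made up."""
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Stand-in for Vault's HTTP 403 {"errors":["permission denied"]}: the
    token being renewed expired and was revoked, so Vault no longer knows it."""


@dataclass
class Token:
    accessor: str
    created_at: int   # seconds on the simulated clock
    expires_at: int
    max_ttl: int      # hard lifetime cap for non-periodic service tokens
    period: int       # > 0 marks a periodic token, to which no max TTL applies

    def remaining(self, now: int) -> int:
        return max(0, self.expires_at - now)


class MockVault:
    """Constructed stand-in for a Vault server. Only renewal behaviour is
    modelled: a renewal past the max TTL is capped rather than refused, and an
    expired token is revoked, after which any call with it is a 403."""

    def __init__(self, token_ttl=20, token_max_ttl=60, period=0):
        self.now = 0
        self.token_ttl, self.token_max_ttl, self.period = token_ttl, token_max_ttl, period
        self.tokens = {}
        self.logins = 0

    def tick(self, seconds):
        self.now += seconds
        # Revoke whatever has expired; later renewals of it raise PermissionDenied.
        self.tokens = {a: t for a, t in self.tokens.items() if t.expires_at > self.now}

    def approle_login(self):
        """Models auth/approle/login: a brand-new token with a new accessor."""
        self.logins += 1
        ttl = self.period or self.token_ttl
        tok = Token(f"accessor-{self.logins}", self.now, self.now + ttl,
                    self.token_max_ttl, self.period)
        self.tokens[tok.accessor] = tok
        return tok

    def renew_self(self, accessor, increment):
        """Models auth/token/renew-self, including the max-TTL cap."""
        tok = self.tokens.get(accessor)
        if tok is None:
            raise PermissionDenied("permission denied")
        if tok.period:
            tok.expires_at = self.now + tok.period                 # periodic: never capped
        else:
            cap = tok.created_at + tok.max_ttl
            tok.expires_at = min(self.now + increment, cap)        # capped, not rejected
        return tok


def fixed_period_renewer(vault, interval, total, increment=20):
    """Authenticate once (as in configure()) and then renew on a fixed timer
    forever, never logging in again. Returns counts of failed renewals/logins."""
    tok = vault.approle_login()
    failures = 0
    for _ in range(total // interval):
        vault.tick(interval)
        try:
            vault.renew_self(tok.accessor, increment)
        except PermissionDenied:
            failures += 1   # the WARN ... 403 permission denied seen in the logs
    return {"failures": failures, "logins": vault.logins}


def agent_style_renewer(vault, interval, total, increment=20):
    """Renew until the max TTL caps the renewal, then re-authenticate before the
    token expires. Returns counts of failed renewals and logins."""
    tok = vault.approle_login()
    failures = 0
    for _ in range(total // interval):
        vault.tick(interval)
        try:
            tok = vault.renew_self(tok.accessor, increment)
        except PermissionDenied:
            failures += 1
            tok = vault.approle_login()   # defensive path: token already revoked
            continue
        # A renewal that left no more than one interval of TTL was capped by the
        # max TTL; the token will not survive to the next run, so log in again now.
        if tok.remaining(vault.now) <= interval:
            tok = vault.approle_login()
    return {"failures": failures, "logins": vault.logins}


if __name__ == "__main__":
    print("fixed timer, service token:  ", fixed_period_renewer(MockVault(), 10, 120))
    print("agent-style, service token:  ", agent_style_renewer(MockVault(), 10, 120))
    print("fixed timer, periodic token: ", fixed_period_renewer(MockVault(period=15), 10, 120))
```

With the assumed values, the fixed-timer loop renews successfully five times, is capped at the 60s max TTL on the fifth renewal, and then fails every 10s for the rest of the run with the simulated 403, while the agent-style loop finishes with zero failures and three logins. Against periodic tokens the fixed-timer loop never fails, which is the observation in the issue that only periodic tokens work with a renew-only design. The capped-renewal check (`remaining <= interval`) is what turns a renewer into something that survives a max TTL; a real implementation would also look at the `renewable` flag and `lease_duration` Vault returns on renew-self rather than rely on a fixed interval.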

@usopp

usopp commented Nov 7, 2023

Same problem here. We use AppRole auth and are running into the same error.

@mcl085

mcl085 commented Jan 24, 2024

Hi, I have the same problem here. I'm using the Kubernetes role implementation.

Does anybody have some insights about that?

[2024-01-23 18:02:48,461] WARN Failed to run function Vault Token Renewal (io.lenses.connect.secrets.async.AsyncFunctionLoop:44)
io.github.jopenlibs.vault.VaultException: Vault responded with HTTP status code: 403
Response body: {"errors":["permission denied"]}

4 participants