docker: Permission denied after successfully integrating AppRole between Vault Agent and the Vault server

sgtfey8w published on 2022-11-22 in Docker

I use docker-compose to provide 2 services: vault-agent and the vault server, both using the hashicorp/vault:latest docker image for development on my local machine. I run the vault server in dev mode: vault server -dev. I run vault-agent as vault agent -log-level debug -config=/helpers/vault-agent.hcl, and vault-agent.hcl is:

pid_file = "./pidfile"

vault {
  address = "https://vault_dev:8200"
  retry {
    num_retries = 5
  }
}

auto_auth {
  method {
    type = "approle"

    config = {
      role_id_file_path = "/helpers/role_id"
      secret_id_file_path = "/helpers/secret_id"
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    config = {
      path = "/helpers/sink_file"
    }
  }
}

cache {
  use_auto_auth_token = true
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = true
}

I use approle authentication between vault-agent and the vault server, so I ran the following commands:

vault secrets enable -version=2 kv
vault auth enable approle
vault policy write admin-policy /helpers/admin-policy.hcl
vault write auth/approle/role/dev-role token_policies="admin-policy"

admin-policy.hcl is:

# Read system health check
path "sys/health"
{
  capabilities = ["read", "sudo"]
}

# Create and manage ACL policies broadly across Vault

# List existing policies
path "sys/policies/acl"
{
  capabilities = ["list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Enable and manage authentication methods broadly across Vault

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*"
{
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth"
{
  capabilities = ["read"]
}

# Enable and manage the key/value secrets engine at `kv/` path

# List, create, update, and delete key/value secrets
path "kv/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List, create, update, and delete key/value secrets
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage Entities and Entity alias
path "identity/entity-alias"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity-alias/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "identity/entity"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "identity/entity/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets engines
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines.
path "sys/mounts"
{
  capabilities = ["read"]
}

But when I run vault kv put secret/hello foo=bar from inside the vault-agent container, I get the following error:

Error making API request.

URL: GET http://vault_dev:8200/v1/sys/internal/ui/mounts/secret/hello
Code: 403. Errors:

* permission denied

If I run export VAULT_TOKEN=root and then run vault kv put secret/hello foo=bar, it works. So I guess the communication between vault-agent and the vault server works, and I also don't see any errors logged in the vault-agent container (only INFO messages), but I still need a token to perform operations against vault-agent, even though the whole point of vault-agent is to delegate authentication to the agent. What am I missing?

jhdbpxl9 1#

At this point you have enabled AppRole authentication and created an AppRole path for authentication with a role bound to the policy. Now you need:

vault read auth/approle/role/dev-role/role-id

to retrieve the role_id,

vault write -f auth/approle/role/dev-role/secret-id

to retrieve the secret_id in push mode, and then

vault write auth/approle/login role_id=<role id> secret_id=<secret id>

to retrieve the token used for authentication. You can then use that token with vault login, or set it as the VAULT_TOKEN environment variable.
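The three CLI steps in this answer, replayed as direct calls to Vault's HTTP API, as an added example that is not part of the answer or of HashiCorp's tooling. It assumes VAULT_ADDR and an admin VAULT_TOKEN in the environment and uses the page's dev-role name; the sample login reply is constructed.

```python
import json
import os
import urllib.request

# API paths behind `vault read`, `vault write -f` and `vault write auth/approle/login`.
ROLE_ID_PATH = "/v1/auth/approle/role/{role}/role-id"
SECRET_ID_PATH = "/v1/auth/approle/role/{role}/secret-id"
LOGIN_PATH = "/v1/auth/approle/login"

# Constructed sample of a successful login reply (not a real token).
SAMPLE_LOGIN_RESPONSE = {
    "auth": {
        "client_token": "hvs.EXAMPLE-constructed-token",
        "policies": ["admin-policy", "default"],
        "lease_duration": 2764800,
        "renewable": True,
    }
}


def _call(addr, path, token=None, body=None):
    """One Vault API request: GET when body is None, otherwise POST JSON."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(addr.rstrip("/") + path, data=data,
                                 method="GET" if data is None else "POST")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)  # the login call itself sends no token
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def client_token(login_response):
    """Return (token, policies) from a login reply, or raise with Vault's error list."""
    auth = login_response.get("auth") or {}
    if "client_token" not in auth:
        raise ValueError("no auth.client_token in reply: %s" % login_response.get("errors"))
    return auth["client_token"], auth.get("policies", [])


def approle_login(addr, role, admin_token):
    """Fetch role_id, generate a secret_id (push mode), then log in with both."""
    role_id = _call(addr, ROLE_ID_PATH.format(role=role), admin_token)["data"]["role_id"]
    secret_id = _call(addr, SECRET_ID_PATH.format(role=role), admin_token, {})["data"]["secret_id"]
    return client_token(_call(addr, LOGIN_PATH, body={"role_id": role_id, "secret_id": secret_id}))


if __name__ == "__main__":
    token, policies = approle_login(os.environ["VAULT_ADDR"], "dev-role", os.environ["VAULT_TOKEN"])
    print("export VAULT_TOKEN=%s  # policies: %s" % (token, ", ".join(policies)))
```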

xbp102n0 2#

When I try to run a command like vault secrets enable -version=2 kv in the Web UI, it tells me the only valid commands are read, write, delete and list.
