Unable to leverage `vault_aws_engine` with HashiCorp Vault Enterprise - No authentication
brlara-mt opened this issue
Overview of the Issue
When attempting to use the `vault_aws_engine` functionality, I continuously receive a 403 response from HashiCorp Vault. We are attempting to reduce secrets sprawl in our build environment while trying to deploy a different HashiCorp product on AWS. However, when we attempt to use the EC2 builder with EBS we are unable to get past the pre-flight validation check with credentials. It's important to note that we are using HashiCorp Vault Enterprise, and the secret we are attempting to receive resides in a namespace that is a multi-level child of the root namespace.
Reproduction Steps
Steps to reproduce this issue
- Create the following Packer HCL configuration and export the following environment variables:
Environment Variables

```shell
export VAULT_ADDR="https://my.vault.cluster:8200"
export VAULT_NAMESPACE="my/namespace"
export VAULT_TOKEN="validToken"
```
Packer Config

```hcl
source "amazon-ebs" "basic-example" {
  region        = "us-gov-east-1"
  instance_type = "t2.micro"
  ssh_username  = "rhel"
  ami_name      = "packer_AWS {{timestamp}}"

  vault_aws_engine {
    name        = "myrole"
    engine_name = "my/namespace/my/engine"
    ttl         = "3600s"
  }

  source_ami_filter {
    filters = {
      virtualization-type = "hvm"
      name                = "RHEL-8*-x86_64-*"
      root-device-type    = "ebs"
    }
    owners      = ["309956199498"]
    most_recent = true
  }

  vpc_id    = <redacted>
  subnet_id = <redacted>
}

build {
  sources = [
    "source.amazon-ebs.basic-example"
  ]
}
```
- Execute a `packer build` with the configuration file:
Output

```
packer build mybuild.pkr.hcl
Error: 1 error(s) occurred:

* Error reading vault secret: Error making API request.

URL: GET https://my.vault.cluster:8200/v1/my/namespace/my/engine/creds/myrole
Code: 403. Errors:

* 1 error occurred:
	* permission denied

  on mybuild.pkr.hcl line 8:
  (source code not available)
```
Plugin and Packer version
From `packer version`:

```
Packer v1.8.6
```
I've come across this function, `GetCredsFromVault()`, which seems to ignore the `VAULT_TOKEN` and `VAULT_ADDR` environment variables in favor of using the `DefaultConfig` struct from the Vault API library. Is this anticipated to resolve the Vault token for us? See the following code block:
```go
// ...
func (c *AccessConfig) GetCredsFromVault() error {
	// const EnvVaultAddress = "VAULT_ADDR"
	// const EnvVaultToken = "VAULT_TOKEN"
	vaultConfig := vaultapi.DefaultConfig()
	cli, err := vaultapi.NewClient(vaultConfig)
	if err != nil {
		return fmt.Errorf("Error getting Vault client: %s", err)
	}
	if c.VaultAWSEngine.EngineName == "" {
		c.VaultAWSEngine.EngineName = "aws"
	}
	secret, err := c.getCredsFromVault(cli)
// ...
```
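The request that the 403 above reports is `GET /v1/<engine_name>/creds/<name>`, while the namespace from `VAULT_NAMESPACE` travels separately in the `X-Vault-Namespace` header, and Vault resolves a request by prefixing that header namespace to the URL path. The following is an added example (not part of this issue, the Packer plugin, or the Vault API library) that mimics in simplified form how the Vault Go client sources `VAULT_ADDR`, `VAULT_TOKEN` and `VAULT_NAMESPACE` from the environment (that recent client versions read `VAULT_NAMESPACE` as well is an assumption here), and pairs it with a constructed fake Vault server that accepts exactly one effective path and answers `403 permission denied` for anything else. It lets a practitioner see, offline, which effective path the server ends up checking for a given `engine_name` when a namespace is also set in the environment. The role, mount names and token are the ones from the issue, reused purely as sample values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// Client is a simplified stand-in for the settings that
// vaultapi.DefaultConfig()/NewClient pick up from the environment
// (illustrative only, not the library's own code).
type Client struct {
	Addr      string
	Token     string
	Namespace string
}

// NewClientFromEnv reads the three environment variables the issue exports.
func NewClientFromEnv() Client {
	return Client{
		Addr:      os.Getenv("VAULT_ADDR"),
		Token:     os.Getenv("VAULT_TOKEN"),
		Namespace: os.Getenv("VAULT_NAMESPACE"),
	}
}

// CredsRequest builds the request shape seen in the 403 output:
// GET {addr}/v1/{engine}/creds/{role}. The namespace is NOT part of the
// URL; it is carried in the X-Vault-Namespace header.
func (c Client) CredsRequest(engine, role string) (*http.Request, error) {
	url := fmt.Sprintf("%s/v1/%s/creds/%s", c.Addr, strings.Trim(engine, "/"), role)
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	if c.Namespace != "" {
		req.Header.Set("X-Vault-Namespace", c.Namespace)
	}
	return req, nil
}

// EffectivePath models how Vault resolves a namespaced request: the header
// namespace is prepended to the URL path (after the /v1/ prefix).
func EffectivePath(namespaceHeader, urlPath string) string {
	p := strings.TrimPrefix(urlPath, "/v1/")
	ns := strings.Trim(namespaceHeader, "/")
	if ns == "" {
		return p
	}
	return ns + "/" + p
}

// NewFakeVault returns a constructed test server that allows exactly one
// effective path for one token and mirrors the issue's error body otherwise.
func NewFakeVault(allowedPath, validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		eff := EffectivePath(r.Header.Get("X-Vault-Namespace"), r.URL.Path)
		if r.Header.Get("X-Vault-Token") != validToken || eff != allowedPath {
			w.WriteHeader(http.StatusForbidden)
			fmt.Fprint(w, `{"errors":["1 error occurred:\n\t* permission denied\n\n"]}`)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"data":{"access_key":"CONSTRUCTED","secret_key":"CONSTRUCTED"}}`)
	}))
}

// FetchCreds sends the request and returns the HTTP status plus the
// effective path the server resolved, so both can be inspected.
func FetchCreds(c Client, engine, role string) (int, string, error) {
	req, err := c.CredsRequest(engine, role)
	if err != nil {
		return 0, "", err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, EffectivePath(req.Header.Get("X-Vault-Namespace"), req.URL.Path), nil
}

func main() {
	// The fake server only knows the mount my/engine inside namespace my/namespace.
	srv := NewFakeVault("my/namespace/my/engine/creds/myrole", "validToken")
	defer srv.Close()
	os.Setenv("VAULT_ADDR", srv.URL)
	os.Setenv("VAULT_TOKEN", "validToken")
	os.Setenv("VAULT_NAMESPACE", "my/namespace")
	c := NewClientFromEnv()
	for _, engine := range []string{"my/engine", "my/namespace/my/engine"} {
		code, eff, err := FetchCreds(c, engine, "myrole")
		fmt.Printf("engine_name=%q -> server resolves %q -> HTTP %d (err=%v)\n", engine, eff, code, err)
	}
}
```

Running it prints one line per `engine_name` showing the path the server actually authorizes against; comparing that line with the `URL:` line in a real 403 (and with the namespace the token's policies live in) is a quick way to tell a path-resolution mismatch apart from a genuine policy denial before opening a Vault audit log.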