salt: Salt-master doesn't renew vault token

Description of Issue/Question

Vault allows for an issued token to be renewed while it is still active. When the salt-master is configured to use token auth, it does not attempt to renew the token; instead, it lets it expire and then fails.

This seems like poor behavior, especially since the other auth method, approle, appears to validate whether it's expired and request a new token. (Older versions of salt do not support approle.)

It would be beneficial if the salt-master monitored the remaining time to live of its configured token and renewed it.

Setup


/etc/salt/master.d/vault.conf
vault:
  url: http://avault.server:8200
  auth:
    method: token
    token: randomjunkhere

Steps to Reproduce Issue

Provision a token with the appropriate policies, wait until the TTL expires, and be unable to access Vault.

Versions Report


salt --versions-report
Salt Version:
           Salt: 2017.7.8

Dependency Versions:
           cffi: 1.5.2
       cherrypy: Not Installed
       dateutil: 2.4.2
      docker-py: Not Installed
          gitdb: 2.0.3
      gitpython: 2.1.10
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: 0.24.0
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.3
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.24.0
         Python: 2.7.12 (default, Nov 12 2018, 14:36:49)
   python-gnupg: 0.3.8
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: 2.0.3
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: Ubuntu 16.04 xenial
         locale: UTF-8
        machine: x86_64
        release: 4.4.0-1075-aws
         system: Linux
        version: Ubuntu 16.04 xenial
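The behaviour the report asks for, as an added example that is not salt-master code: a periodic pass that reads the token's remaining TTL through lookup-self, renews it through renew-self while it is renewable and has dropped below a fraction of its creation TTL, and falls back to an AppRole login when Vault refuses the renewal or caps it at the token's max TTL (the case where renewal alone cannot save the token). The names VaultHTTP, decide, keep_alive, FakeVault and the min_fraction threshold are this example's own; FakeVault is a constructed stand-in for a Vault server so the code runs offline, and the real client would be VaultHTTP pointed at the url from the master config.

```python
"""Keep a Vault token alive: renew it before expiry, and re-login through AppRole
when it cannot be renewed further. Added example, not salt code; names are ours."""
import json
import urllib.request


class VaultHTTP:
    """Minimal client over Vault's HTTP API, limited to the calls needed here."""

    def __init__(self, url, token=None):
        self.url = url.rstrip("/")
        self.token = token

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request("%s/v1/%s" % (self.url, path), data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("X-Vault-Token", self.token)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")

    def lookup_self(self):
        # data.ttl = seconds left, data.creation_ttl = TTL at issue, data.renewable
        return self._call("GET", "auth/token/lookup-self")["data"]

    def renew_self(self):
        # auth.lease_duration = the new TTL; Vault caps it at the token's max TTL
        return self._call("POST", "auth/token/renew-self")["auth"]

    def approle_login(self, role_id, secret_id):
        auth = self._call("POST", "auth/approle/login",
                          {"role_id": role_id, "secret_id": secret_id})["auth"]
        self.token = auth["client_token"]
        return auth


def decide(info, min_fraction=0.25):
    """Map a lookup-self 'data' dict to 'ok', 'renew' or 'relogin'."""
    ttl, creation_ttl = int(info.get("ttl", 0)), int(info.get("creation_ttl", 0))
    if creation_ttl == 0:                      # root / non-expiring token
        return "ok"
    if ttl > creation_ttl * min_fraction:      # still comfortably inside the TTL
        return "ok"
    return "renew" if info.get("renewable") else "relogin"


def keep_alive(client, login=None, min_fraction=0.25):
    """One maintenance pass; run it from a periodic job. `login` is an optional
    (role_id, secret_id) pair used when the token is, or has become, non-renewable."""
    info = client.lookup_self()
    action = decide(info, min_fraction)
    if action == "renew":
        new_ttl = int(client.renew_self()["lease_duration"])
        if new_ttl > int(info["creation_ttl"]) * min_fraction:
            return "renewed"
        action = "relogin"      # renewal was capped by max TTL: token is nearly dead
    if action == "relogin":
        if login is None:
            raise RuntimeError("token cannot be renewed and no AppRole credentials set")
        client.approle_login(*login)
        return "relogged-in"
    return "ok"


class FakeVault:
    """Constructed stand-in for a Vault server so the example runs offline.
    Models one token with a creation TTL and a hard max TTL, plus AppRole login."""

    def __init__(self, ttl, creation_ttl, max_ttl, renewable=True):
        self.ttl, self.creation_ttl, self.max_ttl = ttl, creation_ttl, max_ttl
        self.max_remaining, self.renewable, self.logins = max_ttl, renewable, 0

    def tick(self, seconds):                   # simulate wall-clock time passing
        self.ttl = max(0, self.ttl - seconds)
        self.max_remaining = max(0, self.max_remaining - seconds)

    def lookup_self(self):
        return {"ttl": self.ttl, "creation_ttl": self.creation_ttl,
                "renewable": self.renewable}

    def renew_self(self):
        if not self.renewable:
            raise RuntimeError("403: token is not renewable")
        self.ttl = min(self.creation_ttl, self.max_remaining)   # Vault's max-TTL cap
        return {"lease_duration": self.ttl}

    def approle_login(self, role_id, secret_id):
        self.logins += 1
        self.ttl, self.max_remaining, self.renewable = self.creation_ttl, self.max_ttl, True
        return {"client_token": "s.fake%d" % self.logins, "lease_duration": self.ttl}


if __name__ == "__main__":
    # Real use: VaultHTTP("http://avault.server:8200", token) in place of FakeVault.
    vault = FakeVault(ttl=3600, creation_ttl=3600, max_ttl=7200)
    for elapsed in (0, 3000, 3000, 600):
        vault.tick(elapsed)
        print(keep_alive(vault, login=("role-id", "secret-id")), "ttl now", vault.ttl)
```

The threshold is a fraction of the creation TTL rather than a fixed number of seconds so the same job works for tokens with very different lifetimes, and the post-renewal check matters: Vault does not error when it caps a renewal at the max TTL, it just hands back a shorter lease, so a loop that only calls renew-self would still let the token die.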

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 18 (6 by maintainers)

Most upvoted comments

@ptitdoc Thanks. How did you set up that policy and approle in vault to get salt to be happy with it?

I’ve copied yours to test and salt is reporting “Bad: Request” with no other debug I can find atm.

It's currently working; I only need to reset the secret-id every month because of the TTL, using:
vault write -f auth/approle/role/saltmaster/secret-id

https://github.com/hashicorp/vault/issues/5445

So there are two ways around it:

1/ Change the secret_id_ttl by providing a TTL in seconds, but it is buggy. If you exceed 999999 seconds, it will just show 768h of TTL when writing a new secret-id:
vault write auth/approle/role/saltmaster secret_id_ttl=999999
vault write -f auth/approle/role/saltmaster/secret-id

2/ Set the secret_id_ttl to zero to disable the TTL completely:
vault write auth/approle/role/saltmaster secret_id_ttl=0
vault write -f auth/approle/role/saltmaster/secret-id


Thanks for the input, I really appreciate it 😃