Unable to access MAAS

Hi
I installed maas long back. The version we used is 3.2.6.
Now when I try to access maas it's giving errors. I have attached the screenshots of output of “maas status” and “maas config”. I notice that db information is not present in “maas config”.
Can someone please help me figure out what the issue is?
Thanks in advance.



Looks like you configured vault to keep your secrets. Make sure you have access to vault.

Hi
Thanks a lot for the reply. Yes we upgraded to 3.3 and integrated with vault.
I have approle id and secret id in regiond.conf file.
Even then I am facing this error.
Vault on its own is also fine.

Anything else that needs to be checked?

The exception is “Forbidden - permission denied”, so I would check that the credentials for vault are correct.

Can you use these credentials with vault CLI and they work?

Hi
Thanks a lot for the reply.
When I try to login to vault using approle method using the credentials maas has, this is the output I am getting:
{"errors":["permission denied"]}

Output of vault status is:

Vault login is giving this error:

Error authenticating: error looking up token: Error making API request.

URL: GET http://127.0.0.1:8200/v1/auth/token/lookup-self
Code: 403. Errors:

* permission denied

I exported vault address and vault token. Anything else must be done?

Hello @mounika-alavala ,

It seems that your approle secret has expired. Do you have a way to login to Vault and confirm that? Supposing you know the role id and secret id you can achieve that by using secret-id lookup: https://developer.hashicorp.com/vault/api-docs/auth/approle#read-approle-secret-id

If this is the case you have to generate a new secret ID: https://developer.hashicorp.com/vault/api-docs/auth/approle#generate-new-secret-id

NOTE: To access those URIs you need to login to Vault with roles that allow performing requests on them.

Hi @skatsaounis
Thanks for the reply.
I have used the secret-id lookup.
This is the output:

{"errors":["permission denied"]}

When I try to login to vault I will be using root token with no expiry right? I shouldn’t face any error while logging in to vault right?
Below is the output I got when login was successful. But now I am getting permission denied error. I am using the same token.

vault login <<token>>
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
 
Key                  Value
---                  -----
token                <<token>>
token_accessor       DPOC6KAbQcShhYprdykWuBFX
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Hmm, let’s go one step back. You need to set a VAULT_TOKEN first before trying to run the lookup command. The VAULT_TOKEN needs to be a token that can perform the lookup action. What is your role on this Vault? Are you an admin? If so, you can generate a token by performing login with your account first. Afterwards, with this token you can perform the queries I sent you.

PS. If you haven’t disabled root token yet you can use it. It is considered a good practice to have it disabled (https://developer.hashicorp.com/vault/docs/concepts/tokens#root-tokens) but this is another topic of discussion. If you still have it, use this to save some time.

Can you also try to list the app roles? Let’s confirm that the approle still exists.

This is the path to troubleshoot the expiration time.
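The secret-ID lookup suggested in the replies above, as an added example that is not part of the original thread: it calls the AppRole lookup endpoint and separates "the token used for the lookup was denied" from "the secret ID has expired". The sample responses are constructed, and treating an empty reply as "no such secret ID" is an assumption.

```python
import json
import re
import urllib.error
import urllib.request
from datetime import datetime, timezone

NEVER = "0001-01-01T00:00:00Z"  # Vault's zero time: this secret ID never expires
RFC3339 = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?(Z|[+-]\d\d:\d\d)$")

def lookup_secret_id(addr, token, role_name, secret_id):
    """Call the AppRole secret-id lookup endpoint; returns the parsed JSON body."""
    req = urllib.request.Request(
        f"{addr}/v1/auth/approle/role/{role_name}/secret-id/lookup",
        data=json.dumps({"secret_id": secret_id}).encode(),
        headers={"X-Vault-Token": token}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:  # a 403 still carries a JSON error body
        body = err.read()
    return json.loads(body) if body else {}

def triage(response, now):
    """Return 'caller-token-denied', 'missing', 'expired' or 'valid'."""
    if "permission denied" in response.get("errors", []):
        # The token used for the lookup was rejected; says nothing about the secret ID.
        return "caller-token-denied"
    data = response.get("data")
    if not data:
        return "missing"  # assumption: empty reply means Vault has no such secret ID
    exp = data.get("expiration_time", NEVER)
    if exp == NEVER:
        return "valid"
    m = RFC3339.match(exp)
    if not m:
        raise ValueError(f"unexpected expiration_time: {exp!r}")
    base, tz = m.groups()  # drop fractional seconds, keep the UTC offset
    expires = datetime.fromisoformat(base + ("+00:00" if tz == "Z" else tz))
    return "expired" if expires <= now else "valid"

# Constructed sample responses (not taken from the thread's Vault).
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
DENIED = {"errors": ["permission denied"]}
EXPIRED = {"data": {"expiration_time": "2023-05-01T10:00:00.123456789Z", "secret_id_ttl": 2592000}}
NO_TTL = {"data": {"expiration_time": NEVER, "secret_id_ttl": 0}}

if __name__ == "__main__":
    for name, resp in [("denied", DENIED), ("expired", EXPIRED), ("no ttl", NO_TTL)]:
        print(name, "->", triage(resp, NOW))
```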

I have the root token and I haven’t disabled it yet. But when I use it in “vault login” command, it says permission denied.
Except for vault status every vault cli command is giving permission denied.

This is the documentation we followed to integrate maas with vault : How to use Vault to protect your MAAS secrets

Policy file:

path "secret/metadata/maas/" {
        capabilities = ["list"]
}
 
path "secret/metadata/maas/*" {
        capabilities = ["read", "update", "delete", "list"]
}
 
path "secret/data/maas/*" {
        capabilities = ["read", "create", "update", "delete"]
}

The role of maas application is admin.

I have one more query, if I remove this vault, start everything from scratch and try to integrate again with maas, what all will be affected?

vault status is an unauthenticated command. It will succeed even if you will not provide a token. Do you have access to Vault web interface? If yes, can you try to login with the root token and then access secrets, settings, secret-engines, etc.?

Regarding setting up a new Vault: I haven’t tested it, but in theory you could create a new Vault, set up everything again on the Vault side, and then, instead of running maas vault migrate, manually copy all secrets from the existing Vault to the new Vault under the same names inside the key value v2 secret engine. Let me put it in bold for emphasis: it hasn’t been tested.

My five cents: Let’s try first to solve the token and secret validity and expiration date before proceeding with any risky operation.