
Unable to create new GCP roleset, Vault server crashes #4344

Closed
naveg opened this issue Apr 12, 2018 · 1 comment

Comments


naveg commented Apr 12, 2018

Environment:

  • Vault Version: v0.10.0
  • Operating System/Architecture: Arch Linux, kernel 4.15.5

Vault Config File:

/*
 * Vault configuration. See: https://vaultproject.io/docs/config/
 */

backend "file" {
	path = "/var/lib/vault"
}

listener "tcp" {
	/*
	 * By default Vault listens on localhost only.
	 * Make sure to enable TLS support otherwise.
	 */
	tls_disable = 1
}

Startup Log Output:

Apr 12 11:47:00 reeko systemd[1]: Started Vault server.
Apr 12 11:47:00 reeko vault[988]: ==> Vault server configuration:
Apr 12 11:47:00 reeko vault[988]:                      Cgo: enabled
Apr 12 11:47:00 reeko vault[988]:               Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "disabled")
Apr 12 11:47:00 reeko vault[988]:                Log Level: info
Apr 12 11:47:00 reeko vault[988]:                    Mlock: supported: true, enabled: true
Apr 12 11:47:00 reeko vault[988]:                  Storage: file
Apr 12 11:47:00 reeko vault[988]:                  Version: Vault v0.10.0
Apr 12 11:47:00 reeko vault[988]: ==> Vault server started! Log data will stream in below:
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.460-0700 [INFO ] core: vault is unsealed
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.460-0700 [INFO ] core: post-unseal setup starting
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.460-0700 [INFO ] core: loaded wrapping token key
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.460-0700 [INFO ] core: successfully setup plugin catalog: plugin-directory=
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.461-0700 [INFO ] core: successfully mounted backend: type=kv path=secret/
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.461-0700 [INFO ] core: successfully mounted backend: type=system path=sys/
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.461-0700 [INFO ] core: successfully mounted backend: type=identity path=identity/
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.462-0700 [INFO ] core: successfully mounted backend: type=gcp path=gcp/
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.462-0700 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.464-0700 [INFO ] core: restoring leases
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.464-0700 [INFO ] rollback: starting rollback manager
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.464-0700 [INFO ] expiration: lease restore complete
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.465-0700 [INFO ] identity: entities restored
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.465-0700 [INFO ] identity: groups restored
Apr 12 11:50:01 reeko vault[988]: 2018-04-12T11:50:01.465-0700 [INFO ] core: post-unseal setup complete
Apr 12 11:51:01 reeko vault[988]: panic: runtime error: invalid memory address or nil pointer dereference
Apr 12 11:51:01 reeko vault[988]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x5648d7a0d27b]
Apr 12 11:51:01 reeko vault[988]: goroutine 205 [running]:
Apr 12 11:51:01 reeko vault[988]: github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin.(*backend).serviceAccountPolicyRollback(0xc420076ba0, 0x5648d9a34b80, 0xc4205bf9c0, 0xc4205059e0, 0x5648d95ef9a0, 0xc4208f9d40, 0x0, 0x0)
Apr 12 11:51:01 reeko vault[988]:         /build/vault/src/src/github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/rollback.go:162 +0x18b
Apr 12 11:51:01 reeko vault[988]: github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin.(*backend).walRollback(0xc420076ba0, 0x5648d9a34b80, 0xc4205bf9c0, 0xc4205059e0, 0xc420746b50, 0xa, 0x5648d95ef9a0, 0xc4208f9d40, 0xc4208f9ce0, 0xc42056e640)
Apr 12 11:51:01 reeko vault[988]:         /build/vault/src/src/github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/rollback.go:33 +0x1a8
Apr 12 11:51:01 reeko vault[988]: github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin.(*backend).(github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin.walRollback)-fm(0x5648d9a34b80, 0xc4205bf9c0, 0xc4205059e0, 0xc420746b50, 0xa, 0x5648d95ef9a0, 0xc4208f9d40, 0x0, 0x0)
Apr 12 11:51:01 reeko vault[988]:         /build/vault/src/src/github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/backend.go:65 +0x7f
Apr 12 11:51:01 reeko vault[988]: github.com/hashicorp/vault/logical/framework.(*Backend).handleWALRollback(0xc420596a90, 0x5648d9a34b80, 0xc4205bf9c0, 0xc4205059e0, 0x28, 0xc4207c5e00, 0x0)
Apr 12 11:51:01 reeko vault[988]:         /build/vault/src/src/github.com/hashicorp/vault/logical/framework/backend.go:461 +0x343
Apr 12 11:51:01 reeko vault[988]: github.com/hashicorp/vault/logical/framework.(*Backend).handleRollback(0xc420596a90, 0x5648d9a34b80, 0xc4205bf9c0, 0xc4205059e0, 0x65313336b8009ce6, 0x6330632d32633463, 0xc420066b30)
Apr 12 11:51:01 reeko vault[988]:         /build/vault/src/src/github.com/hashicorp/vault/logical/framework/backend.go:409 +0x58
Apr 12 11:51:01 reeko vault[988]: github.com/hashicorp/vault/logical/framework.(*Backend).HandleRequest(0xc420596a90, 0x5648d9a34b80, 0xc4205bf9c0, 0xc4205059e0, 0x0, 0x0, 0x0)
Apr 12 11:51:01 reeko vault[988]:         /build/vault/src/src/github.com/hashicorp/vault/logical/framework/backend.go:171 +0x696
Apr 12 11:51:01 reeko vault[988]: github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc4205aaac0, 0x5648d9a34b80, 0xc4205bf9c0, 0xc4205059e0, 0x5648d7360800, 0x0, 0x5648d99c0000, 0x0, 0x0)
Apr 12 11:51:01 reeko vault[988]:         /build/vault/src/src/github.com/hashicorp/vault/vault/router.go:530 +0x7b1
Apr 12 11:51:01 reeko vault[988]: github.com/hashicorp/vault/vault.(*Router).Route(0xc4205aaac0, 0x5648d9a34b80, 0xc4205bf9c0, 0xc4205059e0, 0xc42017c360, 0xc420620c30, 0x4)
Apr 12 11:51:01 reeko vault[988]:         /build/vault/src/src/github.com/hashicorp/vault/vault/router.go:381 +0x50
Apr 12 11:51:01 reeko vault[988]: github.com/hashicorp/vault/vault.(*RollbackManager).attemptRollback(0xc42017c360, 0x5648d9a34b80, 0xc4205bf9c0, 0xc420620c30, 0x4, 0xc4208668e0, 0x0, 0x0)
Apr 12 11:51:01 reeko vault[988]:         /build/vault/src/src/github.com/hashicorp/vault/vault/rollback.go:171 +0x2ae
Apr 12 11:51:01 reeko vault[988]: created by github.com/hashicorp/vault/vault.(*RollbackManager).startRollback
Apr 12 11:51:01 reeko vault[988]:         /build/vault/src/src/github.com/hashicorp/vault/vault/rollback.go:146 +0x13f
Apr 12 11:51:01 reeko systemd[1]: vault.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Apr 12 11:51:01 reeko systemd[1]: vault.service: Failed with result 'exit-code'.

Expected Behavior:

We are attempting to use the GCP secrets backend to manage keys for a nightly backup job that writes files to a cloud storage bucket.

Actual Behavior:

vault write gcp/roleset/test-roleset ... successfully creates a GCP service account, but eventually fails with a 400. A few seconds later, vault server crashes with the log above.

Error writing data to gcp/roleset/redis-backup-roleset: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/gcp/roleset/test-roleset
Code: 400. Errors:

* unable to set policy: googleapi: Error 400: A policy to update must be provided., required

Steps to Reproduce:

vault secrets enable gcp
vault write gcp/config credentials="@vault-creds.json"
vault write gcp/roleset/test-roleset \
  project="my-project" \
  secret_type="access_token" \
  bindings=@test-roleset.hcl \
  token_scopes="https://www.googleapis.com/auth/devstorage.read_write"

The bindings file contains:

resource "buckets/my-storage-bucket" {
  roles = [
    "roles/storage.objectCreator"
  ]
}

The vault-creds.json file is a service account key file generated by Google, for a service account with a role containing:

iam.serviceAccountKeys.create
iam.serviceAccountKeys.delete
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
iam.serviceAccounts.update
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.objects.getIamPolicy
storage.objects.setIamPolicy
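The stack trace above shows a nil pointer dereference inside the GCP plugin's WAL rollback path (serviceAccountPolicyRollback, called from the rollback manager), and the systemd lines show that the panic took the whole Vault process down, not just the one request. The Go program below is an added example, not code from Vault or from vault-plugin-secrets-gcp, and it does not claim to reproduce the actual defect at rollback.go:162. The Policy, walEntry and fakeIAM types and the three rollback functions are all constructed for illustration. It contrasts a rollback that trusts the IAM client to always hand back a policy with one that treats a missing policy as an error (so the WAL entry is simply retried on the next rollback pass), and wraps both in a recover that converts a panic into an error instead of letting it escape to the host process.

```go
package main

import (
	"errors"
	"fmt"
)

// Policy is a deliberately small stand-in for a GCP IAM policy (not the
// google.golang.org/api type): role -> members.
type Policy struct {
	Etag     string
	Bindings map[string][]string
}

// walEntry is the data a write-ahead-log entry would carry so a later
// rollback can strip a member from the roles it was granted.
type walEntry struct {
	Resource string
	Member   string
	Roles    []string
}

// iamClient is the minimal interface the rollback depends on.
type iamClient interface {
	GetPolicy(resource string) (*Policy, error)
	SetPolicy(resource string, p *Policy) error
}

// fakeIAM is an in-memory client so the example runs offline. Storing a nil
// *Policy under a key simulates a "no policy, but no error" response.
type fakeIAM struct {
	policies map[string]*Policy
	SetCalls int
}

func (f *fakeIAM) GetPolicy(resource string) (*Policy, error) {
	p, ok := f.policies[resource]
	if !ok {
		return nil, errors.New("resource not found")
	}
	return p, nil
}

func (f *fakeIAM) SetPolicy(resource string, p *Policy) error {
	if p == nil {
		return errors.New("a policy to update must be provided")
	}
	f.SetCalls++
	f.policies[resource] = p
	return nil
}

// removeMember drops member from every listed role and reports whether
// anything changed. It dereferences p, so p must be non-nil.
func removeMember(p *Policy, member string, roles []string) bool {
	changed := false
	for _, role := range roles {
		var kept []string
		for _, m := range p.Bindings[role] {
			if m == member {
				changed = true
				continue
			}
			kept = append(kept, m)
		}
		if len(kept) == 0 {
			delete(p.Bindings, role)
		} else {
			p.Bindings[role] = kept
		}
	}
	return changed
}

// unguardedRollback is the fragile shape: it assumes GetPolicy never returns
// a nil policy, so a nil response dereferences nil and panics.
func unguardedRollback(c iamClient, e walEntry) error {
	p, err := c.GetPolicy(e.Resource)
	if err != nil {
		return err
	}
	if !removeMember(p, e.Member, e.Roles) {
		return nil
	}
	return c.SetPolicy(e.Resource, p)
}

// guardedRollback is the hardened shape: a nil policy becomes an error, which
// leaves the WAL entry in place for a later retry instead of crashing.
func guardedRollback(c iamClient, e walEntry) error {
	p, err := c.GetPolicy(e.Resource)
	if err != nil {
		return fmt.Errorf("rollback %s: get policy: %w", e.Resource, err)
	}
	if p == nil {
		return fmt.Errorf("rollback %s: client returned no policy to update", e.Resource)
	}
	if !removeMember(p, e.Member, e.Roles) {
		return nil // nothing to undo; idempotent on repeated rollback passes
	}
	return c.SetPolicy(e.Resource, p)
}

// withRecover turns a panic inside a rollback into an error, so one bad WAL
// entry cannot take the server down while the root cause is being fixed.
func withRecover(fn func(iamClient, walEntry) error, c iamClient, e walEntry) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("rollback %s: recovered panic: %v", e.Resource, r)
		}
	}()
	return fn(c, e)
}

func main() {
	// Constructed sample: the client answers with no policy for the bucket.
	entry := walEntry{
		Resource: "buckets/my-storage-bucket",
		Member:   "serviceAccount:vault-test@example.iam.gserviceaccount.com",
		Roles:    []string{"roles/storage.objectCreator"},
	}
	client := &fakeIAM{policies: map[string]*Policy{entry.Resource: nil}}
	fmt.Println("unguarded:", withRecover(unguardedRollback, client, entry))
	fmt.Println("guarded:  ", withRecover(guardedRollback, client, entry))
}
```

The recover wrapper is a containment measure, not a fix: the guarded function is the real correction, because it names the condition (no policy came back) and leaves the WAL entry for a retry, whereas a recovered panic only tells you that something in the path dereferenced nil.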
emilymye (Contributor) commented Apr 12, 2018

@naveg @jefferai Please close this issue - I have copied it over to the GCP secrets backend.
