Unable to login using approle

See original GitHub issue

I am able to use the Vault CLI and the REST API via curl to use a role id and secret id to get a token; I am also able to log in using the token and get a secret. When I use the same role id and secret id with the Vault Jenkins plugin I get an error that the token is missing. I am running Jenkins 2.159 and Vault plugin version 3.3.0. The Vault server version is 1.3.2.

The configuration for the Vault plugin contains my Vault URL, which I can't disclose but is the same URL I used successfully with the CLI. My credential is vault_tools_approle, which I will detail below. The Vault namespace is blank. I have K/V engine version set to "2". I have "fail on path" unchecked, and I have "skip SSL verification" unchecked. My Vault URL is https. My timeout is 60.

The Vault credential contains the role id and secret id that I used during my tests with the REST API and the CLI. The path is set to: v1/auth/app/prod/login. The id and description are set to: vault_tools_approle.

This is an example of the curl and CLI commands I used to get a token, log in, and then get a secret, which works. The role id, secret id, and URL are removed.

    curl --request POST --data '{"role_id":"XXXXXX","secret_id":"XXXX"}' https://URL/v1/auth/app/prod/login

    vault login TOKEN
    vault kv get v1/ci/kv/maven/test

In my Jenkinsfile I have the following code. When I run this it prints "VAULT TEST 1" but does not print "VAULT TEST 2" and fails. The error and stack trace are below.

    stage('Vault') {
        println("VAULT TEST 1")

        // one entry per secret path; each vaultKey is exposed as envVar inside the block
        def secrets = [
            [path: 'v1/ci/kv/maven/test', secretValues: [
                [envVar: 'testUser', vaultKey: 'user'],
                [envVar: 'testPassword', vaultKey: 'password']]
            ]
        ]

        // the plugin logs in with the configured Vault credential, reads the
        // secrets and injects them as environment variables for the enclosed steps
        withVault([vaultSecrets: secrets]) {
            println("VAULT TEST 2")
            sh 'echo $testUser'
            sh 'echo $testPassword'
        }
    }

com.bettercloud.vault.VaultException: Vault responded with HTTP status code: 400
Response body: {"errors":["missing client token"]}

	at com.bettercloud.vault.api.Auth.loginByAppRole(Auth.java:524)
	at com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential.getToken(VaultAppRoleCredential.java:54)
Caused: com.datapipe.jenkins.vault.exception.VaultPluginException: could not log in into vault
	at com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential.getToken(VaultAppRoleCredential.java:57)
	at com.datapipe.jenkins.vault.credentials.AbstractVaultTokenCredential.authorizeWithVault(AbstractVaultTokenCredential.java:20)
	at com.datapipe.jenkins.vault.VaultAccessor.init(VaultAccessor.java:39)
	at com.datapipe.jenkins.vault.VaultBuildWrapper.provideEnvironmentVariablesFromVault(VaultBuildWrapper.java:148)
	at com.datapipe.jenkins.vault.VaultBuildWrapper.setUp(VaultBuildWrapper.java:95)
	at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution2.doStart(CoreWrapperStep.java:97)
	at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 10 (2 by maintainers)

Top GitHub Comments

sfc-gh-tvidyasankar commented, Jul 28, 2020 (2 reactions)

I had a similar issue.

The only mistake I made on my end was to use the Path in credentials to hold the actual path of the vault instead of add credentials (make sure Path == 'approle'), as mentioned by @shipilovds.

After I modified Path to "approle", it worked like a charm.
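As an added example (not from the issue or the plugin's own code), the following Python helper shows why the Path value matters: the vault-java-driver that the plugin calls (Auth.loginByAppRole in the trace above) builds the login URL as <vault url>/v1/auth/<Path>/login, so Path must be the auth mount name ("approle", or "app/prod" for the curl URL used above), not the full URL path. The host name and values are constructed.

```python
import json
from urllib.parse import urlsplit

def plugin_login_url(vault_addr: str, credential_path: str) -> str:
    """URL the plugin's driver requests for a credential Path value:
    <addr>/v1/auth/<Path>/login, so Path must be the auth mount name."""
    return f"{vault_addr.rstrip('/')}/v1/auth/{credential_path.strip('/')}/login"

def mount_path_from_login_url(login_url: str) -> str:
    """Derive the Path value from a login URL that works with curl,
    e.g. https://host/v1/auth/app/prod/login -> app/prod."""
    parts = urlsplit(login_url).path.strip("/").split("/")
    if len(parts) < 4 or parts[:2] != ["v1", "auth"] or parts[-1] != "login":
        raise ValueError(f"not an AppRole login URL: {login_url}")
    return "/".join(parts[2:-1])

def check_credential_path(vault_addr: str, credential_path: str) -> dict:
    """Flag a Path carrying the v1/auth prefix or /login suffix: the driver then
    requests a path with no mount behind it, which Vault answers with HTTP 400
    'missing client token' when the request carries no token."""
    norm = credential_path.strip("/")
    problems = []
    if norm.startswith("v1/auth/"):
        problems.append("Path must not start with v1/auth/")
    if norm.endswith("/login"):
        problems.append("Path must not end with /login")
    suggested = norm
    if norm.startswith("v1/auth/") and norm.endswith("/login"):
        suggested = mount_path_from_login_url(f"{vault_addr.rstrip('/')}/{norm}")
    return {"requested_url": plugin_login_url(vault_addr, norm),
            "problems": problems, "suggested_path": suggested}

def explain_login_error(status: int, body: str) -> str:
    """Classify the response body the plugin surfaces in its VaultException."""
    try:
        data = json.loads(body)
    except ValueError:
        return f"unparseable error body (HTTP {status})"
    errors = data.get("errors", []) if isinstance(data, dict) else []
    if status == 400 and "missing client token" in errors:
        return "request did not reach a login endpoint: check the credential Path"
    return f"HTTP {status}: {'; '.join(errors) or 'no error text'}"

if __name__ == "__main__":
    # constructed address standing in for the redacted URL in the issue
    report = check_credential_path("https://vault.example.internal", "v1/auth/app/prod/login")
    print(report["requested_url"], report["problems"], "->", report["suggested_path"])
    print(explain_login_error(400, '{"errors":["missing client token"]}'))
```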

jetersen commented, Aug 21, 2020 (1 reaction)

Update:

I was able to fix this by explicitly setting setEngineVersion() when creating credentials. It seems that, at least in the UI, individual credentials show that they default to 2 but are apparently null, which causes that exception after the message:

08-18 05:51:42.584+0000 [id=266470] INFO com.bettercloud.vault.Vault#<init>: Constructing a Vault instance with no provided Engine version, defaulting to version 2. 2020-08-18 05:51:42.655+0000 [id=266470] WARNING

When setting this explicitly on the credential, this problem completely went away. Of course this also works if you create the credentials through the UI. So perhaps, when using the API to create credentials via VaultStringCredentialImpl, VaultSSHUserPrivateKeyImpl, or VaultUsernamePasswordCredentialImpl, the engine version should be set on construction when not specified, since the claim is that the default is always 2.

@aajimal, this seems like a separate issue and is being dealt with in #122.

I am hitting the same issue even with path set to approle. The workaround mentioned by @shipilovds with deleting everything and re-creating seems to work, though this may not be sustainable because all of our Vault configuration and credentials are set up through Jenkins init.groovy.d scripts on each start.

For your case with init.groovy.d, you would set the path inside your groovy for any approle.

I have created #123 to hopefully fix the potential null pointer that I suspect people experience.

If you're still having issues, you have to configure your VaultAppRoleCredential and set the correct auth path for your approles, i.e. you can have multiple approles on different paths. See https://www.vaultproject.io/docs/auth/approle
