 

Hashicorp Vault: "Code: 400. Errors" Error Message

When using Vault Agent with a secret ID file, I received the following error message:

$ ./vault agent --config auth_config.hcl
==> Vault server started! Log data will stream in below:

==> Vault agent configuration:

           Api Address 1: http://127.0.0.1:8300
                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.3.0

2020-02-04T14:08:28.352-0800 [INFO]  auth.handler: starting auth handler
2020-02-04T14:08:28.352-0800 [INFO]  auth.handler: authenticating
2020-02-04T14:08:28.352-0800 [INFO]  sink.server: starting sink server
2020-02-04T14:08:28.352-0800 [INFO]  template.server: starting template server
2020-02-04T14:08:28.352-0800 [INFO]  template.server: no templates found
2020-02-04T14:08:28.352-0800 [INFO]  template.server: template server stopped
2020-02-04T14:08:28.354-0800 [ERROR] auth.handler: error authenticating: error="Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/approle/login
Code: 400. Errors:

* invalid secret id" backoff=2.190384035

The command I executed was:

vault agent --config auth_config.hcl

The contents of my auth_config.hcl file are:

vault {
  address = "http://127.0.0.1:8200"
}

auto_auth {
  method "approle" {
    config {
      role_id_file_path = "./role_id"
      secret_id_file_path = "./secret_id"
      remove_secret_id_file_after_reading = false
    }
  }

}

cache {
  use_auto_auth_token = true
}

listener "tcp" {
  address = "127.0.0.1:8300"
  tls_disable = true
}

My secret ID was generated using the following command:

vault write -f auth/approle/role/payments_service/secret-id -format=json | sed -E -n 's/.*"secret_id": "([^"]*).*/\1/p' > secret_id

Why is this error happening?

entpnerd asked Nov 26 '25 04:11


1 Answer

I found that the usual reason this happens is that the secret ID file wasn't generated correctly in the first place. See this GitHub thread for example. Unfortunately, in my case, the file was generated. The file secret_id referenced in auth_config.hcl contained the secret ID.

In my case, the problem was that after I generated the file secret_id, I executed the command vault write -f auth/approle/role/payments_service/secret-id a second time. This new command didn't overwrite the original file with a new secret ID. The consequence of this new command was that it spawned a new secret ID, which invalidated the previous secret ID that had been written to the secret_id file.

My solution was to rerun the command that wrote the secret ID to the file, secret_id, and then immediately run the Vault Agent. Problem solved.

entpnerd answered Nov 28 '25 06:11
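The answer names two different failure modes behind the same "invalid secret id" response: a secret_id file whose contents are not actually a bare secret ID (the sed pipeline in the question writes an empty file if its pattern does not match), and a file whose ID is no longer accepted by Vault. The script below is an added example, not code from the question or from HashiCorp: check_secret_id_file inspects the file offline and reports which kind of garbage it holds, issue_secret_id regenerates it with vault write -field=secret_id instead of parsing JSON with sed, and verify_login performs the same AppRole login the agent would, so you learn whether the ID is rejected before starting the agent. The role name payments_service and the file names ./role_id and ./secret_id are taken from the question; the sample UUIDs in the comments are made up.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post). Assumes the AppRole is named
# payments_service and that Vault Agent reads ./role_id and ./secret_id, as in
# the question's auth_config.hcl. Requires VAULT_ADDR/VAULT_TOKEN for the two
# functions that talk to Vault; check_secret_id_file needs no Vault at all.
set -eu

ROLE_NAME="payments_service"
ROLE_ID_FILE="./role_id"
SECRET_ID_FILE="./secret_id"

# A Vault AppRole secret ID is a UUID. Return 0 only if the file holds exactly
# one UUID-shaped line; otherwise print a diagnosis on stderr and return 1.
check_secret_id_file() {
  file="$1"
  if [ ! -s "$file" ]; then
    echo "$file: missing or empty (the secret-id command or the sed filter produced nothing)" >&2
    return 1
  fi
  # grep -c '' counts lines even when the last one lacks a trailing newline.
  if [ "$(grep -c '' "$file")" -ne 1 ]; then
    echo "$file: expected exactly one line, got $(grep -c '' "$file")" >&2
    return 1
  fi
  value=$(tr -d '[:space:]' < "$file")
  case "$value" in
    *'{'*|*'"'*)
      echo "$file: contains raw JSON, not a bare secret ID; regenerate with -field=secret_id" >&2
      return 1 ;;
  esac
  if ! printf '%s\n' "$value" | grep -Eq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'; then
    echo "$file: '$value' is not a UUID-shaped secret ID" >&2
    return 1
  fi
  return 0
}

# Regenerate both files. -field=secret_id prints only that value, so there is
# nothing for a sed pattern to miss. Each call mints a new secret ID, so run
# this once and start the agent straight after, as the answer does.
issue_secret_id() {
  vault read -field=role_id "auth/approle/role/$ROLE_NAME/role-id" > "$ROLE_ID_FILE"
  vault write -f -field=secret_id "auth/approle/role/$ROLE_NAME/secret-id" > "$SECRET_ID_FILE"
  chmod 600 "$SECRET_ID_FILE"
}

# Perform the same login the agent performs (PUT auth/approle/login). A 400
# "invalid secret id" here means the ID in the file is not accepted, even if
# the file itself is well-formed.
verify_login() {
  vault write -field=token auth/approle/login \
    role_id="$(tr -d '[:space:]' < "$ROLE_ID_FILE")" \
    secret_id="$(tr -d '[:space:]' < "$SECRET_ID_FILE")" > /dev/null
}

# Only touch Vault when the CLI and the files are actually present, so the
# function definitions above can be sourced on a machine without Vault.
if command -v vault > /dev/null 2>&1 && [ -f "$SECRET_ID_FILE" ] && [ -f "$ROLE_ID_FILE" ]; then
  check_secret_id_file "$SECRET_ID_FILE"
  verify_login && echo "secret ID in $SECRET_ID_FILE logs in; safe to start vault agent"
fi
```

If check_secret_id_file passes but verify_login still fails with the 400, the file is fine and the ID itself is the problem, which is the situation the answer describes; calling issue_secret_id and starting the agent immediately afterwards is then the fix.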


