[BUG] New AppRole(s) results in VaultNotFoundError #111

Open
Ramshield opened this issue Feb 6, 2025 · 0 comments
Labels
bug Something isn't working

Description
I created 2 AppRole mounts, salt-master and salt-minions.
I created a Role (salt-master) with a default policy salt_master which has the allowed endpoints listed here: https://salt-extensions.github.io/saltext-vault/topics/basic_configuration.html#prerequisites where I replaced auth_approle_0a1b2c3d with the accessor name of the salt-minions Auth method.

Then I got the role-id and created a secret-id from the salt-master Auth method, pasted it in my Salt config, restarted salt-master and salt-minion, cleared the cache of both, and ran salt-run vault.sync_approles.

I get the following error:

[DEBUG   ] Starting new HTTPS connection (1): vault.foobar.com:443
[DEBUG   ] https://vault.foobar.com:443 "LIST /v1/auth/salt-minions/role HTTP/1.1" 404 14
[DEBUG   ] The functions from module 'local_cache' are being loaded by dir() on the loaded module
[DEBUG   ] LazyLoaded local_cache.prep_jid
[DEBUG   ] Adding minions for job 20250206095314130513: []
[DEBUG   ] The functions from module 'nested' are being loaded by dir() on the loaded module
[DEBUG   ] LazyLoaded nested.output
Exception occurred in runner vault.sync_approles: Traceback (most recent call last):
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/client/mixins.py", line 383, in low
    data["return"] = func(*args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 160, in __call__
    ret = self.loader.run(run_func, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1269, in run
    return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1284, in _run_as
    return _func_or_method(*args, **kwargs)
  File "/opt/saltstack/salt/extras-3.10/saltext/vault/runners/vault.py", line 656, in sync_approles
    for minion in set(minions) & set(list_approles()):
  File "/opt/saltstack/salt/extras-3.10/saltext/vault/runners/vault.py", line 689, in list_approles
    return api.list_approles(mount=_config("issue:approle:mount"))
  File "/opt/saltstack/salt/extras-3.10/saltext/vault/utils/vault/api.py", line 34, in list_approles
    return self.client.list(endpoint)["data"]["keys"]
  File "/opt/saltstack/salt/extras-3.10/saltext/vault/utils/vault/client.py", line 199, in list
    return self.request(
  File "/opt/saltstack/salt/extras-3.10/saltext/vault/utils/vault/client.py", line 262, in request
    self._raise_status(res)
  File "/opt/saltstack/salt/extras-3.10/saltext/vault/utils/vault/client.py", line 414, in _raise_status
    raise VaultNotFoundError(errors)
saltext.vault.utils.vault.exceptions.VaultNotFoundError

Running salt someminion vault.query get auth/token/lookup-self and then salt-run vault.sync_approles fixes this error.
According to @lkubb, it is a bug in the AppRole API implementation then: it should catch VaultNotFound and return an empty list instead.

See Discord discussion: https://discord.com/channels/1200072194781368340/1336702553718657095


Ramshield added the bug label Feb 6, 2025
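
A sketch of the fix suggested in the issue, as an added example that is not part of the original report or saltext-vault's own code: `list_approles` treats the 404 that Vault returns for a LIST on a path with no entries as "no roles yet" and returns an empty list. `VaultNotFoundError`, `FakeClient` and `sync_targets` here are constructed stand-ins, and re-raising a 404 that carries an error message (so a mistyped mount name is not silently hidden) is an assumption of this example, not something the issue asks for.

```python
class VaultNotFoundError(Exception):
    """Stand-in for the exception in the traceback, raised with the response's errors."""

    def __init__(self, errors=None):
        super().__init__(errors)
        self.errors = errors or []


class FakeClient:
    """Constructed stand-in for the HTTP client; maps auth mounts to role names."""

    def __init__(self, roles_by_mount):
        self.roles_by_mount = roles_by_mount

    def list(self, endpoint):
        # endpoint has the shape seen in the debug log: auth/<mount>/role
        mount = endpoint.split("/")[1]
        if mount not in self.roles_by_mount:
            # Assumption: a missing mount answers 404 with a non-empty errors list.
            raise VaultNotFoundError([f"no handler for route {endpoint!r}"])
        keys = self.roles_by_mount[mount]
        if not keys:
            # A LIST with nothing under the path answers 404 with no error text.
            # The 14-byte body in the log is consistent with {"errors":[]} + newline.
            raise VaultNotFoundError([])
        return {"data": {"keys": list(keys)}}


def list_approles(client, mount):
    """Return role names under auth/<mount>/role; a mount without roles yields []."""
    try:
        return client.list(f"auth/{mount}/role")["data"]["keys"]
    except VaultNotFoundError as err:
        if err.errors:
            raise  # 404 with a message: surface it instead of masking a bad mount
        return []


def sync_targets(client, mount, minions):
    """Same intersection as the traceback's set(minions) & set(list_approles())."""
    return sorted(set(minions) & set(list_approles(client, mount)))


if __name__ == "__main__":
    client = FakeClient({"salt-minions": [], "salt-master": ["minion1"]})
    print(sync_targets(client, "salt-minions", ["minion1"]))
```
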