-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Agent Auth Failure When Namespace in ENV and Config file #8534
Comments
Hi! Thanks for posting this issue and for providing such clear and simple issues to reproduce it. I was able to reproduce it locally, as shown here: Terminal output from reproduction
I think what's happening is that in your issue, it's trying to access a namespace of my_namespace within my_namespace, so essentially, a sub-namespace, and it's not authorized to do so. So essentially, if you'd exported a namespace of "fizz", and in your config you used a namespace of "buzz", then the agent would be looking for I do like the idea of Vault using precedence logic rather than attempting to access that namespace from the one you're in. As such, marking this as a bug since I think it's reasonable to expect different behavior. So, basically, the expected behavior in the fizz/buzz example would be that perhaps the env var would take precedence, and Vault would solely look inside the "fizz" namespace. If you actually wanted it to look into "fizz/buzz", you would say that explicitly in either the env var or the config, with the env var taking precedence. |
Describe the bug
When starting vault in agent mode with a config file and directing it to auto-auth an approle, specifying the namespace in the configuration file as well as the environment causes an HTTP400/HTTP403 error (depending on if you're in windows or linux)
Specifying the namespace in only one place, ENV or Config file works as expected.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Specifying the namespace in two places should trigger precedence logic where one negates the other. It appears that something is making this additive and producing an invalid request.
Environment:
vault status
): Vault v1.3.2 (I don't operate the server, but this is what I'm told)vault version
): Vault v1.3.2Vault AGENT configuration file(s):
The text was updated successfully, but these errors were encountered: