
Agent Auth Failure When Namespace in ENV and Config file #8534

Closed
acilate opened this issue Mar 11, 2020 · 1 comment
Labels: agent, bug (Used to indicate a potential bug)

acilate commented Mar 11, 2020

Describe the bug
When starting Vault in agent mode with a config file and directing it to auto-auth an AppRole, specifying the namespace in the configuration file as well as in the environment causes an HTTP 400/HTTP 403 error (depending on whether you're on Windows or Linux).

Specifying the namespace in only one place, ENV or config file, works as expected.

To Reproduce
Steps to reproduce the behavior:

  1. export VAULT_NAMESPACE='my_namespace'
  2. vault agent -config ./agent-config.hcl
==> Vault server started! Log data will stream in below:

==> Vault agent configuration:

                     Cgo: disabled
               Log Level: trace
                 Version: Vault v1.3.2

2020-03-11T11:07:44.214-0700 [INFO]  sink.file: creating file sink
2020-03-11T11:07:44.214-0700 [TRACE] sink.file: enter write_token: path=./token
2020-03-11T11:07:44.214-0700 [TRACE] sink.file: exit write_token: path=./token
2020-03-11T11:07:44.214-0700 [INFO]  sink.file: file sink configured: path=./token mode=-rw-r-----
2020-03-11T11:07:44.215-0700 [INFO]  auth.handler: starting auth handler
2020-03-11T11:07:44.215-0700 [INFO]  auth.handler: authenticating
2020-03-11T11:07:44.215-0700 [INFO]  template.server: starting template server
2020-03-11T11:07:44.215-0700 [INFO]  sink.server: starting sink server
2020-03-11T11:07:44.215-0700 [INFO]  template.server: no templates found
2020-03-11T11:07:44.215-0700 [INFO]  template.server: template server stopped
2020-03-11T11:07:45.256-0700 [ERROR] auth.handler: error authenticating: error="Error making API request.

URL: PUT https://vault.addr/v1/my_namespace/auth/approle/login
Code: 403. Errors:

* 1 error occurred:
	* permission denied

" backoff=1.158592927

Expected behavior
Specifying the namespace in two places should trigger precedence logic where one negates the other. It appears that something is making this additive and producing an invalid request.

Environment:

  • Vault Server Version (retrieve with vault status): Vault v1.3.2 (I don't operate the server, but this is what I'm told)
  • Vault CLI Version (retrieve with vault version): Vault v1.3.2
  • Server Operating System/Architecture: Linux x64

Vault AGENT configuration file(s):

pid_file = "./vault-agent.pid"

vault {
    address = "https://vault.addr"
}

auto_auth {
    method "approle" {
        namespace = "my_namespace"
        config = {
            role_id_file_path = "./role-id"
            secret_id_file_path = "./secret-id"
        }
    }

    sink "file" {
        config = {
            path = "./token"
        }
    }
}
@tyrannosaurus-becks (Contributor) commented

Hi! Thanks for posting this issue and for providing such clear and simple steps to reproduce it.

I was able to reproduce it locally, as shown here:

Terminal output from reproduction
tbex@pop-os:~/Desktop$ echo $VAULT_NAMESPACE

tbex@pop-os:~/Desktop$ vault namespace create my_namespace
Key     Value
---     -----
id      Np3h5
path    my_namespace/
tbex@pop-os:~/Desktop$ export VAULT_NAMESPACE=my_namespace
tbex@pop-os:~/Desktop$ vault auth enable approle
Success! Enabled approle auth method at: approle/
tbex@pop-os:~/Desktop$ vault write auth/approle/role/my-role \
>     secret_id_ttl=10m \
>     token_num_uses=10 \
>     token_ttl=20m \
>     token_max_ttl=30m \
>     secret_id_num_uses=40
Success! Data written to: auth/approle/role/my-role
tbex@pop-os:~/Desktop$ vault read auth/approle/role/my-role/role-id
Key        Value
---        -----
role_id    8b8cb2af-b537-4e14-bb70-a9b8aafb192a
tbex@pop-os:~/Desktop$ vault write -f auth/approle/role/my-role/secret-id
Key                   Value
---                   -----
secret_id             d28bf5c9-d86e-508f-007f-6fc96ba243b2
secret_id_accessor    9b0a726c-7316-5924-d3c1-d0bc72036122
# Write the role and secret ids to files at the path in my config below.
tbex@pop-os:~/Desktop$ nano role-id
tbex@pop-os:~/Desktop$ nano secret-id
tbex@pop-os:~/Desktop$ cat agent-config.hcl 
pid_file = "./vault-agent.pid"

vault {
    address = "https://vault.addr"
}

auto_auth {
    method "approle" {
        namespace = "my_namespace"
        config = {
            role_id_file_path = "/home/tbex/Desktop/role-id"
            secret_id_file_path = "/home/tbex/Desktop/secret-id"
        }
    }

    sink "file" {
        config = {
            path = "./token"
        }
    }
}
tbex@pop-os:~/Desktop$ vault agent -config ./agent-config.hcl
==> Vault server started! Log data will stream in below:

==> Vault agent configuration:

                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.4.0-beta1+prem
             Version Sha: c72252484bec69cf73e6299bd705fbf297a48f4c

2020-03-11T15:09:41.082-0700 [INFO]  sink.file: creating file sink
2020-03-11T15:09:41.082-0700 [INFO]  sink.file: file sink configured: path=./token mode=-rw-r-----
2020-03-11T15:09:41.082-0700 [INFO]  sink.server: starting sink server
2020-03-11T15:09:41.082-0700 [INFO]  auth.handler: starting auth handler
2020-03-11T15:09:41.082-0700 [INFO]  auth.handler: authenticating
2020-03-11T15:09:41.082-0700 [INFO]  template.server: starting template server
2020-03-11T15:09:41.082-0700 [INFO]  template.server: no templates found
2020-03-11T15:09:41.082-0700 [INFO]  template.server: template server stopped
2020-03-11T15:09:41.084-0700 [ERROR] auth.handler: error authenticating: error="Error making API request.

URL: PUT http://localhost:8200/v1/my_namespace/auth/approle/login
Code: 404. Errors:

* no handler for route 'my_namespace/auth/approle/login'" backoff=2.942328953
2020-03-11T15:09:44.026-0700 [INFO]  auth.handler: authenticating
2020-03-11T15:09:44.027-0700 [ERROR] auth.handler: error authenticating: error="Error making API request.

URL: PUT http://localhost:8200/v1/my_namespace/auth/approle/login
Code: 404. Errors:

* no handler for route 'my_namespace/auth/approle/login'" backoff=2.672276819
2020-03-11T15:09:46.700-0700 [INFO]  auth.handler: authenticating
2020-03-11T15:09:46.701-0700 [ERROR] auth.handler: error authenticating: error="Error making API request.

URL: PUT http://localhost:8200/v1/my_namespace/auth/approle/login
Code: 404. Errors:

* no handler for route 'my_namespace/auth/approle/login'" backoff=2.674011764
2020-03-11T15:09:49.375-0700 [INFO]  auth.handler: authenticating
2020-03-11T15:09:49.376-0700 [ERROR] auth.handler: error authenticating: error="Error making API request.

URL: PUT http://localhost:8200/v1/my_namespace/auth/approle/login
Code: 404. Errors:

* no handler for route 'my_namespace/auth/approle/login'" backoff=2.066340913
^C==> Vault agent shutdown triggered
2020-03-11T15:09:49.551-0700 [INFO]  sink.server: sink server stopped
2020-03-11T15:09:49.551-0700 [INFO]  auth.handler: auth handler stopped
tbex@pop-os:~/Desktop$ unset VAULT_NAMESPACE
# rewrite the secret-id which was deleted at the end of the run earlier
tbex@pop-os:~/Desktop$ nano secret-id
tbex@pop-os:~/Desktop$ vault agent -config ./agent-config.hcl
==> Vault server started! Log data will stream in below:

==> Vault agent configuration:

                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.4.0-beta1+prem
             Version Sha: c72252484bec69cf73e6299bd705fbf297a48f4c

2020-03-11T15:10:37.110-0700 [INFO]  sink.file: creating file sink
2020-03-11T15:10:37.110-0700 [INFO]  sink.file: file sink configured: path=./token mode=-rw-r-----
2020-03-11T15:10:37.110-0700 [INFO]  sink.server: starting sink server
2020-03-11T15:10:37.110-0700 [INFO]  auth.handler: starting auth handler
2020-03-11T15:10:37.110-0700 [INFO]  auth.handler: authenticating
2020-03-11T15:10:37.110-0700 [INFO]  template.server: starting template server
2020-03-11T15:10:37.110-0700 [INFO]  template.server: no templates found
2020-03-11T15:10:37.110-0700 [INFO]  template.server: template server stopped
2020-03-11T15:10:37.112-0700 [INFO]  auth.handler: authentication successful, sending token to sinks
2020-03-11T15:10:37.112-0700 [INFO]  auth.handler: starting renewal process
2020-03-11T15:10:37.113-0700 [INFO]  sink.file: token written: path=./token
2020-03-11T15:10:37.115-0700 [INFO]  auth.handler: renewed auth token
^C==> Vault agent shutdown triggered
2020-03-11T15:10:42.766-0700 [INFO]  sink.server: sink server stopped
2020-03-11T15:10:42.766-0700 [INFO]  auth.handler: shutdown triggered, stopping lifetime watcher
2020-03-11T15:10:42.766-0700 [INFO]  auth.handler: auth handler stopped

I think what's happening is that in your issue, it's trying to access a namespace of my_namespace within my_namespace, so essentially, a sub-namespace, and it's not authorized to do so. So essentially, if you'd exported a namespace of "fizz", and in your config you used a namespace of "buzz", then the agent would be looking for https://vault.addr/v1/buzz/auth/approle/login from within the namespace of "fizz".

I do like the idea of Vault using precedence logic rather than attempting to access that namespace from the one you're in. As such, marking this as a bug since I think it's reasonable to expect different behavior.

So, basically, the expected behavior in the fizz/buzz example would be that perhaps the env var would take precedence, and Vault would solely look inside the "fizz" namespace. If you actually wanted it to look into "fizz/buzz", you would say that explicitly in either the env var or the config, with the env var taking precedence.
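A preflight check for the env/config namespace conflict discussed in this thread, as an added example that is not part of the issue or of Vault's own code. It assumes the env namespace travels as the X-Vault-Namespace header and the config namespace as a URL path prefix (the path part is what the logs above show), extracts the namespace from the method block with a regex rather than a real HCL parser, and encodes the env-wins precedence rule proposed in the comment:

```python
import os
import re
from typing import Optional

# Constructed copy of the issue's auto_auth block, embedded so the check runs offline.
SAMPLE_CONFIG = '''
auto_auth {
    method "approle" {
        namespace = "my_namespace"
        config = {
            role_id_file_path = "./role-id"
        }
    }
}
'''

def config_namespace(hcl_text: str) -> Optional[str]:
    """Namespace set directly on the auto_auth method block, or None.
    A regex over the layout used in the issue, not a full HCL parser."""
    m = re.search(r'method\s+"[^"]+"\s*\{[^{}]*?\bnamespace\s*=\s*"([^"]*)"', hcl_text)
    ns = m.group(1).strip("/") if m else ""
    return ns or None

def effective_namespace(env_ns: Optional[str], cfg_ns: Optional[str]) -> str:
    """Namespace the login lands in under the additive behaviour the logs show:
    VAULT_NAMESPACE goes out as the X-Vault-Namespace header (assumption) and the
    config namespace is prefixed onto the URL path, so the two nest."""
    parts = [p.strip("/") for p in (env_ns, cfg_ns) if p and p.strip("/")]
    return "/".join(parts)

def precedence_namespace(env_ns: Optional[str], cfg_ns: Optional[str]) -> str:
    """Behaviour proposed in the thread: the env var wins, config is the fallback."""
    return (env_ns or cfg_ns or "").strip("/")

def preflight(hcl_text: str, environ=os.environ, mount: str = "approle") -> dict:
    """Report what a given env + config combination will ask the server for."""
    env_ns = environ.get("VAULT_NAMESPACE") or None
    cfg_ns = config_namespace(hcl_text)
    return {
        "conflict": bool(env_ns and cfg_ns),
        "header_namespace": env_ns,
        "url_path": f"/v1/{cfg_ns + '/' if cfg_ns else ''}auth/{mount}/login",
        "effective_namespace": effective_namespace(env_ns, cfg_ns),
        "precedence_namespace": precedence_namespace(env_ns, cfg_ns),
    }

if __name__ == "__main__":
    print(preflight(SAMPLE_CONFIG))  # "conflict" is True whenever VAULT_NAMESPACE is exported
```

Run it before starting the agent: a report with "conflict" set means the login will be resolved inside the nested namespace shown in "effective_namespace", which is the request the logs above show failing.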

@tyrannosaurus-becks tyrannosaurus-becks added bug Used to indicate a potential bug agent labels Mar 11, 2020
@raskchanky raskchanky self-assigned this Oct 5, 2020