Keys can't be revoked when configured with a Project key #11

Open
grahamc opened this issue Mar 28, 2020 · 3 comments
@grahamc
Contributor

grahamc commented Mar 28, 2020

I've run:

      # vault kv put packet/config api_token=a-project-key
      # vault kv put packet/role/foo type=project ttl=30 max_ttl=3600 project_id=xxx-xxx-xxx-xxx-xxx read_only=false

and then I created a key and revoked it. Vault's log shows an error in revocation:

      Mar 28 12:37:43 kif vault[4655]: 2020-03-28T12:37:43.906Z [ERROR] expiration: failed to revoke lease: lease_id=packet/creds/foo/xxxxxxx error="failed to revoke entry: resp: (*logical.Response)(nil) err: DELETE https://api.packet.net/user/api-keys/xxxxxxxxxx: 403 Access denied for the current authentication token "

Looking at the user portal, this is the request to delete a project key:

      Request URL: https://api.packet.net/api-keys/xxxxxxxxxxxxxxx?token=...
      Request Method: DELETE

This plugin should probably have a way to clean up keys made this way, too: I don't really want to use a user key.
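
Added example, not part of the original issue or the plugin's code: a revocation that fails like the one in the log above leaves the issued key valid at the provider, so this sketch scans Vault log text for leases whose revocation failed and never later succeeded. The sample lines are constructed from the log format quoted above (ids are made up), and the `revoked lease` success line is an assumed format.

```python
import re

# Constructed sample in the format of the log line quoted in the issue;
# lease ids and key ids are made up. The INFO line format is an assumption.
SAMPLE_LOG = """\
Mar 28 12:37:43 kif vault[4655]: 2020-03-28T12:37:43.906Z [ERROR] expiration: failed to revoke lease: lease_id=packet/creds/foo/AbC123 error="failed to revoke entry: resp: (*logical.Response)(nil) err: DELETE https://api.packet.net/user/api-keys/key-0001: 403 Access denied for the current authentication token "
Mar 28 12:37:50 kif vault[4655]: 2020-03-28T12:37:50.120Z [ERROR] expiration: failed to revoke lease: lease_id=packet/creds/foo/DeF456 error="failed to revoke entry: resp: (*logical.Response)(nil) err: DELETE https://api.packet.net/user/api-keys/key-0002: 503 Service Unavailable"
Mar 28 12:38:01 kif vault[4655]: 2020-03-28T12:38:01.377Z [ERROR] expiration: failed to revoke lease: lease_id=packet/creds/foo/AbC123 error="failed to revoke entry: resp: (*logical.Response)(nil) err: DELETE https://api.packet.net/user/api-keys/key-0001: 403 Access denied for the current authentication token "
Mar 28 12:38:05 kif vault[4655]: 2020-03-28T12:38:05.002Z [INFO]  expiration: revoked lease: lease_id=packet/creds/foo/DeF456
Mar 28 12:40:10 kif vault[4655]: 2020-03-28T12:40:10.015Z [ERROR] expiration: failed to revoke lease: lease_id=packet/creds/foo/GhI789 error="failed to revoke entry: resp: (*logical.Response)(nil) err: DELETE https://api.packet.net/user/api-keys/key-0003: 503 Service Unavailable"
"""

FAILED = re.compile(
    r"\[ERROR\] expiration: failed to revoke lease: lease_id=(?P<lease>\S+) "
    r'error=".*?err: (?P<method>[A-Z]+) (?P<url>\S+): (?P<status>\d{3}) '
)
REVOKED = re.compile(r"expiration: revoked lease: lease_id=(?P<lease>\S+)")


def unrevoked_leases(log_text):
    """Return {lease_id: info} for leases whose revocation failed and never later succeeded."""
    leases = {}
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        if failed:
            info = leases.setdefault(failed["lease"], {"attempts": 0})
            info["attempts"] += 1
            # Last path segment of the DELETE URL is the key id at the provider.
            info["remote_key"] = failed["url"].rsplit("/", 1)[-1]
            info["status"] = int(failed["status"])
            # 401/403 will not clear on retry: the configured token lacks the right.
            info["permanent"] = info["status"] in (401, 403)
            continue
        revoked = REVOKED.search(line)
        if revoked:
            # A later successful revocation clears earlier failures for that lease.
            leases.pop(revoked["lease"], None)
    return leases


if __name__ == "__main__":
    for lease, info in unrevoked_leases(SAMPLE_LOG).items():
        kind = "will not clear on retry" if info["permanent"] else "may clear on retry"
        print(f"{lease}: key {info['remote_key']} not deleted, "
              f"HTTP {info['status']} x{info['attempts']}, {kind}")
```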

@t0mk
Contributor

t0mk commented Apr 2, 2020

Hey @grahamc, I've just tried to create a project key B (kv get to packet/role/foo) with project key A (from packet/config). It's possible. However, revoking key B with key A will err with {"errors":["Access denied for the current authentication token"]}. I.e. it's not possible to remove project key B with project key A (just as you wrote). I think it's fundamentally an API issue.

This actually can't even be sanitized, because packet/config is not aware whether the key is a project or user key.

I should definitely mention this in the readme, or in the docstrings in the code. Also, we should create an API issue. Do you have other thoughts on how to proceed about this?

@grahamc
Contributor Author

grahamc commented Apr 2, 2020

Maybe one method would be to test that the key is a user key: on configuration or at startup time, create a temporary user key and immediately delete it. If it is a user key, this will go fine -- if it is a project key, it will fail to create it in the first place. That said, project keys should be able to delete project keys!

@displague
Member

Project API keys can now successfully create and destroy project SSH keys.

Does that resolve this issue?

@displague displague added this to the v0.5.0 milestone Jun 14, 2021