I've run:

```
# vault kv put packet/config api_token=a-project-key
# vault kv put packet/role/foo type=project ttl=30 max_ttl=3600 project_id=xxx-xxx-xxx-xxx-xxx read_only=false
```

and then I created a key and revoked it. Vault's log shows an error in revocation:

```
Mar 28 12:37:43 kif vault[4655]: 2020-03-28T12:37:43.906Z [ERROR] expiration: failed to revoke lease: lease_id=packet/creds/foo/xxxxxxx error="failed to revoke entry: resp: (*logical.Response)(nil) err: DELETE https://api.packet.net/user/api-keys/xxxxxxxxxx: 403 Access denied for the current authentication token "
```
Looking at the user portal, this is the request to delete a project key:
Hey @grahamc, I've just tried to create a project key B (kv get to `packet/role/foo`) with project key A (from `packet/config`). It's possible. However, revoking key B with key A will err with `{"errors":["Access denied for the current authentication token"]}`. I.e. it's not possible to remove project key B with project key A (just as you wrote). I think it's fundamentally an API issue.
This actually can't even be sanitized, because packet/config is not aware if the key is project or user key.
I should definitely mention this in the readme, or in the docstrings in the code. Also, we should create an API issue. Do you have other thoughts on how to proceed about this?
Maybe one method would be to test that the key is a user key: on configuration or at startup time, create a temporary user key and immediately delete it. If it is a user key, this will go fine -- if it is a project key, it will fail to create it in the first place. That said, project keys should be able to delete project keys!
This plugin should probably have a way to clean up keys made this way, too: I don't really want to use a user key.
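The preflight check sketched above (mint a temporary user key, delete it at once, and treat a refusal as "this is a project key"), written out as an added example; this is not code from the plugin. It assumes `POST /user/api-keys` accepts `description` and `read_only` and returns the new key's `id`, which the page does not show; only the `DELETE /user/api-keys/{id}` path and the 403 response come from the issue. The HTTP layer is injected so the decision logic can be exercised offline with a fake transport.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

API = "https://api.packet.net"  # host as seen in the revocation error above
# Assumed request body for creating a user key (not shown on the page).
CREATE_BODY = {"description": "vault-preflight", "read_only": True}

# A transport maps (method, path, json_body) -> (status, decoded_json_or_None).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, Optional[dict]]]


def http_transport(token: str) -> Transport:
    """Real transport against the Packet API using the configured token."""
    def do(method: str, path: str, body: Optional[dict]) -> Tuple[int, Optional[dict]]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            API + path, data=data, method=method,
            headers={"X-Auth-Token": token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as e:
            return e.code, None
    return do


def fake_transport(create_status: int, delete_status: int = 204) -> Transport:
    """Offline stand-in: constructed responses, no network."""
    def do(method: str, path: str, body: Optional[dict]) -> Tuple[int, Optional[dict]]:
        if method == "POST":
            return create_status, ({"id": "tmp-key-id"} if create_status == 201 else None)
        return delete_status, None
    return do


def token_kind(transport: Transport) -> str:
    """Return 'user' or 'project'; raise on any answer the check cannot interpret."""
    status, body = transport("POST", "/user/api-keys", CREATE_BODY)
    if status == 403:
        return "project"  # cannot mint user keys, so it is a project key
    if status not in (200, 201) or not body or "id" not in body:
        raise RuntimeError(f"unexpected create response: {status} {body}")
    # Delete the probe key immediately so the check leaves no credential behind.
    status, _ = transport("DELETE", f"/user/api-keys/{body['id']}", None)
    if status not in (200, 204):
        raise RuntimeError(f"temporary key {body['id']} not deleted: {status}")
    return "user"
```

Run at configuration time, `token_kind(http_transport(api_token))` lets the plugin refuse a token whose leases it will later be unable to revoke.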