VaultEnt 1.12: sys.init method is no longer parsing options correctly for transit unseal types #278

@rethridge-lbi

Description

We use a transit node and auto-unseal for our Vault infrastructure.
We have code that initializes Vault as such:

```ruby
Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})
```

This has been working since implementation in the 1.11.x branch of Vault.

We recently upgraded to Vault Enterprise 1.12.1 and it seems like these options are no longer being parsed correctly. Even though we are still passing in recovery_shares as the init option, the values are no longer being parsed by the API and it thinks we are trying to use secret_shares for a transit seal????

```text
Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})

=> #<Vault::InitResponse:0x0000559cf1d6c138 @keys=[], @keys_base64=[], @root_token="hvs.QDivQZAOKSLpzMwRg7uhbIfO">
irb(main):032:0> Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})
Traceback (most recent call last):
        8: from /usr/bin/irb:23:in `<main>'
        7: from /usr/bin/irb:23:in `load'
        6: from /usr/share/gems/gems/irb-1.2.3/exe/irb:11:in `<top (required)>'
        5: from (irb):32
        4: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/api/sys/init.rb:70:in `init'
        3: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/client.rb:206:in `put'
        2: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/client.rb:300:in `request'
        1: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/client.rb:411:in `error'
Vault::HTTPClientError (The Vault server at `https://si-vault-mainline-01.infra.bwi:8200' responded with a 400.)
Any additional information the server supplied is shown below:

  * parameters secret_shares,secret_threshold not applicable to seal type transit

Please refer to the documentation for help.
```

We downgraded back to Vault Enterprise 1.11.4 and the library works again as expected:

```text
Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})
=> #<Vault::InitResponse:0x0000559cf1d6c138 @keys=[], @keys_base64=[], @root_token="hvs.QDivQZAOKSLpzMwRg7uhbIfO">
```

I know you see the root token above, but this is a sandbox so it does not matter
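The 400 above tells the server side of the story: Vault rejected `secret_shares` and `secret_threshold` for a transit seal even though the caller passed only `recovery_*` options, so the request body must have carried Shamir parameters the caller never set. The following Ruby is an added example, not vault-ruby's code and not the reporter's: it contrasts a naive payload builder that unconditionally fills in Shamir defaults (the 5/3 defaults are an assumption here) with a builder that sends only what the caller asked for and can pre-check the options against a known seal type. The `server_check` function is a small model of the server-side validation whose error text is taken from the issue; the list of auto-unseal seal types beyond `transit` is an assumption for illustration.

```ruby
require 'json'

# Constructed for this example: which /sys/init parameters belong to which
# seal family. Shamir seals split the master key; auto-unseal seals (transit
# and friends) use recovery keys instead, so the two sets are mutually exclusive.
SHAMIR_ONLY       = %w[secret_shares secret_threshold].freeze
AUTO_UNSEAL_ONLY  = %w[recovery_shares recovery_threshold recovery_pgp_keys].freeze
AUTO_UNSEAL_SEALS = %w[transit awskms azurekeyvault gcpckms].freeze # assumed list

# Symbol or string keys in, string keys out, nil values dropped.
def normalize(options)
  options.each_with_object({}) do |(k, v), h|
    h[k.to_s] = v unless v.nil?
  end
end

# Naive builder: always emits Shamir defaults, so a transit-sealed server that
# validates parameters per seal type will reject it. Whether vault-ruby 0.17.0
# behaves exactly like this is an assumption; the pattern reproduces the 400.
def naive_init_payload(options = {})
  opts = normalize(options)
  {
    'secret_shares'      => opts.fetch('secret_shares', 5),    # assumed default
    'secret_threshold'   => opts.fetch('secret_threshold', 3), # assumed default
    'recovery_shares'    => opts['recovery_shares'],
    'recovery_threshold' => opts['recovery_threshold']
  }.compact
end

# Safer builder: only the caller's explicit options reach the wire. When the
# seal type is known, reject mismatched options client-side with a message in
# the same shape the server uses, before any request is made.
def build_init_payload(options = {}, seal_type: nil)
  opts = normalize(options)
  if seal_type
    bad = if AUTO_UNSEAL_SEALS.include?(seal_type)
            SHAMIR_ONLY & opts.keys
          else
            AUTO_UNSEAL_ONLY & opts.keys
          end
    unless bad.empty?
      raise ArgumentError,
            "parameters #{bad.join(',')} not applicable to seal type #{seal_type}"
    end
  end
  opts
end

def init_body_json(options = {}, seal_type: nil)
  JSON.generate(build_init_payload(options, seal_type: seal_type))
end

# Model of the server-side check. Returns nil when the payload is acceptable,
# otherwise the error string (text copied from the issue's 400 response).
def server_check(payload, seal_type)
  return nil unless AUTO_UNSEAL_SEALS.include?(seal_type)
  bad = SHAMIR_ONLY & payload.keys
  bad.empty? ? nil : "parameters #{bad.join(',')} not applicable to seal type #{seal_type}"
end

if $PROGRAM_NAME == __FILE__
  opts = { recovery_shares: 5, recovery_threshold: 3 } # the call from the issue
  puts "naive payload -> #{server_check(naive_init_payload(opts), 'transit').inspect}"
  puts "explicit payload -> #{init_body_json(opts, seal_type: 'transit')}"
end
```

The point for anyone wrapping `/sys/init`: never send a parameter the caller did not set, because the server, not the client, knows which seal is configured, and a default that was harmless against one Vault version becomes a hard error once the server starts validating parameters per seal type.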
