Permission denied when trying to get an AppRole from HashiCorp Vault

Problem description (votes: 0, answers: 0)

I'm new to HashiCorp Vault. I created a docker-compose file and a few other files to add some configuration. I did this because I don't want to create the secrets and AppRoles by hand when I run it on another computer. This is for learning purposes only.

I've been trying for 2 days, but I don't know what I'm doing wrong. After running docker-compose, I enter the container and run these commands:

  • This one runs without any problem:

    /bin/sh docker-compose-configs/vault-config/init-vault.sh

  • But with this one, I get an error:

    / # vault list auth/approle/role
    Error listing auth/approle/role: Error making API request.

    URL: GET http://127.0.0.1:8200/v1/auth/approle/role?list=true
    Code: 403. Errors:

    * permission denied

These are my files:

Docker Compose:

version: '3'

services:
  vault:
    image: vault:latest
    container_name: ticketflow-vault
    ports:
      - "8200:8200"
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: ticketflow-token
      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
      VAULT_ADDR: "http://127.0.0.1:8200"
    cap_add:
      - IPC_LOCK
    restart: always
    volumes:
      - vault-data:/vault/file
      - vault-logs:/vault/logs
      - ./vault-config:/docker-compose-configs/vault-config
volumes:
  vault-data:
  vault-logs:

config.hcl:

storage "file" {
  path = "/vault/file"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

ui = true
api_addr = "http://127.0.0.1:8200"

init-vault.sh:

#!/bin/sh

chmod +x /docker-compose-configs/vault-config/*.sh
/docker-compose-configs/vault-config/import-approle.sh
/docker-compose-configs/vault-config/import-secrets.sh

import-secrets.sh:

#!/bin/sh

export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='ticketflow-token'

while true; do
  vault_status=$(vault status -format=json)
  if echo "$vault_status" | grep -q '"sealed": false'; then
    break
  fi
  sleep 5
done

echo "Importing secrets..."
while read -r line; do
  key=$(echo "$line" | cut -d '=' -f 1)
  # "-f 2-" keeps the whole remainder, so values that contain '=' are not truncated
  value=$(echo "$line" | cut -d '=' -f 2-)
  echo "Importing secret: authentication.$key"
  vault kv put "secret/ticketflow/development/authentication.$key" value="$value"
done < /docker-compose-configs/vault-config/secrets.txt

echo "Secrets imported successfully."

import-approle.sh:

#!/bin/sh

export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='ticketflow-token'

vault auth enable approle

vault policy write ticketflow -<<EOT
path "secret/ticketflow/development/*" {
  capabilities = ["read", "list"]
}
path "auth/approle/role/*" {
  capabilities = ["read", "list", "create", "update"]
}
path "sys/policies/acl/*" {
  capabilities = ["read"]
}
EOT

vault write auth/approle/role/ticketflow \
    token_policies="ticketflow" \
    token_ttl=1h \
    token_max_ttl=24h \
    secret_id_num_uses=0 \
    secret_id_ttl=0 \
    token_num_uses=0 \
    token_period=0

vault write auth/approle/role/ticketflow \
    token_policies="ticketflow" \
    token_ttl=1h \
    token_max_ttl=24h

vault read auth/approle/role/ticketflow/role-id
vault write -f auth/approle/role/ticketflow/secret-id

secrets.txt:

client_secret=45edaa89-16cb-41e2-aee5-970ab971ee9c
client_id=Authentication-client
REALM=TicketFlow
docker docker-compose http-status-code-403 hashicorp-vault vault
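The scripts above export VAULT_TOKEN inside their own shell, so that token does not survive into the interactive shell where `vault list` is typed. A 403 from Vault therefore has two usual causes: the CLI is not sending the token you think it is, or the token it sends lacks the `list` capability on that path. The diagnostic script below is an added example, not code from the question or from HashiCorp; it assumes the `vault` CLI is on PATH inside the container and that VAULT_ADDR/VAULT_TOKEN are set the way the question's scripts set them. `token_source` and `has_capability` are helper names invented for this example; the `vault token lookup` and `vault token capabilities` commands are real CLI commands.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original question).
# Assumes: vault CLI on PATH, VAULT_ADDR pointing at the dev server.

# Report where the Vault CLI will take its token from: the VAULT_TOKEN
# environment variable, the ~/.vault-token file written by `vault login`,
# or nowhere (then every request goes out unauthenticated).
token_source() {
  if [ -n "${VAULT_TOKEN:-}" ]; then
    echo "env"
  elif [ -s "${HOME:-/root}/.vault-token" ]; then
    echo "file"
  else
    echo "none"
  fi
}

# Given the capability list that `vault token capabilities <path>` prints
# (e.g. "create, list, read", "deny" or "root"), return 0 if the wanted
# capability is granted, 1 otherwise. A root token implicitly has everything.
has_capability() {
  caps="$1"; wanted="$2"
  [ "$caps" = "root" ] && return 0
  for cap in $(printf '%s' "$caps" | tr ',' ' '); do
    [ "$cap" = "$wanted" ] && return 0
  done
  return 1
}

# Explain a 403 on a path: which token is in use, what policies it carries,
# and whether it actually has "list" on the path being queried.
diagnose() {
  path="${1:-auth/approle/role}"
  echo "token source: $(token_source)"
  if [ "$(token_source)" = "none" ]; then
    echo "no token: export VAULT_TOKEN or run 'vault login' before 'vault list'"
    return 1
  fi
  # Table output; the "policies" row shows what the current token is allowed
  vault token lookup 2>/dev/null | grep -E '^(display_name|policies)' || echo "token lookup failed"
  caps=$(vault token capabilities "$path" 2>/dev/null)
  echo "capabilities on $path: ${caps:-<none>}"
  if has_capability "$caps" list; then
    echo "list is allowed on $path"
  else
    echo "list is NOT allowed on $path: check the token's policies"
    return 1
  fi
}

# Only talk to Vault when the binary exists, so the helpers can be sourced
# and tested on a machine without Vault installed.
if command -v vault >/dev/null 2>&1; then
  diagnose "$@"
fi
```

Run it inside the container as `sh diagnose.sh auth/approle/role` once before and once after `export VAULT_TOKEN=...`; the "token source" line tells you whether the interactive shell is sending any token at all, and the capabilities line separates a wrong-token problem from a wrong-policy problem.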