Vault can't properly handle AWS RDS PostgreSQL multi-AZ failover #6792

@zenathar

Description

Environment:

  • Vault Version: 1.1.2
  • Operating System/Architecture: centos-release-7-2.1511.el7.centos.2.10.x86_64

Vault Config File:

backend "consul" {
  address = "127.0.0.1:8500"
  path = "vault"
}

listener "tcp" {
  address = "x.x.x.x:8200"
  tls_disable = 1
}

ha_backend "consul" {
  api_addr = "http:/[[vault_dns_name]]:8200"
  cluster_addr = "http://[[vault_dns_name]]:8201"
}

cluster_name = "xxx"
ui = false

Startup Log Output:

May 28 11:26:35 [censored] systemd[1]: Started Vault.
May 28 11:26:35 [censored] systemd[1]: Starting Vault...
May 28 11:26:35 [censored] vault[2140]: ==> Vault server configuration:
May 28 11:26:35 [censored] vault[2140]: HA Storage: consul
May 28 11:26:35 [censored] vault[2140]: Api Address: http://[censored]:8200
May 28 11:26:35 [censored] vault[2140]: Cgo: disabled
May 28 11:26:35 [censored] vault[2140]: Cluster Address: https://[censored]:8201
May 28 11:26:35 [censored] vault[2140]: Listener 1: tcp (addr: "[censored]:8200", cluster address: "[censored]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
May 28 11:26:35 [censored] vault[2140]: Log Level: info
May 28 11:26:35 [censored] vault[2140]: Mlock: supported: true, enabled: true
May 28 11:26:35 [censored] vault[2140]: Storage: consul
May 28 11:26:35 [censored] vault[2140]: Version: Vault v1.1.2
May 28 11:26:35 [censored] vault[2140]: Version Sha: 0082501623c0b704b87b1fbc84c2d725994bac54
May 28 11:26:35 [censored] vault[2140]: ==> Vault server started! Log data will stream in below:
May 28 11:26:35 [censored] vault[2140]: 2019-05-28T11:26:35.921Z [WARN]  storage.consul: appending trailing forward slash to path
May 28 11:26:35 [censored] vault[2140]: 2019-05-28T11:26:35.923Z [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.819Z [INFO]  core: vault is unsealed
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.821Z [INFO]  core.cluster-listener: starting listener: listener_address=[censored]:8201
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.821Z [INFO]  core.cluster-listener: serving cluster requests: cluster_listen_address=[censored]:8201
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.821Z [INFO]  core: entering standby mode
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.844Z [INFO]  core: acquired lock, enabling active operation
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.890Z [INFO]  core: post-unseal setup starting
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.892Z [INFO]  core: loaded wrapping token key
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.892Z [INFO]  core: successfully setup plugin catalog: plugin-directory=
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.896Z [INFO]  core: successfully mounted backend: type=kv path=secret/
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.896Z [INFO]  core: successfully mounted backend: type=system path=sys/
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.896Z [INFO]  core: successfully mounted backend: type=identity path=identity/
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.896Z [INFO]  core: successfully mounted backend: type=database path=database/
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.896Z [INFO]  core: successfully mounted backend: type=cubbyhole path=cubbyhole/
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.911Z [INFO]  core: successfully enabled credential backend: type=token path=token/
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.911Z [INFO]  core: successfully enabled credential backend: type=approle path=approle/
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.911Z [INFO]  core: restoring leases
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.911Z [INFO]  rollback: starting rollback manager
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.918Z [INFO]  identity: entities restored
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.920Z [INFO]  identity: groups restored
May 28 11:27:05 [censored] vault[2140]: 2019-05-28T11:27:05.922Z [INFO]  core: post-unseal setup complete
May 28 11:27:06 [censored] vault[2140]: 2019-05-28T11:27:06.067Z [INFO]  expiration: lease restore complete

Expected Behavior:
After a multi-AZ failover of PostgreSQL on AWS RDS, Vault should properly generate new credentials when requested.

Actual Behavior:
After a multi-AZ failover, Vault hangs for the maximum amount of time (90s) when generating new credentials, then times out. Credentials are properly generated again about 5-20 minutes after the failover.
Additionally, no traffic is seen in tcpdump for either IP address of the AWS RDS PostgreSQL instance: the old one (before) or the new one (after failover).
The issue does not occur on AWS RDS MySQL.

Steps to Reproduce:

  1. Create an AWS RDS PostgreSQL instance with multi-AZ enabled.
  2. Execute the following statements on the newly created database:
CREATE ROLE vault_root ROLE root;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO vault_root;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO vault_root;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO vault_root;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO vault_root;
  3. Create the PostgreSQL database config as described:
./vault read database/config/db
Key                                   Value
---                                   -----
allowed_roles                         [db_rw]
connection_details                    map[max_open_connections:4 connection_url:postgresql://root:*****@[db_url]:5432/db max_connection_lifetime:5s max_idle_connections:-1]
plugin_name                           postgresql-database-plugin
root_credentials_rotate_statements    []
  4. Create the PostgreSQL database role as described:
[root@aint2vault01b vault]# ./vault read database/roles/db_rw
Key                      Value
---                      -----
creation_statements      [CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' IN ROLE vault_root; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "{{name}}"; GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO "{{name}}";]
db_name                 db
default_ttl              1h
max_ttl                  800000h
renew_statements         []
revocation_statements    []
rollback_statements      []
  5. Reboot the AWS RDS PostgreSQL instance with the "Reboot With Failover?" checkbox ticked.
  6. Wait about a minute or two and try to read database/creds/db_rw.

Important Factoids:

References:

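As an added example (not part of the original issue and not Vault's own code), the following stand-alone probe checks the two things the report above leaves to manual observation: whether the RDS endpoint's DNS answer has moved to a different address after the reboot-with-failover, and how long a `database/creds/db_rw` read takes under a client-side deadline, so a request that runs up to the listener's 90s `max_request_duration` is reported as hung rather than waited on. It uses only the Python standard library. `VAULT_ADDR`, `VAULT_TOKEN`, `RDS_ENDPOINT` and `VAULT_DB_ROLE` are assumed environment variables for a live run; the `constructed_*` helpers, the host names, addresses and lease ID in them are fabricated stand-ins so the probe can be exercised offline.

```python
"""Probe for the failover scenario in this issue: did the RDS endpoint's DNS
answer change, and can Vault still mint database/creds/<role> within a
deadline?  Added example, not Vault's own code; standard library only.
VAULT_ADDR, VAULT_TOKEN, RDS_ENDPOINT and VAULT_DB_ROLE are assumed
environment variables for a live run."""
import io
import json
import os
import socket
import time
import urllib.error
import urllib.request

# Matches max_request_duration: "1m30s" in the issue's startup log.
VAULT_MAX_REQUEST_DURATION = 90


def resolve_endpoint(host, port=5432, getaddrinfo=socket.getaddrinfo):
    """Sorted, de-duplicated addresses `host` resolves to right now. After a
    multi-AZ failover the RDS endpoint CNAME points at the new primary."""
    infos = getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def endpoint_changed(before, after):
    """True when the resolved address set differs, i.e. a failover happened."""
    return set(before) != set(after)


def read_creds(vault_addr, token, role, timeout, urlopen=urllib.request.urlopen):
    """GET /v1/database/creds/<role>; return (elapsed_s, outcome, detail) where
    outcome is "ok", "http_error" or "no_response" and detail is the lease_id
    or the error text. The deadline is enforced client-side."""
    req = urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/database/creds/{role}",
        headers={"X-Vault-Token": token},
    )
    start = time.monotonic()
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read())
        return time.monotonic() - start, "ok", body["lease_id"]
    except urllib.error.HTTPError as exc:  # subclass of URLError, so first
        return time.monotonic() - start, "http_error", f"HTTP {exc.code}"
    except (urllib.error.URLError, TimeoutError, socket.timeout) as exc:
        return time.monotonic() - start, "no_response", str(exc)


def classify(results, max_request_duration=VAULT_MAX_REQUEST_DURATION):
    """'hung' when a request got no response and ran to (nearly) Vault's
    max_request_duration, the symptom reported here; 'degraded' for fast
    failures; 'healthy' otherwise."""
    if any(o == "no_response" and e >= 0.9 * max_request_duration
           for e, o, _ in results):
        return "hung"
    if any(o != "ok" for _, o, _ in results):
        return "degraded"
    return "healthy"


def probe(vault_addr, token, role, endpoint, attempts=6, interval=10,
          timeout=VAULT_MAX_REQUEST_DURATION + 5):
    """Live run: baseline the endpoint, request creds `attempts` times, then
    re-resolve. The client deadline sits just above Vault's own limit so
    Vault's timeout behaviour is observed rather than masked."""
    baseline = resolve_endpoint(endpoint)
    results = []
    for _ in range(attempts):
        results.append(read_creds(vault_addr, token, role, timeout))
        time.sleep(interval)
    return endpoint_changed(baseline, resolve_endpoint(endpoint)), classify(results), results


# Constructed stand-ins (fabricated addresses and lease id) so the probe can be
# exercised offline; a live run uses socket.getaddrinfo and urlopen instead.
def constructed_addrinfo_before(host, port, proto=0):
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", ("10.0.1.20", port))] * 2


def constructed_addrinfo_after(host, port, proto=0):
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", ("10.0.2.47", port))]


def constructed_urlopen_ok(req, timeout):
    body = {"lease_id": "database/creds/db_rw/constructed-lease", "lease_duration": 3600,
            "data": {"username": "v-approle-db_rw-constructed", "password": "constructed"}}
    return io.BytesIO(json.dumps(body).encode())


def constructed_urlopen_hung(req, timeout):
    raise socket.timeout("timed out")  # real urlopen raises this after `timeout`


def demo():
    """Offline walk-through of the scenario with the constructed stand-ins."""
    host = "db.example.rds.amazonaws.com"  # fabricated
    before = resolve_endpoint(host, getaddrinfo=constructed_addrinfo_before)
    after = resolve_endpoint(host, getaddrinfo=constructed_addrinfo_after)
    ok = read_creds("http://vault.example:8200", "s.x", "db_rw", 90, urlopen=constructed_urlopen_ok)
    hung = read_creds("http://vault.example:8200", "s.x", "db_rw", 90, urlopen=constructed_urlopen_hung)
    return {"failover_detected": endpoint_changed(before, after), "before": before,
            "after": after, "before_failover": classify([ok]), "after_failover": hung[1]}


if __name__ == "__main__":
    if os.environ.get("RDS_ENDPOINT"):
        changed, verdict, results = probe(
            os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
            os.environ.get("VAULT_DB_ROLE", "db_rw"), os.environ["RDS_ENDPOINT"])
        print(json.dumps({"failover_detected": changed, "verdict": verdict,
                          "results": results}, indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it once before the reboot to capture the baseline address, then again during the "wait a minute or two" window of step 6; a verdict of `hung` together with `failover_detected: true` reproduces the symptom described above, while `degraded` (fast failures) points at a different cause such as the listener or token rather than a stalled database connection pool. The probe only observes Vault's API; the tcpdump check on the RDS addresses remains a separate step.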
Labels:

  • bug
  • community-sentiment
  • secret/database