Vault Issues

If you suddenly start getting errors when using Anyware Manager features, it is possible the Vault token used in your Anyware Manager deployment has expired. To diagnose the problem, follow these steps:

  1. Run the following command to follow the logs for the secret management service:

    kubectl logs -l app=secretmgmt -f
    

  2. While streaming the secretmgmt logs, try logging in to Anyware Manager. If you see the following message in the logs, your Vault token may have expired:

    {"message":"Permission denied","level":"error"}
    

  3. To confirm that the Vault token has expired, run the following command on the machine where the Vault CLI is installed:

    vault token lookup <your Anyware Manager Vault token>

  4. If you get the following message after running this command, then your Anyware Manager token has expired or become invalid:

    Error looking up token: Error making API request.
    
    URL: POST https://<your Vault address>/v1/auth/token/lookup
    Code: 403. Errors:
    
    * bad token
    

To fix this issue, create a renewable token and update your Anyware Manager's Vault configuration to use that token. To prevent the Vault token from expiring prematurely again, follow the steps outlined here to set up automatic renewal for your Vault token.
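
The following is an added example, not part of the Anyware Manager documentation: a small Python check that reads the JSON printed by `vault token lookup -format=json` and reports whether the replacement token is renewable and how close it is to expiry, so a problem is caught before the "Permission denied" errors return. The function name `assess_token`, the 24-hour threshold, the finding labels and the sample JSON are assumptions made for this example; the field names (`ttl`, `renewable`, `explicit_max_ttl`, `expire_time`) are those in the Vault CLI's lookup output.

```python
import json
import sys

# Constructed sample of `vault token lookup -format=json` output (all values made up).
SAMPLE_LOOKUP = """
{
  "data": {
    "display_name": "token",
    "expire_time": "2030-01-01T00:00:00Z",
    "explicit_max_ttl": 0,
    "policies": ["default"],
    "renewable": false,
    "ttl": 3600
  }
}
"""


def assess_token(lookup_json, min_ttl_seconds=86400):
    """Return findings for one lookup result; an empty list means no concerns.

    min_ttl_seconds is an assumed alert threshold (24 hours), not a Vault default.
    """
    if not lookup_json.strip():
        # Assumption: a failed lookup (such as the 403 "bad token" error)
        # writes its message to stderr, so stdout is empty.
        return ["lookup-failed"]
    data = json.loads(lookup_json).get("data") or {}
    ttl = data.get("ttl", 0)
    if ttl == 0 and data.get("expire_time") is None:
        # Vault reports ttl 0 and no expire_time for a token that never expires.
        return ["no-expiry"]
    findings = []
    if not data.get("renewable", False):
        findings.append("not-renewable")  # cannot be extended; expires as issued
    if ttl < min_ttl_seconds:
        findings.append("ttl-low")  # expires soon unless renewed
    if data.get("explicit_max_ttl", 0) > 0:
        findings.append("explicit-max-ttl")  # renewal cannot extend past this cap
    return findings


if __name__ == "__main__":
    # Usage: vault token lookup -format=json | python3 check_token.py
    text = SAMPLE_LOOKUP if sys.stdin.isatty() else sys.stdin.read()
    print(assess_token(text) or "token looks healthy")
```

Run with no argument, `vault token lookup` inspects the token in `VAULT_TOKEN`, which keeps the token value out of shell history and process listings.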