Vault Issues

If you suddenly start getting errors when using CAS Manager features, the Vault token used by your CAS Manager deployment may have expired. To diagnose, work through the following steps:

  1. Run the following command to follow the logs for the secret management service:

    kubectl logs -l app=secretmgmt -f
    

  2. While streaming the secretmgmt logs, try logging in to CAS Manager. If you see the following message in the logs, your Vault token may have expired:

    {"message":"Permission denied","level":"error"}
    

  3. To confirm that the Vault token has expired, run the following command on the machine where the Vault CLI is installed:

    vault token lookup <your CAS Manager Vault token>

  4. If you get the following message after running this command, then your CAS Manager token has expired or become invalid:

    Error looking up token: Error making API request.

    URL: POST https://<your Vault address>/v1/auth/token/lookup
    Code: 403. Errors:

    * bad token

To fix this issue, create a renewable token and update your CAS Manager's Vault configuration to use that token. To prevent the Vault token from expiring prematurely again, follow the steps outlined here to set up automatic renewal for your Vault token.
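
The checks above can be scripted. The following is an added example, not part of the CAS Manager documentation: it counts the `Permission denied` error in secretmgmt log lines and evaluates the JSON printed by `vault token lookup -format=json`, so that a non-renewable or soon-to-expire token is noticed before requests start failing. The sample inputs, the seven-day warning threshold and the function names are assumptions.

```python
import json

# Constructed sample of `vault token lookup -format=json` output (not from the page).
SAMPLE_LOOKUP = json.dumps({"data": {
    "expire_time": "2030-01-31T00:00:00Z", "explicit_max_ttl": 0,
    "renewable": False, "ttl": 3600,
}})

# Constructed secretmgmt log lines; the error entry matches the message in step 2.
SAMPLE_LOGS = [
    '{"message":"Server started","level":"info"}',
    '{"message":"Permission denied","level":"error"}',
    'plain text line that is not JSON',
]

WARN_BELOW_SECONDS = 7 * 24 * 3600  # assumed threshold: warn a week before expiry

def permission_denied_count(lines):
    """Count error-level "Permission denied" entries in JSON log lines."""
    count = 0
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON output mixed into the stream
        if (isinstance(entry, dict) and entry.get("level") == "error"
                and entry.get("message") == "Permission denied"):
            count += 1
    return count

def token_findings(lookup_json, warn_below=WARN_BELOW_SECONDS):
    """Return findings for one token lookup response; ["ok"] if none."""
    data = json.loads(lookup_json).get("data") or {}
    ttl = data.get("ttl", 0)
    if ttl == 0 and not data.get("expire_time"):
        return ["no expiry set"]  # e.g. a root token; nothing to renew
    findings = []
    if not data.get("renewable", False):
        findings.append("not renewable: token will expire and cannot be extended")
    if ttl < warn_below:
        findings.append(f"expires in {ttl} seconds")
    if data.get("explicit_max_ttl", 0):
        findings.append("explicit max TTL set: renewal cannot go past it")
    return findings or ["ok"]

if __name__ == "__main__":
    print(permission_denied_count(SAMPLE_LOGS), token_findings(SAMPLE_LOOKUP))
```

Feed `token_findings` the lookup output for the token CAS Manager is configured with; any result other than `["ok"]` is worth acting on before the token lapses.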