revoke_lease not working

[shaneseaton]

My script is logging in with an approle, and using those credentials to call GCP (vault_client.secrets.gcp.generate_service_account_key). After doing some work with the GCP account I wanted to release the keys, so I was trying revoke_lease, but kept getting permission denied.

If I logged in to the CLI with the same approle, I am able to revoke the lease without a problems. Then when looking at the revoke_lease code, and comparing it to the output of

> vault lease revoke -output-curl-string <lease_id>
curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"sync":false}' https://my.vault.com/v1/sys/leases/revoke/<lease_id>

I can see the urls are built very differently, and then comparing that again to what the API doco says (https://developer.hashicorp.com/vault/api-docs/system/leases#revoke-lease) is different again, as the API doco say to use a POST method, not PUT.

I am not sure what to make of all it, perhaps its version compatibilities (we are using Vault 1.12.3)??? but I was able to write this little function that did the job. Note I am still using PUT

def my_revoke_lease(client, lease_id, sync=False):
    params = {
        # "lease_id": lease_id,
        "sync": sync
    }
    api_path = f"/v1/sys/leases/revoke/{lease_id}"
    return client._adapter.put(
        url=api_path,
        json=params,
    )

Is anyone able to work out is going on here?

[modwyer42]

I'm seeing this too. Looks like the API has quietly been changed for the revoke.
If you look at the older versions of the API docs you can see the revoke has changed. 1.4.x is using the PUT with 'lease_id' param as used in the HVAC class.
Then:

• 1.8.x introduces the 'sync' param.
• 1.9.x changes the method to POST.

So it looks like the HVAC revoke will potentially only work with v1.8.x and earlier. 😭

[briantist]

As for PUT vs POST: https://developer.hashicorp.com/vault/api-docs#api-operations

Vault currently considers PUT and POST to be synonyms

---

It looks like our revoke_lease method has not been updated in ~5 years, but it should still work.

A feature request should be submitted (with a PR if you're up for it!) to add the sync parameter but it should still be working without it.

The API's documentation is here: https://developer.hashicorp.com/vault/api-docs/system/leases#revoke-lease

Regarding lease_id (emphasis mine):

Specifies the ID of the lease to revoke. This parameter can either be specified in a json request, as shown below, or provided as a path parameter to the endpoint, like /sys/leases/revoke/:lease_id.

So while the CLI is using the path-based approach, the way hvac is doing it currently should be valid.

---

@shaneseaton
If I had to guess what's going on, I'd say that maybe your policies give your token permission to call /sys/leases/revoke/* but not /sys/leases/revoke (a constant source of confusion, I still get tripped on this often), see also: https://github.com/jeffsanicola/vault-policy-guide#folders-vs-endpoints

[shaneseaton]

@briantist Thanks for your response. You are indeed on the money with the permission issue. An easy oversight to make, we have updated our policies and the HVAC calls are working as expected. Thanks, I wouldn't have caught this without your assistance.

[briantist]

Excellent, glad that worked! I've gone and converted this into a Q&A discussion (I wasn't sure previously if it was going to end up being a bug, in which case I would've kept it in an issue).

[shaneseaton]

There is an argument to be made that you would need two methods for revoking, one based on the put/path method, and the other on the post/baseUrl. This would cater for edge case where policies were indeed needed to be /sys/leases/revoke/* and NOT /sys/leases/revoke. TBH It would probably just create confusion, and if anyone needs that edge case they could do something like what I did to workaround things.