Vault RedisDB Secret Engine: "ERR Usernames can't contain spaces or null characters".

Avatar
Akash Gupta
  • Updated

Issue

After configuring a connection with a Redis DB server in the Vault DB secret engine, Vault returns the following error (error) ERR Usernames can't contain spaces or null characters when generating dynamic credentials.

 

Cause

The error (error) ERR Usernames can't contain spaces or null characters is returned from Redis when a user that contains a space in its username is requested. 

Example from redis-cli:

:~$ redis-cli
127.0.0.1:6379> ACL SETUSER "john smith"

(error) ERR Usernames can't contain spaces or null characters

 

Vault will create a dynamic user using the default username_template which contains the .DisplayName field. The .DisplayName renders the "display_name" attribute of the authenticated token. If the user logged in to Vault has a space in their "display_name" attribute field from their token vault token lookup <auth_token> , the dynamic credential request will fail with the error. 

 

Solution

  1. Request dynamic credentials with a different auth method which does not contain spaces in the "display_name".

Important

Once an ACL rules (users) are either created or modified/updated, the configuration needs to be persisted to a file to make sure it survives a Redis restart. 

  • CONFIG REWRITE, if you are specifying your ACL users/rules inside your main configuration file (the default option).
  • ACL SAVE, if you are using an external ACL file.

Example of  /etc/redis/redis.conf using either CONFIG REWRITE or ACL SAVE.

# authenticating to DB with the default DB user and it's manually created password after generating few dynamic credentials from Vault.
127.0.0.1:6379> auth default Su05ol-7fzu2HHF4JAgW
OK

127.0.0.1:6379> CONFIG REWRITE
OK

127.0.0.1:6379> quit

# after restarting the Redis DB server
:~$ sudo cat /etc/redis/redis.conf | grep -i dynamic
# When dynamic HZ is enabled, the actual configured HZ will be used
dynamic-hz yes
user V_ROOT_MY-DYNAMIC-ROLE_CSCWRXGG5BKL3NJAONGC_1708097631 on sanitize-payload #55e22c224a4ae8326bea802ce85eeda3f60415dcb91e9dd1d3d53b7be2928d92 resetchannels -@all +@admin
user V_ROOT_MY-DYNAMIC-ROLE_K0QHRE9YV7PGDZQXBPUE_1708097628 on sanitize-payload #ce65553db534e1c4209a2043e136eaf7fc983315ca934e72e9a47e21d435e572 resetchannels -@all +@admin
user V_ROOT_MY-DYNAMIC-ROLE_PJNZN19WSNNJBQCREVWR_1708097643 on sanitize-payload #3f0b4b53d46f98f3f217090b385882d704bd312edc74b8109f643fb74f9102db resetchannels -@all +@admin
user V_ROOT_MY-DYNAMIC-ROLE_WT3H1FSIYBQ7APRAUAT4_1708097631 on sanitize-payload #5941dc87156d211d797c5f3506afb397a22187f53fb1b5cc763a903a082a1354 resetchannels -@all +@admin

 

References

 

 

Articles in this section

See more

Related articles