Issue
After configuring a connection with a Redis DB server in the Vault DB secret engine, Vault returns an error that says "ERR Usernames can't contain spaces or null characters" while generating a dynamic cred. This article intends to identify the possible cause/s of the error that was received.
Cause
The error "ERR Usernames can't contain spaces or null characters" actually comes from the Redis DB itself when someone or something (like Vault) tries to create a user whose username contains a space. Check the snippet below, captured directly from redis-cli:
:~$ redis-cli
127.0.0.1:6379> ACL SETUSER "john smith"
(error) ERR Usernames can't contain spaces or null characters
However, in our case, it is Vault that is trying to create a dynamic user using the default username_template, which contains the .DisplayName field. The .DisplayName field renders the "display_name" attribute of the authenticated token.
Hence, when a user logged in to Vault has a space in the "display_name" attribute of the authenticated token (visible via "vault token lookup <auth_token>"), generating a dynamic cred fails with the said error.
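To see which tokens would hit this error before the engine is wired up, the following added example (not part of this article, Vault, or the Redis plugin) re-creates the default template locally and applies the same username rule Redis enforces. The template text is an assumption reconstructed from the dynamic usernames shown in the redis.conf snippet below; "john smith" is a constructed display_name.

```python
import secrets
import string
import time
from typing import Optional

# Assumed default Redis username_template, reconstructed from the usernames
# V_ROOT_MY-DYNAMIC-ROLE_<random>_<unix_time> that appear in this article:
#   V_{{.DisplayName | uppercase | truncate 64}}_{{.RoleName | uppercase | truncate 64}}
#   _{{random 20 | uppercase}}_{{unix_time}}
ALPHANUM = string.ascii_uppercase + string.digits


def render_default_template(display_name: str, role_name: str,
                            now: Optional[int] = None,
                            rand: Optional[str] = None) -> str:
    """Render the username Vault would ask Redis to create for this token/role."""
    now = int(time.time()) if now is None else now
    rand = "".join(secrets.choice(ALPHANUM) for _ in range(20)) if rand is None else rand
    return "V_{}_{}_{}_{}".format(display_name.upper()[:64],
                                  role_name.upper()[:64], rand.upper(), now)


def redis_username_ok(username: str) -> bool:
    """The rule behind Redis' 'ERR Usernames can't contain spaces or null characters'."""
    return " " not in username and "\x00" not in username


def preflight(display_name: str, role_name: str) -> str:
    """Return the rendered username, or raise the same error Redis would return."""
    username = render_default_template(display_name, role_name)
    if not redis_username_ok(username):
        raise ValueError("ERR Usernames can't contain spaces or null characters: %r" % username)
    return username


if __name__ == "__main__":
    # "root" is the display_name of a root token; "john smith" is a constructed example.
    for name in ("root", "john smith"):
        try:
            print(name, "->", preflight(name, "my-dynamic-role"))
        except ValueError as err:
            print(name, "->", err)
```

Running it prints a valid V_ROOT_MY-DYNAMIC-ROLE_... username for "root" and the Redis error for "john smith", since the space in the display_name is carried verbatim into the rendered username.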
Solution
- Dynamic cred generation works fine for users with no spaces in the "display_name" attribute of the authenticated token, provided the secret engine is configured correctly.
- Use a customised username_template as and when the feature is incorporated into the Vault Redis DB plugin.
Important
Once ACL rules (users) are created or modified/updated, the configuration needs to be persisted to a file to make sure it survives a Redis restart. To do that, run either:
- CONFIG REWRITE, if you are specifying your ACL users/rules inside your main configuration file (the default option).
- ACL SAVE, if you are using an external ACL file.
Here is how it would look inside "/etc/redis/redis.conf" after either CONFIG REWRITE or ACL SAVE; check the snippet below:
# authenticating to the DB with the default DB user and its manually created password, after generating a few dynamic credentials from Vault.
127.0.0.1:6379> auth default Su05ol-7fzu2HHF4JAgW
OK
127.0.0.1:6379> CONFIG REWRITE
OK
127.0.0.1:6379> quit
# after restarting the Redis DB server
:~$ sudo cat /etc/redis/redis.conf | grep -i dynamic
# When dynamic HZ is enabled, the actual configured HZ will be used
dynamic-hz yes
user V_ROOT_MY-DYNAMIC-ROLE_CSCWRXGG5BKL3NJAONGC_1708097631 on sanitize-payload #55e22c224a4ae8326bea802ce85eeda3f60415dcb91e9dd1d3d53b7be2928d92 resetchannels -@all +@admin
user V_ROOT_MY-DYNAMIC-ROLE_K0QHRE9YV7PGDZQXBPUE_1708097628 on sanitize-payload #ce65553db534e1c4209a2043e136eaf7fc983315ca934e72e9a47e21d435e572 resetchannels -@all +@admin
user V_ROOT_MY-DYNAMIC-ROLE_PJNZN19WSNNJBQCREVWR_1708097643 on sanitize-payload #3f0b4b53d46f98f3f217090b385882d704bd312edc74b8109f643fb74f9102db resetchannels -@all +@admin
user V_ROOT_MY-DYNAMIC-ROLE_WT3H1FSIYBQ7APRAUAT4_1708097631 on sanitize-payload #5941dc87156d211d797c5f3506afb397a22187f53fb1b5cc763a903a082a1354 resetchannels -@all +@admin