Keys can't be revoked when configured with a Project key

[grahamc]

I've run:

      # vault kv put packet/config api_token=a-project-key
      # vault kv put packet/role/foo type=project ttl=30 max_ttl=3600 project_id=xxx-xxx-xxx-xxx-xxx read_only=false

and then I created a key and revoked it. Vault's log shows an error in revocation:

Mar 28 12:37:43 kif vault[4655]: 2020-03-28T12:37:43.906Z [ERROR] expiration: failed to revoke lease: lease_id=packet/creds/foo/xxxxxxx error="failed to revoke entry: resp: (*logical.Response)(nil) err: DELETE https://api.packet.net/user/api-keys/xxxxxxxxxx: 403 Access denied for the current authentication token "

Looking at the user portal, this is the request to delete a project key:

Request URL:https://api.packet.net/api-keys/xxxxxxxxxxxxxxx?token=...
Request Method:DELETE

This plugin should probably have a way to clean up keys made this way, too: I don't really want to use a user key.

[t0mk]

Hey @grahamc, I've just tried to create a project key B (kv get to packet/role/foo) with project key A (from packet/config). It's possible. However, revoking key B with key A will err with {"errors":["Access denied for the current authentication token"]}. I.e. it's not possible to remove project key B with project key A (just as you wrote). I think it's fundamentally an API issue.

This actually can't even be sanitized, because packet/config is not aware if the key is project or user key.

I should definitely mention this in the readme, or in the docstrings in the code. also, we should create an API issue. Do you have other thoughts on how to proceed about this?

[grahamc]

Maybe one method would be to test that the key is a user key: on configuration or at startup time, create a temporary user key and immediately delete it. If it is a user key, this will go fine -- if it is a project key, it will fail to create it in the first place. That said, project keys should be able to delete project keys!

[displague]

Project API keys can now successfully create and destroy project SSH keys.

Does that resolve this issue?