
Importing NSC generated ops and users and accounts #19

Open
aKardasz opened this issue Nov 6, 2023 · 9 comments

Comments

@aKardasz (Contributor)

aKardasz commented Nov 6, 2023

Hello,

What would the order of imports be if I wanted to import all the data created previously by the nsc tool?

I am having a bit of trouble adding everything in to be able to keep generating accounts and users, while updating the nats servers with this new setup.

@batthebee (Contributor)

Hi,

Normally, the order should not matter. What exactly is not working? Do you get meaningful logs?

@aKardasz (Contributor, Author)

aKardasz commented Nov 7, 2023

So I originally imported as follows:

Operator Nkey,
Operator Signing Key

sys account nkey
sys account signing key

etc., but these didn't show up as an op, acc, or user. So then, using those keys, I created ops, acc, and user using issue; however none of them linked (they were created successfully though). I think this may have been due to how I was running each command and what I was passing in, as when I tried it again it worked. Now I am only concerned about the nats servers being set up possibly with a different jwt made via nsc, so I'm afraid to attach vault to it just yet, as I don't want to risk blowing up my test environment credentials-wise just yet.

What we are trying to do is bootstrap the initial set of credentials and then pass all this bootstrapped info to the vault instance that will actually be generating the credentials. (It would have to be done this way due to how the environment is set up currently.)

So just trying to get the initial ops, sys and sys user made, export these and import into the new vault instance and continue on from there. Also want to thank you guys for all the hard work put into this plugin.

@aKardasz (Contributor, Author)

aKardasz commented Nov 16, 2023

Update: So I was able to get a set of credentials created using the signing keys etc. (account and user), and when I manually added them to nsc, they worked; however, for some reason the plugin keeps giving me unauthorized when trying to sync. On the nats side it is saying that the jwt does not exist, however I copied them directly from the config file and imported them manually into vault. Is there any info I can provide to possibly see if I can get past this sync issue? (The operators, sys account, and sys user were created previously using nsc, and then imported into the plugin.)

Could this be because I generated the default-push user and replaced its jwt with the one I provided for the Nats resolver preload account? The generated credentials themselves work if I manually add them to nsc and do an nsc push -A. The config for the operator and the jwt is slightly different, primarily because the IP used is different, since the IP between the nsc location and vault is different, but both IPs lead to the same server. However, I also replaced the operator and account jwts with the ones from nsc.

@aKardasz (Contributor, Author)

I was able to get vault to spit out: "cannot sync account server: system account user nkey does not exist"

However, the nkey is there, and was manually imported

@batthebee (Contributor)

Thanks for the info, we will check that!

@aKardasz (Contributor, Author)

Yeah, I figured it out: you pretty much have to generate the various pieces in a certain order for it to all pick up nicely. Might be worth looking into a feature for importing from nsc, or a small script to do so. (I will probably get around to something like this, just have to finish a few other items on my list of todos.) On another note, is there any way to force sync vault to the nats server, more so if I want it to sync right after a user/credential is made, so that there is no 2 minute delay between creation and being able to utilize it?

@batthebee (Contributor)

@aKardasz The problem was that, depending on the import sequence, the required nkeys did not yet exist. As a result, the corresponding issue was not created. I changed it so that the keys and issues are created in any case and then updated.

I released version v1.4.0. The import order should not matter now.

The explicit update of the account server and a small import script will be done in another step.

@aKardasz (Contributor, Author)

aKardasz commented Dec 7, 2023

@batthebee wow, wasn't expecting such a quick turnaround. Thank you!

I think I may have found another bug.

When the plugin is running in sync mode and someone creates a set of credentials and pushes them with the nsc cli, the nats vault plugin seems to not be able to connect to the server.

{"level":"error","time":1701991369,"message":"resolver: failed to get response to create: nats: timeout"}

{"level":"error","operator":"<OPERATOR_NAME>","account":"<ACCOUNT_NAME>","error":"no response from server","time":1701991369,"message":"cannot sync account server (add)"}

This only occurs after someone pushes up credentials with nsc cli. A restart of vault seems to fix the issue.

@ruspaul013

ruspaul013 commented Mar 25, 2024

Hello @aKardasz, @batthebee

Can you help me with a tutorial on how to import nsc generated system operator, account and user? I tried different ways, but with no success.

Steps that I tried:

  • create the op, acc and users:
      nsc add operator --generate-signing-key --sys --name local
      nsc edit operator --require-signing-keys --account-jwt-server-url nats://<server>
      nsc add account --name myaccount
      nsc push -a myaccount -u nats://<server>
  • take seed, jwt for each one
  • create in vault sys op, acc and users using the files from examples
  • overwrite nkeys and jwt:
      vault write nats-secrets/nkey/operator/local seed=""
      vault write nats-secrets/nkey/operator/local/signing/opsk1 seed="" signing="opsk1"
      vault write nats-secrets/nkey/operator/local/account/sys seed=""
      vault write nats-secrets/nkey/operator/local/account/sys/signing/sask1 seed="" signing="sask1 "
      vault write nats-secrets/nkey/operator/local/account/sys/user/default-push seed=""
      vault write nats-secrets/nkey/operator/local/account/myaccount seed=""

      vault write nats-secrets/jwt/operator/local jwt=""
      vault write nats-secrets/jwt/operator/local/account/sys jwt=""
      vault write nats-secrets/jwt/operator/local/account/sys/user/default-push jwt=""
      vault write nats-secrets/jwt/operator/local/account/myaccount jwt=""

Do I need to do something else, or is the way that I am doing it wrong?
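As an added example (not code from the plugin or from anyone in this thread), here is a POSIX shell script that turns a directory of seeds and JWTs exported from nsc into `vault write` calls against the nkey/... and jwt/... paths used in this thread, always emitting every nkey before any JWT so that the import-order problem described earlier in the thread cannot recur. The export-directory layout, the `plan_import` and `run_import` names, and the `nats-secrets` mount name are assumptions made for this script; the `key=@file` form of `vault write` is the Vault CLI's way of reading a value from a file.

```shell
#!/bin/sh
# Added example, not part of vault-plugin-secrets-nats or of this thread.
# Emits (plan_import) or executes (run_import) the vault writes needed to import
# material that nsc generated, in a fixed order: all nkeys first, then all JWTs.
#
# Assumed layout of the export directory (seed files hold the S... seed, jwt files
# hold the raw JWT; write them without a trailing newline, e.g. printf '%s'):
#   operator.seed                      operator.jwt
#   operator.signing.<name>.seed
#   account.<acc>.seed                 account.<acc>.jwt
#   account.<acc>.signing.<name>.seed
#   user.<acc>.<user>.seed             user.<acc>.<user>.jwt
# Account and user names must not contain dots (they are used as separators).

MOUNT="${MOUNT:-nats-secrets}"   # assumed mount path, matches the thread

# plan_import DIR OPERATOR : print one `vault write ...` per line, execute nothing.
plan_import() {
  dir="$1"; op="$2"
  kbase="$MOUNT/nkey/operator/$op"
  jbase="$MOUNT/jwt/operator/$op"
  [ -f "$dir/operator.seed" ] || { echo "missing $dir/operator.seed" >&2; return 1; }
  [ -f "$dir/operator.jwt" ]  || { echo "missing $dir/operator.jwt" >&2; return 1; }

  # 1. operator nkey, then its signing keys
  echo "vault write $kbase seed=@$dir/operator.seed"
  for f in "$dir"/operator.signing.*.seed; do
    [ -e "$f" ] || continue
    name=$(basename "$f" .seed); name=${name#operator.signing.}
    echo "vault write $kbase/signing/$name seed=@$f signing=$name"
  done

  # 2. account nkeys, each followed by that account's signing keys
  for f in "$dir"/account.*.seed; do
    [ -e "$f" ] || continue
    name=$(basename "$f" .seed); name=${name#account.}
    case "$name" in *.signing.*) continue ;; esac   # handled with its account below
    echo "vault write $kbase/account/$name seed=@$f"
    for s in "$dir"/account."$name".signing.*.seed; do
      [ -e "$s" ] || continue
      sk=$(basename "$s" .seed); sk=${sk#account."$name".signing.}
      echo "vault write $kbase/account/$name/signing/$sk seed=@$s signing=$sk"
    done
  done

  # 3. user nkeys
  for f in "$dir"/user.*.seed; do
    [ -e "$f" ] || continue
    rest=$(basename "$f" .seed); rest=${rest#user.}
    acc=${rest%%.*}; usr=${rest#*.}
    echo "vault write $kbase/account/$acc/user/$usr seed=@$f"
  done

  # 4. JWTs only now, when every key they depend on already exists
  echo "vault write $jbase jwt=@$dir/operator.jwt"
  for f in "$dir"/account.*.jwt; do
    [ -e "$f" ] || continue
    name=$(basename "$f" .jwt); name=${name#account.}
    echo "vault write $jbase/account/$name jwt=@$f"
  done
  for f in "$dir"/user.*.jwt; do
    [ -e "$f" ] || continue
    rest=$(basename "$f" .jwt); rest=${rest#user.}
    acc=${rest%%.*}; usr=${rest#*.}
    echo "vault write $jbase/account/$acc/user/$usr jwt=@$f"
  done
}

# run_import DIR OPERATOR : execute the plan, stopping at the first failed write.
run_import() {
  plan_import "$@" | sh -e
}

# Usage: ./import-nsc.sh ./export local   (prints the plan; pipe it to `sh -e` or
# call run_import to apply it against a running Vault with VAULT_ADDR/VAULT_TOKEN set)
if [ "$#" -ge 2 ]; then
  plan_import "$1" "$2"
fi
```

Reviewing the printed plan before piping it to `sh -e` is the point of splitting plan and run: you can check that every path matches what the plugin expects and that no seed file is missing before a single key reaches Vault.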
