VaultSharp: “permission denied” when trying to list secrets
I keep trying to simply list the secrets in my KeyValue Vault via API and I'm getting "permission denied" using AppRole auth. Here's what I have so far.
Caller
    private async Task RetrieveSecrets()
    {
        // Fails here, though it's the actual service method that fails (see below)
        List<string> secrets = (await _vaultService.GetSecretsList()).ToList();
        AvailableSecrets.Clear();
        foreach (string secret in secrets)
        {
            AvailableSecrets.Add(secret);
        }
    }
VaultService
    internal class VaultService : IVaultService
    {
        private IVaultClient _client;
        public VaultService(IOptions<ApplicationSettings> applicationSettings)
        {
            CreateClient(applicationSettings.Value);
        }
        public async Task<IEnumerable<string>> GetSecretsList()
        {
            Secret<ListInfo> secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret");
            ListInfo secrets = secret.Data;
            return secrets.Keys;
        }
        private void CreateClient(ApplicationSettings settings, bool forceRecreate = false)
        {
            if (_client == null || forceRecreate)
            {
                // Role authorization
                IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(settings.VaultRoleId, settings.VaultSecretId);
                VaultClientSettings vaultClientsettings = new VaultClientSettings(settings.VaultUrl, authMethod);
                _client = new VaultClient(vaultClientsettings);
            }
        }
    }
I've verified that keys do exist via the vault kv list secret/ command. Output:
λ vault kv list secret/
Keys
----
creds
I've also double-checked the policy:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","list"]
}
path "secret/data/foo" {
capabilities = ["read","list"]
}
Finally, I verified the RoleId and SecretId (and that the right one is getting passed in) using Postman and the following http calls:
Role: http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
Secret: http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id
I've been poking all over the place here, and I even tried playing around with the parameters on `` with this:
_client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret") // no dice
_client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("data", "secret") // also no dice
Any idea what I'm missing?
After a lot of tinkering around, I finally found the problem: a permissions issue in general.
The key turned out to be in the policy file, which was originally this:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","list"]
}
path "secret/data/foo" {
capabilities = ["read","list"]
}
For starters, the second path was basically junk. It was there because it got copied when I followed a tutorial. More importantly, though: the first path would not let me list metadata.
Ultimately I changed it to the following:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","read","list"]
}
path "secret/*" {
capabilities = ["create","update","read","list"]
}
The fact that they both now also have read/create/update/list isn't really the important part here -- I did that to make sure my POC could do everything it needed to. The important part here was that there needed to be list permissions on secret/*.
Once I updated the policy, AppRole auth worked perfectly.
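The root cause in the answer is that a KV v2 list is served from the mount's metadata/ path, so a grant on secret/data/* never applies to it. As an added example that is not from the question or the answer, the following Python script parses the path stanzas of the two policies quoted above and applies a simplified version of Vault's ACL matching (trailing * glob, most specific rule wins) to show which policy permits the list; parse_policy, path_matches and kv2_list_allowed are names chosen here, and the + wildcard and templated paths are not modelled.

```python
import re

# Policies quoted in the post: the original one that returned "permission denied"
# and the corrected one from the answer (reflowed to one stanza per line).
ORIGINAL_POLICY = '''
path "secret/data/*" { capabilities = ["create", "update","list"] }
path "secret/data/foo" { capabilities = ["read","list"] }
'''
FIXED_POLICY = '''
path "secret/data/*" { capabilities = ["create", "update","read","list"] }
path "secret/*" { capabilities = ["create","update","read","list"] }
'''

# One `path "..." { capabilities = [...] }` stanza, the only HCL form handled here.
_STANZA = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[(?P<caps>[^\]]*)\]',
    re.DOTALL,
)


def parse_policy(policy_text):
    """Return [(path, {capabilities})] from a policy; '#' comments are dropped."""
    text = "\n".join(line.split("#", 1)[0] for line in policy_text.splitlines())
    return [
        (m.group("path"),
         {c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()})
        for m in _STANZA.finditer(text)
    ]


def path_matches(rule_path, request_path):
    """Simplified Vault glob: a trailing '*' matches any suffix, otherwise exact
    match. The '+' single-segment wildcard is deliberately not modelled."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return request_path == rule_path


def kv2_list_allowed(policy_text, mount, secret_path=""):
    """A KV v2 list is LIST <mount>/metadata/<path>, not <mount>/data/<path>, so
    'list' must be granted on the metadata path for ReadSecretPathsAsync to work."""
    request = f"{mount}/metadata/{secret_path}"
    matching = [r for r in parse_policy(policy_text) if path_matches(r[0], request)]
    if not matching:
        return False  # no matching rule: Vault denies by default
    # Most specific rule wins: an exact path beats a glob, then the longest prefix.
    _, caps = max(matching, key=lambda r: (not r[0].endswith("*"), len(r[0])))
    return "deny" not in caps and "list" in caps
```

A least-privilege alternative to the answer's broad secret/* grant is a stanza with only list on secret/metadata/*, which this check also accepts.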