VaultSharp: “permission denied” when trying to list secrets

Question

I keep trying to simply list the secrets in my KeyValue Vault via API and I'm getting "permission denied" using AppRole auth. Here's what I have so far.

Caller

private async Task RetrieveSecrets()
{
    // Fails here, though it's the actual service method that fails (see below)
    List<string> secrets = (await _vaultService.GetSecretsList()).ToList();
    AvailableSecrets.Clear();
    foreach (string secret in secrets)
    {
        AvailableSecrets.Add(secret);
    }
}

VaultService

internal class VaultService : IVaultService
{
    private IVaultClient _client;

    public VaultService(IOptions<ApplicationSettings> applicationSettings)
    {
        CreateClient(applicationSettings.Value);
    }

    public async Task<IEnumerable<string>> GetSecretsList()
    {
        Secret<ListInfo> secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret");
        ListInfo secrets = secret.Data;
        return secrets.Keys;
    }

    private void CreateClient(ApplicationSettings settings, bool forceRecreate = false)
    {
        if (_client == null || forceRecreate)
        {
            // Role authorization
            IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(settings.VaultRoleId, settings.VaultSecretId);
            VaultClientSettings vaultClientsettings = new VaultClientSettings(settings.VaultUrl, authMethod);

            _client = new VaultClient(vaultClientsettings);
        }
    }
}

I've verified that keys do exist via the vault kv list secret/ command. Output:

λ vault kv list secret/  
Keys  
----  
creds

I've also double-checked the policy:

λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","list"]
}

path "secret/data/foo" {
  capabilities = ["read","list"]
}

Finally, I verified the RoleId and SecretId (and that the right one is getting passed in) using Postman and the following http calls:

Role: http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
Secret: http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id

I've been poking all over the place here, and I even tried playing around with the parameters on `` with this:

_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("", "secret") // no dice
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("data", "secret") // also no dice

Any idea what I'm missing?

Answer 1

After a lot of tinkering around, I finally found the problem: a permissions issue in general.

The key turned out to be in the policy file, which was originally this:

λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","list"]
}

path "secret/data/foo" {
  capabilities = ["read","list"]
}

For starters, the second path was basically junk. It was there because it got copied when I followed a tutorial. More importantly, though: the first path would not let me list metadata.

Ultimately I changed it to the following:

λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","read","list"]
}

path "secret/*" {
  capabilities = ["create","update","read","list"]
}

The fact that they both now also have read/create/update/list isn't really the important part here -- I did that to make sure my POC could do everything it needed to. The important part here was that there needed to be list permissions on secret/* .

Once I updated the policy, AppRole auth worked perfectly.