![](/img/trans.png)
[英]Permission denied when trying to create database at a specified file location
[英]VaultSharp: “permission denied” when trying to list secrets
我一直试图通过 API 简单地列出我的 KeyValue Vault 中的秘密,并且我使用 AppRole auth 获得“权限被拒绝”。 这是我到目前为止所拥有的。
呼叫者
private async Task RetrieveSecrets()
{
// Fails here, though it's the actual service method that fails (see below)
List<string> secrets = (await _vaultService.GetSecretsList()).ToList();
AvailableSecrets.Clear();
foreach (string secret in secrets)
{
AvailableSecrets.Add(secret);
}
}
保险柜服务
internal class VaultService : IVaultService
{
private IVaultClient _client;
public VaultService(IOptions<ApplicationSettings> applicationSettings)
{
CreateClient(applicationSettings.Value);
}
public async Task<IEnumerable<string>> GetSecretsList()
{
Secret<ListInfo> secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret");
ListInfo secrets = secret.Data;
return secrets.Keys;
}
private void CreateClient(ApplicationSettings settings, bool forceRecreate = false)
{
if (_client == null || forceRecreate)
{
// Role authorization
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(settings.VaultRoleId, settings.VaultSecretId);
VaultClientSettings vaultClientsettings = new VaultClientSettings(settings.VaultUrl, authMethod);
_client = new VaultClient(vaultClientsettings);
}
}
}
我已经通过vault kv list secret/
命令验证了密钥确实存在。 Output:
λ vault kv list secret/
Keys
----
creds
我还仔细检查了政策:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","list"]
}
path "secret/data/foo" {
capabilities = ["read","list"]
}
最后,我使用 Postman 和以下 http 调用验证了 RoleId 和 SecretId(并且正确的一个正在传入):
角色: http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
秘密: http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id
我一直在这里到处乱摸,我什至试着用这个来玩弄``上的参数:
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("", "secret") // no dice
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("data", "secret") // also no dice
知道我错过了什么吗?
经过大量的修补,我终于找到了问题:一般来说是权限问题。
原来密钥在策略文件中,原来是这样的:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","list"]
}
path "secret/data/foo" {
capabilities = ["read","list"]
}
对于初学者来说,第二条路径基本上是垃圾。 它在那里是因为当我遵循教程时它被复制了。 不过,更重要的是:第一条路径不允许我列出元数据。
最终我将其更改为以下内容:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","read","list"]
}
path "secret/*" {
capabilities = ["create","update","read","list"]
}
他们现在都拥有read/create/update/list
这一事实并不是这里真正重要的部分——我这样做是为了确保我的 POC 可以做它需要做的一切。 这里的重要部分是需要对secret/*
有list
权限。
一旦我更新了策略,AppRole 身份验证就可以完美运行。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.