VaultSharp: "permission denied" when trying to list secrets
I've been trying to simply list the secrets in my KeyValue Vault through the API, and I'm getting "permission denied" using AppRole auth. This is what I have so far.

Caller
    private async Task RetrieveSecrets()
    {
        // Fails here, though it's the actual service method that fails (see below)
        List<string> secrets = (await _vaultService.GetSecretsList()).ToList();
        AvailableSecrets.Clear();
        foreach (string secret in secrets)
        {
            AvailableSecrets.Add(secret);
        }
    }
Vault service
    internal class VaultService : IVaultService
    {
        private IVaultClient _client;

        public VaultService(IOptions<ApplicationSettings> applicationSettings)
        {
            CreateClient(applicationSettings.Value);
        }

        public async Task<IEnumerable<string>> GetSecretsList()
        {
            // List the keys at the root of the KV v2 mount "secret"
            Secret<ListInfo> secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret");
            ListInfo secrets = secret.Data;
            return secrets.Keys;
        }

        private void CreateClient(ApplicationSettings settings, bool forceRecreate = false)
        {
            if (_client == null || forceRecreate)
            {
                // Role authorization
                IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(settings.VaultRoleId, settings.VaultSecretId);
                VaultClientSettings vaultClientsettings = new VaultClientSettings(settings.VaultUrl, authMethod);
                _client = new VaultClient(vaultClientsettings);
            }
        }
    }
I've verified with the `vault kv list secret/` command that the keys do exist. Output:
λ vault kv list secret/
Keys
----
creds
I've also double-checked the policy:
    λ vault policy read my-policy
    # Dev servers have version 2 of KV secrets engine mounted by default, so will
    # need these paths to grant permissions:
    path "secret/data/*" {
      capabilities = ["create", "update","list"]
    }
    path "secret/data/foo" {
      capabilities = ["read","list"]
    }
Finally, I verified the RoleId and SecretId (and that the correct ones are being passed in) using Postman with the following HTTP calls:

Role: http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
Secret: http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id
I've been fumbling around all over the place; I even tried playing with the parameters on `` using these:

    _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret") // no dice
    _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("data", "secret") // also no dice
Any idea what I'm missing?

After a lot of tinkering, I finally found the problem: generally speaking, it was a permissions issue.

It turns out the key was in the policy file, which originally looked like this:
    λ vault policy read my-policy
    # Dev servers have version 2 of KV secrets engine mounted by default, so will
    # need these paths to grant permissions:
    path "secret/data/*" {
      capabilities = ["create", "update","list"]
    }
    path "secret/data/foo" {
      capabilities = ["read","list"]
    }
For starters, the second path is basically garbage. It's there because it was copied over while I was following a tutorial. More importantly, though: the first path doesn't allow me to list metadata.

Eventually I changed it to the following:
    λ vault policy read my-policy
    # Dev servers have version 2 of KV secrets engine mounted by default, so will
    # need these paths to grant permissions:
    path "secret/data/*" {
      capabilities = ["create", "update","read","list"]
    }
    path "secret/*" {
      capabilities = ["create","update","read","list"]
    }
The fact that they now all have read/create/update/list isn't really the important part here; I did that to make sure my POC could do everything it needs to. The important part is that `list` permission is needed on `secret/*`.

Once I updated the policy, AppRole auth worked perfectly.
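The reason the original policy fails, as a worked example added here (it is not code from the question, the answer, VaultSharp or HashiCorp Vault): the KV v2 engine rewrites `vault kv list secret/` into a LIST on `secret/metadata/` and `vault kv get secret/creds` into a GET on `secret/data/creds`, so a rule on `secret/data/*` never matches the list request. The script below is a deliberately simplified model of Vault's ACL evaluation (only `*` suffix globs and exact paths, longest matching rule wins, no deny rules), which is enough to show which request paths the asker's original policy, the answer's `secret/*` fix, and a narrower least-privilege policy (an assumption of this example: `list` on `secret/metadata/*` plus `read` on `secret/data/*`) actually cover. All three policies and the sample operations are constructed inline.

```python
"""
Simplified model of Vault KV v2 request rewriting and ACL matching.
Assumptions (simplified from Vault's real ACL engine):
  * a policy path ending in "*" is a prefix glob; any other path is exact;
  * when several rules match, the longest matching path wins;
  * a request is denied unless the winning rule lists the capability;
  * the KV v2 engine is mounted at "secret/".
"""
from typing import Dict, Optional, Set, Tuple

Policy = Dict[str, Set[str]]

# Constructed: the asker's original (failing) policy.
ORIGINAL_POLICY: Policy = {
    "secret/data/*": {"create", "update", "list"},
    "secret/data/foo": {"read", "list"},
}

# Constructed: the answer's fix (broad prefix, covers metadata and data).
ANSWER_POLICY: Policy = {
    "secret/data/*": {"create", "update", "read", "list"},
    "secret/*": {"create", "update", "read", "list"},
}

# Constructed: a least-privilege alternative that only lists and reads.
LEAST_PRIVILEGE_POLICY: Policy = {
    "secret/data/*": {"read"},
    "secret/metadata/*": {"list"},
}

# HTTP verb -> capability checked by the ACL (create-vs-update nuance omitted).
VERB_TO_CAPABILITY = {"GET": "read", "LIST": "list", "POST": "update", "DELETE": "delete"}


def kv2_request(op: str, mount: str, key: str) -> Tuple[str, str]:
    """Translate `vault kv <op> <mount>/<key>` into the (verb, api_path) Vault sees.

    list -> LIST <mount>/metadata/<key>   get/put/delete -> <mount>/data/<key>
    """
    mount = mount.rstrip("/")
    key = key.lstrip("/")
    if op == "list":
        return "LIST", f"{mount}/metadata/{key}"
    if op == "get":
        return "GET", f"{mount}/data/{key}"
    if op == "put":
        return "POST", f"{mount}/data/{key}"
    if op == "delete":
        return "DELETE", f"{mount}/data/{key}"
    raise ValueError(f"unsupported kv op: {op}")


def matching_rule(policy: Policy, api_path: str) -> Optional[str]:
    """Return the most specific (longest) policy path matching api_path, or None."""
    best = None
    for rule_path in policy:
        if rule_path.endswith("*"):
            matched = api_path.startswith(rule_path[:-1])
        else:
            matched = api_path == rule_path
        if matched and (best is None or len(rule_path) > len(best)):
            best = rule_path
    return best


def is_allowed(policy: Policy, verb: str, api_path: str) -> bool:
    """Default-deny decision: the winning rule must grant the verb's capability."""
    rule = matching_rule(policy, api_path)
    return rule is not None and VERB_TO_CAPABILITY[verb] in policy[rule]


def check_kv(policy: Policy, op: str, mount: str, key: str) -> bool:
    """Would `vault kv <op> <mount>/<key>` succeed under this policy?"""
    verb, api_path = kv2_request(op, mount, key)
    return is_allowed(policy, verb, api_path)


if __name__ == "__main__":
    policies = (("original", ORIGINAL_POLICY), ("answer", ANSWER_POLICY),
                ("least-priv", LEAST_PRIVILEGE_POLICY))
    for name, policy in policies:
        for op, key in (("list", ""), ("get", "creds"), ("put", "creds")):
            verb, path = kv2_request(op, "secret/", key)
            verdict = "allowed" if is_allowed(policy, verb, path) else "permission denied"
            print(f"{name:10} kv {op:4} secret/{key:<5} -> {verb:6} {path:22} {verdict}")
```

Running it shows the original policy denying both the list (no rule matches `secret/metadata/`) and the read of `secret/data/creds` (the `secret/data/*` rule lacks `read`), the answer's `secret/*` rule allowing everything because it is a prefix of the metadata path, and the least-privilege policy allowing list and read while still denying writes. VaultSharp's `ReadSecretPathsAsync("", "secret")` issues the same LIST on `secret/metadata/`, so it is subject to the same check.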