Hashicorp Vaultsharp permission denied error
Error
System.Exception: Vault configuration failed: One or more errors occurred. ({"errors":["1 error occurred:\n\t* permission denied\n\n"]})
at VaultConnection.VaultExtensions.AddVaultKeys.GetValutKeyValuePairs(IConfiguration buildConfig) in C:\Users013\Source\Repos\sample\Vault1\VaultConnection\VaultExtensions\AddVaultKeys.cs:line 67
at VaultConnection.Startup.ConfigureServices(IServiceCollection services) in
Summary
Using the AppRoleAuthMethodInfo method to read key-values from Hashicorp
Vault results in a permission denied error. A small snippet of code is
given below to describe the problem.
Here is the code snippet:
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(buildConfig["vault:roleid"], buildConfig["vault:secretid"]);
var VaultClientSettings = new VaultClientSettings(buildConfig["vault:address"], authMethod);
IVaultClient vaultClient = new VaultClient(VaultClientSettings);
// Token Apis.
var callingTokenInfo = vaultClient.V1.Auth.Token.LookupSelfAsync().Result;
var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1
.ReadSecretAsync(buildConfig["vault:path"])
.Result.Data;
---> It throws the error at this point and fails to execute the line above: var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1.........
Output of DisplayJson(callingTokenInfo)
Output of this token is -
{"request_id":"e5e71c03-6972-12ff-9e30-d42c8e2f188a","lease_id":"","renewable":false,"lease_duration":0,"data":{"accessor":"FuLTEKwYmJ2IGZyDwvCmJ1Vm","explicit_max_ttl":0,"renewable":true,"creation_time":1591617019,"creation_ttl":2764800,"orphan":true,"ttl":2764799,"type":"service","id":"s.6GJMAbWxQU82cm1K7ajcSgv5","policies":["default","sqlconnection"],"meta":{"role_name":"sqlconnectionrole"},"path":"auth/approle/login","display_name":"approle","num_uses":0,"entity_id":"811d33fe-e9e5-ac4e-3fbf-9809c0a85b3d","expire_time":"2020-07-10T17:20:19.2386078+05:30","identity_policies":null,"issue_time":"2020-06-08T17:20:19.2386078+05:30"},"wrap_info":null,"warnings":null,"auth":null}
Apart from this, here are the steps used to create the policy and associate the role:
1. vault secrets enable -path=devkv kv
2. vault kv put devkv/connection timeout=120 source=DATA
3. vault policy write sqlconnection sqlconnection.hcl
4. Output of the policy created: - vault policy read sqlconnection
path "devkv/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "devkv/appId*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
5. vault auth enable approle
6. vault write auth/approle/role/sqlconnectionrole policies=default,sqlconnection
7. vault read auth/approle/role/sqlconnectionrole/role-id
8. vault write -f auth/approle/role/sqlconnectionrole/secret-id
If I test this through the command line, I am able to access the keys.
9. vault write auth/approle/login role_id="1a5aa9a5-9d79-5743-de-9dca0433dc77" secret_id="138ec92b-02c8-610d-109b-3f325e29be"
Step 9
Output of executing the command
I received a token from this command. I logged in with this token to check whether or not the keys associated with the sqlconnection role can be read, and I was successfully able to read the value.
> PS C:\WINDOWS\system32> vault write auth/approle/login role_id="1a5aa9a5-9d79-5743-3cde-9dca0433dc77" secret_id="138ec92b-02c8-610d-109b-3f325e29bef0"
> Key Value
> --- -----
> token s.g5NfR7DJLSD9hp1amXCvp92I
> token_accessor u5raQKxARuAjluywS1SatFuy
> token_duration 768h
> token_renewable true
> token_policies ["default" "sqlconnection"]
> identity_policies []
> policies ["default" "sqlconnection"]
> token_meta_role_name sqlconnectionrole
> PS C:\WINDOWS\system32> vault login s.g5NfR7DJLSD9hp1amXCvp92I
> WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
> over the value set by this command. To use the value set by this command,
> unset the VAULT_TOKEN environment variable or set it to the token displayed
> below.
>
> Success! You are now authenticated. The token information displayed below
> is already stored in the token helper. You do NOT need to run "vault login"
> again. Future Vault requests will automatically use this token.
>
> Key Value
> --- -----
> token s.g5NfR7DJLSD9hp1amXCvp92I
> token_accessor u5raQKxARuAjluywS1SatFuy
> token_duration 767h59m35s
> token_renewable true
> token_policies ["default" "sqlconnection"]
> identity_policies []
> policies ["default" "sqlconnection"]
> token_meta_role_name sqlconnectionrole
>
> PS C:\WINDOWS\system32> vault kv get devkv/connection
> ===== Data =====
> Key Value
> source DATA
> timeout 120
>
Your mount point is mixed up with the secret path. Separate them as follows:
var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1
.ReadSecretAsync("connection", "devkv").Result.Data;
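The following C# program is an added example, not code from the question or from the answer, that makes the mismatch behind the "permission denied" concrete. It assumes the VaultSharp overload KeyValue.V1.ReadSecretAsync(path, mountPoint), whose mountPoint defaults to "kv", copies the two rules of sqlconnection.hcl from the question, and computes the request path each call actually sends so the policy decision can be reproduced offline. The class and method names (VaultPathCheck, EffectiveRequestPath, PolicyAllows, ReadConnectionSecretAsync) are constructed here, and the miniature ACL matcher only models the trailing-`*` prefix rules seen on this page, not Vault's full policy syntax (C# 9 or later for records and target-typed new).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using VaultSharp;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.AppRole;

// Added example; assumes VaultSharp's KV v1 ReadSecretAsync(path, mountPoint)
// overload, whose mountPoint parameter defaults to "kv" (library default, assumed).
public static class VaultPathCheck
{
    // One policy rule as written in the HCL from the question: path pattern + capabilities.
    public sealed record Rule(string PathPattern, string[] Capabilities);

    // The two rules of sqlconnection.hcl, copied from the question.
    public static readonly Rule[] SqlConnectionPolicy =
    {
        new("devkv/*",      new[] { "create", "read", "update", "delete", "list" }),
        new("devkv/appId*", new[] { "create", "read", "update", "delete", "list" }),
    };

    // The request path the KV v1 client sends to Vault: "<mountPoint>/<path>".
    public static string EffectiveRequestPath(string path, string mountPoint = "kv")
        => $"{mountPoint.Trim('/')}/{path.TrimStart('/')}";

    // Reduced ACL check: a trailing '*' is a prefix glob, any other pattern is an exact
    // match, and the longest matching pattern decides. (Constructed model; only the rule
    // shapes on this page are handled, not '+' segments or deny rules.)
    public static bool PolicyAllows(IEnumerable<Rule> rules, string requestPath, string capability)
    {
        var best = rules
            .Where(r => r.PathPattern.EndsWith("*")
                ? requestPath.StartsWith(r.PathPattern.TrimEnd('*'), StringComparison.Ordinal)
                : requestPath == r.PathPattern)
            .OrderByDescending(r => r.PathPattern.Length)
            .FirstOrDefault();
        return best != null && best.Capabilities.Contains(capability);
    }

    // The read the question wanted, with the mount point and the key path kept separate.
    public static async Task<IDictionary<string, object>> ReadConnectionSecretAsync(
        string address, string roleId, string secretId)
    {
        IAuthMethodInfo auth = new AppRoleAuthMethodInfo(roleId, secretId);
        var client = new VaultClient(new VaultClientSettings(address, auth));
        // "connection" is the key written in step 2, "devkv" is the mount enabled in step 1.
        var secret = await client.V1.Secrets.KeyValue.V1.ReadSecretAsync("connection", "devkv");
        return secret.Data;
    }

    public static void Main()
    {
        // The question's call: path "devkv/connection" under the library's default mount.
        var original = EffectiveRequestPath("devkv/connection");
        // The answer's call: path "connection" under the "devkv" mount.
        var corrected = EffectiveRequestPath("connection", "devkv");

        Console.WriteLine($"{original}: read allowed = {PolicyAllows(SqlConnectionPolicy, original, "read")}");
        Console.WriteLine($"{corrected}: read allowed = {PolicyAllows(SqlConnectionPolicy, corrected, "read")}");
    }
}
```

Run as written, the first line reports that `kv/devkv/connection` is denied, because neither `devkv/*` nor `devkv/appId*` is a prefix of it, while the second reports that `devkv/connection` is allowed by the `devkv/*` rule. That is the whole story of the error: the token's policies were fine (the lookup-self output lists `sqlconnection`), but the client composed a request path that no rule covers, and Vault's ACL check answers "permission denied" for an uncovered path. The same check can be made against a live server without writing code with `vault token capabilities <token> kv/devkv/connection` versus `vault token capabilities <token> devkv/connection`, and the request path Vault actually evaluated is recorded in its audit log, which is where to look first when a token that works from the CLI is denied from application code.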