VaultSharp:"permission denied" 尝试列出机密时

VaultSharp: "permission denied" when trying to list secrets

我一直试图通过 API 简单地列出我的 KeyValue Vault 中的秘密,但我使用 AppRole 身份验证时遇到“权限被拒绝”的情况。这是我目前所拥有的。

来电

private async Task RetrieveSecrets()
{
    // Fails here, though it's the actual service method that fails (see below)
    List<string> secrets = (await _vaultService.GetSecretsList()).ToList();
    AvailableSecrets.Clear();
    foreach (string secret in secrets)
    {
        AvailableSecrets.Add(secret);
    }
}

VaultService

internal class VaultService : IVaultService
{
    private IVaultClient _client;

    public VaultService(IOptions<ApplicationSettings> applicationSettings)
    {
        CreateClient(applicationSettings.Value);
    }

    public async Task<IEnumerable<string>> GetSecretsList()
    {
        Secret<ListInfo> secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret");
        ListInfo secrets = secret.Data;
        return secrets.Keys;
    }

    private void CreateClient(ApplicationSettings settings, bool forceRecreate = false)
    {
        if (_client == null || forceRecreate)
        {
            // Role authorization
            IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(settings.VaultRoleId, settings.VaultSecretId);
            VaultClientSettings vaultClientsettings = new VaultClientSettings(settings.VaultUrl, authMethod);

            _client = new VaultClient(vaultClientsettings);
        }
    }
}

我已通过 vault kv list secret/ 命令验证密钥 do 存在。输出:

λ vault kv list secret/  
Keys  
----  
creds

我也仔细检查了政策:

λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","list"]
}

path "secret/data/foo" {
  capabilities = ["read","list"]
}

最后,我使用 Postman 和以下 http 调用验证了 RoleId 和 SecretId(并且正在传递正确的):

角色:http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
秘密:http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id

我一直在这里到处寻找,我什至尝试用 `` 上的参数玩这个:

_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("", "secret") // no dice
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("data", "secret") // also no dice

知道我错过了什么吗?

经过一番折腾,终于找到了问题所在:一般是权限问题。

key原来在policy文件里,原来是这样的:

λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","list"]
}

path "secret/data/foo" {
  capabilities = ["read","list"]
}

对于初学者来说,第二条路基本上是垃圾。它在那里是因为当我学习教程时它被复制了。不过,更重要的是:第一条路径不允许我列出元数据。

最后我改成了下面这样:

λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","read","list"]
}

path "secret/*" {
  capabilities = ["create","update","read","list"]
}

他们现在也有 read/create/update/list 的事实并不是这里真正重要的部分——我这样做是为了确保我的 POC 可以做它需要做的一切。这里的重要部分是 secret/* 需要 list 权限。

更新策略后,AppRole auth 完美运行。