VaultSharp:"permission denied" 尝试列出机密时
VaultSharp: "permission denied" when trying to list secrets
我一直试图通过 API 简单地列出我的 KeyValue Vault 中的秘密,但我使用 AppRole 身份验证时遇到“权限被拒绝”的情况。这是我目前所拥有的。
来电
private async Task RetrieveSecrets()
{
// Fails here, though it's the actual service method that fails (see below)
List<string> secrets = (await _vaultService.GetSecretsList()).ToList();
AvailableSecrets.Clear();
foreach (string secret in secrets)
{
AvailableSecrets.Add(secret);
}
}
VaultService
internal class VaultService : IVaultService
{
private IVaultClient _client;
public VaultService(IOptions<ApplicationSettings> applicationSettings)
{
CreateClient(applicationSettings.Value);
}
public async Task<IEnumerable<string>> GetSecretsList()
{
Secret<ListInfo> secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret");
ListInfo secrets = secret.Data;
return secrets.Keys;
}
private void CreateClient(ApplicationSettings settings, bool forceRecreate = false)
{
if (_client == null || forceRecreate)
{
// Role authorization
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(settings.VaultRoleId, settings.VaultSecretId);
VaultClientSettings vaultClientsettings = new VaultClientSettings(settings.VaultUrl, authMethod);
_client = new VaultClient(vaultClientsettings);
}
}
}
我已通过 vault kv list secret/ 命令验证密钥 do 存在。输出:
λ vault kv list secret/
Keys
----
creds
我也仔细检查了政策:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","list"]
}
path "secret/data/foo" {
capabilities = ["read","list"]
}
最后,我使用 Postman 和以下 http 调用验证了 RoleId 和 SecretId(并且正在传递正确的):
角色:http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
秘密:http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id
我一直在这里到处寻找,我什至尝试用 `` 上的参数玩这个:
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("", "secret") // no dice
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("data", "secret") // also no dice
知道我错过了什么吗?
经过一番折腾,终于找到了问题所在:一般是权限问题。
key原来在policy文件里,原来是这样的:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","list"]
}
path "secret/data/foo" {
capabilities = ["read","list"]
}
对于初学者来说,第二条路基本上是垃圾。它在那里是因为当我学习教程时它被复制了。不过,更重要的是:第一条路径不允许我列出元数据。
最后我改成了下面这样:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","read","list"]
}
path "secret/*" {
capabilities = ["create","update","read","list"]
}
他们现在也有 read/create/update/list 的事实并不是这里真正重要的部分——我这样做是为了确保我的 POC 可以做它需要做的一切。这里的重要部分是 secret/* 需要 list 权限。
更新策略后,AppRole auth 完美运行。
我一直试图通过 API 简单地列出我的 KeyValue Vault 中的秘密,但我使用 AppRole 身份验证时遇到“权限被拒绝”的情况。这是我目前所拥有的。
来电
private async Task RetrieveSecrets()
{
// Fails here, though it's the actual service method that fails (see below)
List<string> secrets = (await _vaultService.GetSecretsList()).ToList();
AvailableSecrets.Clear();
foreach (string secret in secrets)
{
AvailableSecrets.Add(secret);
}
}
VaultService
internal class VaultService : IVaultService
{
private IVaultClient _client;
public VaultService(IOptions<ApplicationSettings> applicationSettings)
{
CreateClient(applicationSettings.Value);
}
public async Task<IEnumerable<string>> GetSecretsList()
{
Secret<ListInfo> secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret");
ListInfo secrets = secret.Data;
return secrets.Keys;
}
private void CreateClient(ApplicationSettings settings, bool forceRecreate = false)
{
if (_client == null || forceRecreate)
{
// Role authorization
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(settings.VaultRoleId, settings.VaultSecretId);
VaultClientSettings vaultClientsettings = new VaultClientSettings(settings.VaultUrl, authMethod);
_client = new VaultClient(vaultClientsettings);
}
}
}
我已通过 vault kv list secret/ 命令验证密钥 do 存在。输出:
λ vault kv list secret/
Keys
----
creds
我也仔细检查了政策:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","list"]
}
path "secret/data/foo" {
capabilities = ["read","list"]
}
最后,我使用 Postman 和以下 http 调用验证了 RoleId 和 SecretId(并且正在传递正确的):
角色:http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
秘密:http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id
我一直在这里到处寻找,我什至尝试用 `` 上的参数玩这个:
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("", "secret") // no dice
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("data", "secret") // also no dice
知道我错过了什么吗?
经过一番折腾,终于找到了问题所在:一般是权限问题。
key原来在policy文件里,原来是这样的:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","list"]
}
path "secret/data/foo" {
capabilities = ["read","list"]
}
对于初学者来说,第二条路基本上是垃圾。它在那里是因为当我学习教程时它被复制了。不过,更重要的是:第一条路径不允许我列出元数据。
最后我改成了下面这样:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","read","list"]
}
path "secret/*" {
capabilities = ["create","update","read","list"]
}
他们现在也有 read/create/update/list 的事实并不是这里真正重要的部分——我这样做是为了确保我的 POC 可以做它需要做的一切。这里的重要部分是 secret/* 需要 list 权限。
更新策略后,AppRole auth 完美运行。