vault read secrets with python
I am trying to read secrets from Vault using Python and am running into some security issues.
I can confirm that authentication works:
import hvac

# vault_url and credentials (AWS access key, secret key and session token) are set up elsewhere
client = hvac.Client(url=vault_url)
client.auth.aws.iam_login(credentials.access_key, credentials.secret_key, credentials.token)
print(client.is_authenticated())
But I cannot read the secret.
I have tried:
response = client.secrets.kv.v2.read_secret_version(path='kv-v2/lambda-function')
and:
response = client.secrets.kv.v2.read_secret_version(path='lambda-function')
and:
secret = 'kv-v2/lambda-function'
mount_point, secret_path = secret.split('/', 1)
response = client.secrets.kv.v2.read_secret_version(
mount_point=mount_point, path=secret_path)
All of them produce:
[ERROR] Forbidden: 1 error occurred:
* permission denied
The following policy is in place:
path "kv-v2/lambda-function/*" {
capabilities = ["read"]
}
But I have also tried:
path "kv-v2/data/lambda-function/*" {
capabilities = ["read"]
}
The policy is linked to the auth role:
vault write auth/aws/role/role... \
auth_type=iam \
bound_iam_principal_arn="arn:.." \
policies=lambda-function \
ttl=5m
From the Vault console I can read the secret like this:
vault kv get kv-v2/lambda-function
What am I doing wrong?
OK, after some further experimentation, it turns out the correct policy is:
path "kv-v2/+/lambda-function*" {
capabilities = ["read","list"]
}
and the correct hvac calls are:
response = client.secrets.kv.v2.list_secrets(
mount_point='kv-v2', path='/')
response = client.secrets.kv.v2.read_secret_version(
mount_point='kv-v2', path='/lambda-function')
All is dandy now.
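An added example (not code from the post) that checks Vault policy paths against the API paths a KV v2 read and list actually hit, assuming the policy semantics Vault documents: a `+` segment matches exactly one path segment and a trailing `*` is a prefix glob. It shows why the first two policies above never matched `kv-v2/data/lambda-function` (the second one requires the trailing slash), and that an exact `kv-v2/data/lambda-function` rule is the least-privilege alternative to the wildcards.

```python
import re

# A KV v2 mount exposes a secret named <name> at two API paths; a policy
# must grant capabilities on those, not on the logical "kv-v2/<name>":
#   read -> <mount>/data/<name>      (hvac read_secret_version)
#   list -> <mount>/metadata/<name>  (hvac list_secrets)
def kv2_api_paths(mount_point, secret_path):
    mount, name = mount_point.strip("/"), secret_path.strip("/")
    return {"read": f"{mount}/data/{name}",
            "list": f"{mount}/metadata/{name}"}

def policy_regex(policy_path):
    """Vault policy path matching: a segment that is exactly '+' matches one
    segment, a trailing '*' is a prefix glob, everything else is literal."""
    segments = policy_path.split("/")
    parts = []
    for i, seg in enumerate(segments):
        if seg == "+":
            parts.append("[^/]+")
        elif i == len(segments) - 1 and seg.endswith("*"):
            parts.append(re.escape(seg[:-1]) + ".*")
        else:
            parts.append(re.escape(seg))
    return re.compile("/".join(parts))

def policy_matches(policy_path, request_path):
    return policy_regex(policy_path).fullmatch(request_path) is not None

def check_access(policy_rules, mount_point, secret_path):
    """policy_rules: {policy_path: [capabilities]}. Returns, for the read and
    list API paths of the secret, whether any rule grants that capability."""
    result = {}
    for capability, api_path in kv2_api_paths(mount_point, secret_path).items():
        result[capability] = any(
            policy_matches(rule, api_path) and capability in caps
            for rule, caps in policy_rules.items())
    return result

if __name__ == "__main__":
    # The policies from the post, checked against kv-v2/lambda-function.
    for rules in (
        {"kv-v2/lambda-function/*": ["read"]},           # first attempt
        {"kv-v2/data/lambda-function/*": ["read"]},      # second attempt
        {"kv-v2/+/lambda-function*": ["read", "list"]},  # working policy
        {"kv-v2/data/lambda-function": ["read"]},        # tighter exact path
    ):
        print(rules, "->", check_access(rules, "kv-v2", "lambda-function"))
```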