hashicorp / vault-client-go

HashiCorp Vault Go Client Library generated from OpenAPI spec.
Mozilla Public License 2.0

how can I introspect a vault token using EntityLookUp #184

Closed MushiTheMoshi closed 1 year ago

MushiTheMoshi commented 1 year ago

Describe the feature request or question

How to introspect a token using EntityLookUp as per this guide: https://github.com/hashicorp/vault-client-go/blob/main/docs/IdentityApi.md

A clear and concise description of what the problem is. I want to get details of a token generated by a client session. I have run vault token lookup VAULT_TOKEN, which is giving me the right output.

Link to the Vault API Docs that support this feature

https://github.com/hashicorp/vault-client-go/blob/main/docs/IdentityApi.md

The Vault Docs URL

Additional context

        request := schema.NewEntityLookUpRequestWithDefaults()
        resp, err := client.Identity.EntityLookUp(
            ctx,                                  // PASSING CONTEXT FROM SESSION, EVEN NEW CONTEXT IS NOT WORKING
            *request,
            vault.WithRequestCallbacks(func(r *http.Request) {
                log.Printf("%v", *r)  // VERIFIES REQUEST , WHICH LOOKS GOOD
            }),
        )
        if err != nil {
            log.Fatalf("%#v", err)
        }
        fmt.Printf("%#v", resp)

Adding ERROR LOG. 2023/06/16 08:20:19 {POST https://COMPANY/v1/identity/lookup/entity HTTP/1.1 1 1 map[User-Agent:[vault-client-go/0.3.3 (Linux x86_64; Go go1.20)] X-Vault-Token:[VAULT_TOKEN]] {{}

Hope you can help me!

Regards, Julio

averche commented 1 year ago

Hi @MushiTheMoshi,

The identity lookup API requires you to specify criteria for the lookup:

The criteria can be name, id, alias_id, or a combination of alias_name and alias_mount_accessor.

For example, the following should work with a valid ID:

    resp, err := client.Identity.EntityLookUp(
        ctx,
        schema.EntityLookUpRequest{
            Id: "<your-identity-id-here>",
        },
    )
    if err != nil {
        log.Fatalf("%#v", err)
    }
    fmt.Printf("%#v", resp)

However, if you just want to introspect the vault token you are using, a better API might be TokenLookUpSelf:

    t, err := client.Auth.TokenLookUpSelf(ctx)
    if err != nil {
        log.Fatalln("ERROR:", err)
    }
    log.Println("TOKEN:", t.Data)
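
Following the answer above, an added example (not part of the thread and not the project's own code) that chains the two lookups over Vault's HTTP API using only the Go standard library: lookup-self returns the token's entity_id, which then serves as the id criterion for /v1/identity/lookup/entity. The helper names, the stub server in main, and the token and entity values are constructed so that it runs offline.

```go
package main
import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// call sends one Vault HTTP API request and returns the reply's "data" object.
func call(base, token, method, path string, payload []byte) (map[string]any, error) {
	req, err := http.NewRequest(method, base+path, bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token) // secret: keep it out of request logs
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s %s: %s", method, path, resp.Status)
	}
	var out struct{ Data map[string]any }
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Data, err
}

// entityForToken reads entity_id from lookup-self and uses it as the "id" criterion.
func entityForToken(base, token string) (map[string]any, error) {
	tok, err := call(base, token, "GET", "/v1/auth/token/lookup-self", nil)
	if err != nil {
		return nil, err
	}
	id, _ := tok["entity_id"].(string)
	if id == "" { // no criterion to send, e.g. a root token
		return nil, fmt.Errorf("token has no entity_id")
	}
	q, _ := json.Marshal(map[string]string{"id": id})
	return call(base, token, "POST", "/v1/identity/lookup/entity", q)
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"data":{"entity_id":"constructed-id","name":"constructed-entity"}}`) // constructed stub reply
	}))
	defer srv.Close()
	fmt.Println(entityForToken(srv.URL, "constructed-token"))
}
```

A token with an empty entity_id gives the identity lookup no criterion at all, so the helper returns an error instead of sending the request.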

MushiTheMoshi commented 1 year ago

Thank you, that's exactly what I needed.

tonglil commented 1 year ago

Is there a way to do client.Token() to see if the client has a token set, like the vault api?