Closed MMollyy closed 1 year ago
So, I went and looked a bit through the code in hopes to find something. I'm not a knower on Go, but this next code block looks like it would be the one taking care of which endpoint to use for the API:
```go
import "fmt" // needed for fmt.Errorf below

// Reference: https://docs.microsoft.com/en-us/graph/deployments#microsoft-graph-and-graph-explorer-service-root-endpoints
// Returns the Microsoft Graph service root for the given Azure cloud environment.
func GetGraphURI(env string) (string, error) {
	switch env {
	case "AzurePublicCloud", "":
		return "https://graph.microsoft.com", nil
	case "AzureUSGovernmentCloud":
		return "https://graph.microsoft.us", nil
	case "AzureGermanCloud":
		return "https://graph.microsoft.de", nil
	case "AzureChinaCloud":
		return "https://microsoftgraph.chinacloudapi.cn", nil
	default:
		return "", fmt.Errorf("environment '%s' unknown", env)
	}
}
```
The v1.0 endpoint is not being used, is that intentional?
EDIT: So I tested the above two commands for GET and POST with the URL in the current code, from POSTMAN, and it results for me in:
```json
{
  "error": {
    "code": "BadRequest",
    "message": "Invalid version.",
    "innerError": {
      "date": "2023-01-27T10:15:07",
      "request-id": "37a92048-3692-4acf-ad12-480d58e5a354",
      "client-request-id": "37a92048-3692-4acf-ad12-480d58e5a354"
    }
  }
}
```
Which is not the same outcome as insufficient permissions 😞
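As an added example (not code from the plugin or from this thread), the following Go helpers show what a versioned Graph request URL looks like next to the bare service root quoted above: `GraphURL` appends the API version and resource path, and `CheckGraphURL` is a local pre-flight check that rejects the same shapes Graph answers with `BadRequest` / `Invalid version.`. The host table is copied from `GetGraphURI`; the all-zero application id in the test is a constructed placeholder.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// graphRoots mirrors the switch in GetGraphURI: cloud environment -> Graph service root.
var graphRoots = map[string]string{
	"AzurePublicCloud":       "https://graph.microsoft.com",
	"AzureUSGovernmentCloud": "https://graph.microsoft.us",
	"AzureGermanCloud":       "https://graph.microsoft.de",
	"AzureChinaCloud":        "https://microsoftgraph.chinacloudapi.cn",
}

// GraphURL joins the root for env with an API version ("v1.0" or "beta") and a
// resource path such as "applications/<id>/addPassword". Empty env means public cloud.
func GraphURL(env, version, resource string) (string, error) {
	if env == "" {
		env = "AzurePublicCloud"
	}
	root, ok := graphRoots[env]
	if !ok {
		return "", fmt.Errorf("environment '%s' unknown", env)
	}
	if version != "v1.0" && version != "beta" {
		return "", fmt.Errorf("unsupported Graph API version '%s'", version)
	}
	return root + "/" + version + "/" + strings.TrimPrefix(resource, "/"), nil
}

// CheckGraphURL is a local pre-flight check on a request URL: https, a known Graph
// host, and a version as the first path segment (the part Graph calls "Invalid version").
func CheckGraphURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme must be https, got '%s'", u.Scheme)
	}
	hostKnown := false
	for _, root := range graphRoots {
		hostKnown = hostKnown || strings.TrimPrefix(root, "https://") == u.Host
	}
	if !hostKnown {
		return fmt.Errorf("host '%s' is not a Microsoft Graph service root", u.Host)
	}
	if first := strings.SplitN(strings.TrimPrefix(u.Path, "/"), "/", 2)[0]; first != "v1.0" && first != "beta" {
		return fmt.Errorf("missing API version in path '%s'", u.Path)
	}
	return nil
}
```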
I'm having the same issue. It is unclear to me what application permissions are required for the vault application to create a role. I never want to create dynamic principals, only refresh the secrets, so I only approved the Application.ReadWrite.OwnedBy permission.
Edit: I fixed it by assigning the "application X" as owner of itself. Seems like the provider needs to fetch some data about the "secret engine" application before being able to create a role.
It seems in my case the self-managed Vault instances had some kind of environment variables configured which were being picked up instead of the config. If I'm not mistaken it also had something to do with a managed identity being used, as it was running on Azure.
In any case, the API permissions assigned to the application used in the config of the engine need 1 of 2 permissions:
1. Application: Application.ReadWrite.All
2. Application: Application.ReadWrite.OwnedBy
In the first case, it is not least privilege, and if you want to let the engine create secrets on itself via a role you still need to make it an owner on itself. In the second case it is least privilege and you are required to make it an owner on itself, as well as on any other application you'd like it to manage. In the event you are creating applications using the engine, there is nothing to worry about, as ownership is inherently taken care of.
Hi there,
I am using an application X, which has permissions on application Y. This application X is configured on the Azure Secrets Engine in the configuration.
I am trying to add application Y (a pre-created application with SPN) to have its secrets managed by the secrets engine, using application X.
However, when doing the command:
I receive the following error:
As if my application X is not allowed to do a GET command on the application Y, or even do an addPassword API POST command. However, I can verify from Postman that it works when I do the following commands:
and:
Both work just fine, so I am 100% certain permissions on application_X are not the issue.
The config I used for application_X:
I believe being able to use the `use_microsoft_Graph=true` option in the config means I am using the latest version of the Azure Secrets Engine, but I haven't found anywhere how to verify the version. Does anyone have an idea why I am getting the insufficient permissions error through the engine, while it works in Postman?
EDIT: So our Vault island uses version 1.10.7, which means we use version 0.12 of the secrets engine.
option in the config means I am using the latest version of the Azure Secrets Engine, but I haven't found anywhere on how to verify on the version. Does anyone have an idea why I am getting the insufficient permissions error through the engine, while it works in POSTMAN?EDIT: So our Vault island uses 1.10.7 version, which means we use 0.12 version for the secrets-engine..