joshcorr / SecretManagement.Hashicorp.Vault.KV

A PowerShell SecretManagement extension for Hashicorp Vault Key Value Engine
MIT License

Test-SecretVault: Unable to run Test-SecretVault #28

Open AlexeiKlimenko opened 2 years ago

AlexeiKlimenko commented 2 years ago

Hello.

How to troubleshoot Test-SecretVault issue? We're using server-side Vault HashiCorp and client-side as your module.

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name 'xxx/yyy' -VaultParameters @{ VaultServer = 'https://server:8200'; VaultAuthType = 'LDAP'}

What kind of Name should be specified as the name of the vault? We're trying /personal/user, space/unit/secrets/*/ and other variants, but nothing is working.

joshcorr commented 2 years ago

Hi @AlexeiKlimenko! The Vault name should be the same as the Engine/mount you are using. If your secret existed under personal/user/me then you should register the vault with the following:

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name personal -VaultParameters @{ VaultServer = 'https://server:8200'; VaultAuthType = 'LDAP'}
Get-Secret -Name user/me -Vault personal 

The default version is KV version 2. If you are using a version 1 vault then you should add KVVersion = 'v1' to your -VaultParameters
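The mount/path split described above, written out as a small PowerShell helper. This is an added example, not code from the module or from anyone in the thread; it assumes only the convention stated in the reply (the registered vault name is the KV mount, -Name is the rest of the path), the module's stated default of KV v2 with KVVersion = 'v1' for v1 mounts, and the KV v1/v2 HTTP API paths, where v2 inserts data/ after the mount. The server URL and auth type in the generated Register-SecretVault line are the ones from the question, used as placeholders.

```powershell
# Added example (not part of SecretManagement.Hashicorp.Vault.KV). Splits a full Vault
# KV path such as 'personal/user/me' into the two values the extension expects:
#   the mount -> Register-SecretVault -Name  and  Get-Secret -Vault
#   the rest  -> Get-Secret -Name
# and shows the HTTP path a read of that secret hits for each KV version
# (KV v2 is the module's default; pass -KVVersion v1 for a v1 mount).
function Resolve-KvSecretPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$FullPath,                 # e.g. 'personal/user/me'

        [ValidateSet('v1', 'v2')]
        [string]$KVVersion = 'v2'
    )

    # Split on the first '/' only: everything after the mount belongs to -Name.
    $mount, $relative = $FullPath.Trim('/') -split '/', 2
    if ([string]::IsNullOrWhiteSpace($mount) -or [string]::IsNullOrWhiteSpace($relative)) {
        throw "Expected '<mount>/<path/to/secret>', got '$FullPath'"
    }

    # KV v2 exposes secrets under <mount>/data/<path>; KV v1 under <mount>/<path>.
    $apiPath = if ($KVVersion -eq 'v2') { "v1/$mount/data/$relative" } else { "v1/$mount/$relative" }

    [pscustomobject]@{
        Vault    = $mount
        Name     = $relative
        ApiPath  = $apiPath
        Register = "Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name '$mount' -VaultParameters @{ VaultServer = 'https://server:8200'; VaultAuthType = 'LDAP'; KVVersion = '$KVVersion' }"
        Get      = "Get-Secret -Name '$relative' -Vault '$mount'"
    }
}

# The path from the question, once as a v2 mount (default) and once as a v1 mount.
Resolve-KvSecretPath -FullPath 'personal/user/me' | Format-List
Resolve-KvSecretPath -FullPath 'personal/user/me' -KVVersion v1 | Format-List
```

The Register line shows where KVVersion goes when the mount is v1; leaving it out against a v1 mount makes the module request the v2 data/ path, which the server will not serve.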

AlexeiKlimenko commented 2 years ago

Thank you, as server we're using Vault 1.5.5. To be frank, we were trying various combinations of NAME and Vault, but nothing is working. We are not able to determine the root cause, because there aren't any tools for troubleshooting (only Test-SecretVault).

joshcorr commented 2 years ago

Are you prompted for credentials when you run Test-SecretVault? If you use -Verbose with Test-SecretVault do you have any output? After running Test-SecretVault what is the value of $error[0]?

the -Name parameter should only take in the first part of the path on Register-SecretVault and should not have a path like engine/path/secret. -Vault is the name of the vault you registered. You can list your vaults with Get-SecretVault.

I can test with that Vault server version, but I think there might be something going on with your permissions, or how you are trying to register the vault. Please let me know if you have any error or verbose messages.

AlexeiKlimenko commented 2 years ago

Yes, we have tested with 'userpass'/'token' and the default (in our case) 'LDAP'. With the -Verbose key we just received:

Test-SecretVault: Unable to run Test-SecretVault on vault personal
VERBOSE: Vault personal failed validation test
False

Permission is valid. Therefore we were trying to use vault application from https://www.vaultproject.io/downloads, then configured $env:VAULT_ADDR="https://%our_vault_server%:8200" and used vault login with token. It executed correctly and we were able to receive secret with ".\vault.exe read personal/user/secret"

joshcorr commented 2 years ago

I should have asked this earlier. What version of Secret Management module are you using? What version of the Vault Extension are you using with that? The Test-SecretVault will prompt you for auth if you do not have a token. If you are not getting prompted for username/password then there might be something wrong in that step.

Will work on testing myself, but may take a day or two as I do not have LDAP setup currently in my lab.

AlexeiKlimenko commented 2 years ago

"What version of Secret Management module are you using" We're trying both - v2 and v1, but result was the same.

"Test-SecretVault" It prompts token pass (if we've specified VaultAuthType = 'token') or user/pass (in cases of userpass/LDAP) - it's ok.

"may take a day or two" OK, thanks a lot, we'll be waiting.

joshcorr commented 2 years ago

I was able to get it working on 1.5.5 using userpass with the following with a restricted account. (Having unrelated issues with my LDAP test setup).

[screenshot: VaultTest]

I am using Microsoft.PowerShell.SecretManagement version 1.1.1 and SecretManagement.Hashicorp.Vault.KV 2.0.0 in that test. The "personal" vault is a v2 KV vault.

AlexeiKlimenko commented 2 years ago

We're also using Microsoft.PowerShell.SecretManagement 1.1.1 and SecretManagement.Hashicorp.Vault.KV 2.0.0, but Get-Secret and Test-SecretVault failed with userpass/LDAP. The main difference is that we're using https instead of http as VaultServer. Could that be the issue, and how do we troubleshoot it? The whole PKI chain (containing 3 certificates) was added to Trusted CA.

New info: We have installed "Install-Module -Name SecretManagement.Hashicorp.Vault.KV -RequiredVersion 1.1.0"

In this case we're getting True with Test-SecretVault (created with userpass/LDAP):

PS C:\Users\aiklimenko> Test-SecretVault personal
WARNING: https://VAULT_SERVER:8200/v1/sys/mounts; Forbidden, your authentication details are either incorrect, you don't have access to this feature, or - if CORS is enabled - you made a cross-origin request from an origin that is not allowed to make such requests

But with Get-Secret we're not prompted to log in with user/password:

PS C:\Users\aiklimenko> Get-Secret -Name aiklimenko -Vault personal
Get-Secret: Unable to get secret aiklimenko from vault personal
Get-Secret: The secret aiklimenko was not found.

joshcorr commented 2 years ago

Got a bit closer to recreating the error. Have my full test setup back up and am able to test LDAP with an Https instance of Vault.

After a failed Test-SecretVault or Get-Secret could you run the following in your shell $error[0] | fl -force? This will display all of the error message. Please let me know if you see {"errors":["1 error occurred:\n\t* permission denied\n\n"]}

AlexeiKlimenko commented 2 years ago

Good day. Got back to "SecretManagement.Hashicorp.Vault.KV" version 2.0

Tried to register vaults with different types of auth:

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name 'userpass' -VaultParameters @{ VaultServer = 'https://XXX:8200'; VaultAuthType = 'userpass'}
Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name 'ldap' -VaultParameters @{ VaultServer = 'https://XXX:8200'; VaultAuthType = 'ldap'}
Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name 'token' -VaultParameters @{ VaultServer = 'https://XXX:8200'; VaultAuthType = 'token'}

telnet XXX 8200 was successful

Attempts to Test-SecretVault:

PS C:\Users\me> Test-SecretVault userpass -Verbose

PowerShell credential request
Please Enter UserName and Password credentials
User: me
Password for user me: ***

Test-SecretVault: Unable to run Test-SecretVault on vault userpass
VERBOSE: Vault userpass failed validation test
False

PS C:\Users\me> $error[0] | fl -force

Exception : System.Management.Automation.PSInvalidOperationException: Unable to run Test-SecretVault on vault userpass ---> System.Management.Automation.RuntimeException: Received an error: {"errors":["invalid username or password"]}

                     ---> System.Management.Automation.RuntimeException: Received an error: {"errors":["invalid username or password"]}

                       --- End of inner exception stack trace ---
                       at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
                       at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
                       at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
                       at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output,
                    PSInvocationSettings settings)
                       at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings
                    settings)
                       at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
                       at System.Management.Automation.PowerShell.Invoke()
                       at Microsoft.PowerShell.SecretManagement.PowerShellInvoker.InvokeScriptWithHost[T](PSCmdlet cmdlet, String script, Object[] args, Exception&
                    terminatingError) in D:\a\_work\1\s\src\code\Utils.cs:line 1554
                       --- End of inner exception stack trace ---

TargetObject          : Microsoft.PowerShell.SecretManagement.ExtensionVaultModule
CategoryInfo          : InvalidOperation: (Microsoft.PowerShel…xtensionVaultModule:ExtensionVaultModule) [Test-SecretVault], PSInvalidOperationException
FullyQualifiedErrorId : TestSecretVaultInvalidOperation,Microsoft.PowerShell.SecretManagement.TestSecretVaultCommand
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at , : line 1
PipelineIterationInfo : {0, 1}
PSMessageDetails      :

Test-SecretVault ldap -Verbose

PS C:\Users\me> $error[0] | fl -force

Exception : System.Management.Automation.PSInvalidOperationException: Unable to run Test-SecretVault on vault ldap ---> System.Management.Automation.RuntimeException: Received an error: {"errors":["1 error occurred:\n\t* permission denied\n\n"]}

                     ---> System.Management.Automation.RuntimeException: Received an error: {"errors":["1 error occurred:\n\t* permission denied\n\n"]}

                       --- End of inner exception stack trace ---
                       at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
                       at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
                       at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
                       at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output,
                    PSInvocationSettings settings)
                       at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings
                    settings)
                       at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
                       at System.Management.Automation.PowerShell.Invoke()
                       at Microsoft.PowerShell.SecretManagement.PowerShellInvoker.InvokeScriptWithHost[T](PSCmdlet cmdlet, String script, Object[] args, Exception&
                    terminatingError) in D:\a\_work\1\s\src\code\Utils.cs:line 1554
                       --- End of inner exception stack trace ---

TargetObject          : Microsoft.PowerShell.SecretManagement.ExtensionVaultModule
CategoryInfo          : InvalidOperation: (Microsoft.PowerShel…xtensionVaultModule:ExtensionVaultModule) [Test-SecretVault], PSInvalidOperationException
FullyQualifiedErrorId : TestSecretVaultInvalidOperation,Microsoft.PowerShell.SecretManagement.TestSecretVaultCommand
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at , : line 1
PipelineIterationInfo : {0, 1}
PSMessageDetails      :

Test-SecretVault token -Verbose

We got the same issue with "permission denied".

AlexeiKlimenko commented 2 years ago

Addition about Get-Secret

PS C:\Users\me> Get-Secret -Name personal/me/TestPassword -Vault ldap

PowerShell credential request
Please Enter LDAP credentials
User: me
Password for user me: ***

Get-Secret: Unable to get secret personal/me/TestPassword from vault ldap
Get-Secret: The secret personal/me/TestPassword was not found.

Exception : System.Management.Automation.ItemNotFoundException: The secret personal/me/TestPassword was not found.

If we are using the vault application from the official site (see previous messages):

PS C:\Users\me\Downloads\vault_1.9.0_windows_amd64> .\vault.exe read personal/me/TestPassword
Key                 Value
refresh_interval    768h
Password            YYYY

joshcorr commented 2 years ago

I've been trying to test this, but I am getting successful results recently and haven't been able to get it to fail (unless I use an incorrect password or path).

I noticed from your example above that the syntax might be wrong. You cannot pass the full path to the -Name parameter. Is your full test path in the Vault UI ldap/personal/me/TestPassword or personal/me/TestPassword? If it is the last one then the syntax you used is incorrect:

Get-Secret -Name personal/me/TestPassword -Vault ldap

Correct syntax would be:

Get-Secret -VaultName personal -Name me/TestPassword

The vault name you register must be the same as the first part of the path.

The correct register command for personal/me/TestPassword would be:

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name 'personal' -VaultParameters @{ VaultServer = 'https://XXX:8200'; VaultAuthType = 'ldap'}

ryancbutler commented 2 years ago

Was running into a similar issue with userpass authentication. After monitoring the audit logs I found it was based on my policy.

Steps I used to get it working.

Created the KV path with:

vault secrets enable -path=hcvault kv

admin.hcl

#Path for kv
path "hcvault/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "auth/token/lookup" {
  capabilities = ["update"]
}

path "sys/mounts" {
  capabilities = ["read"]
}

Created the policy:

vault policy write admins admin.hcl

Created the user

vault write auth/userpass/users/mitchellh \
    password=foo \
    policies=admins

Then registered the vault:

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name hcvault -VaultParameters @{ VaultServer = 'http://myvault.lab.local:8200'; VaultAuthType = 'userpass'}

Test should now PASS:

Test-SecretVault -Name "hcvault"

AlexeiKlimenko commented 2 years ago

We're still facing this issue. Tested on WS2019/Win10/Win11. It seems to me that the root cause can't be policy or permissions, because via the official vault client (see posts above) we get secrets without any issues.

MrZeeEs commented 2 years ago

Hi, I've got the same problem. I am using: SecretManagement.Hashicorp.Vault.KV/2.0.0 Microsoft.PowerShell.SecretStore/1.0.5 Vault 1.9.2. PowerShell7

I have started Vault in DEV mode:

vault server -dev

I have created a test kv pair:

vault kv put secret/nonProd TEST_APP_Login=myLogin

[screenshot]

Then I have validated Vault name:

[screenshot]

and registered it in SecretManagement.Hashicorp.Vault.KV:

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name secret -VaultParameters @{ VaultServer = 'http://127.0.0.1:8200'; VaultAuthType = 'Token'}

[screenshot]

When I try to retrieve this using

Get-Secret -Name nonProd/TEST_APP_Login -Vault secret

I am asked first for the Token and, after providing the correct Token, I get the error "Get-Secret: Unable to get secret nonProd/TEST_APP_Login from vault secret Get-Secret: The secret nonProd/TEST_APP_Login was not found.":

[screenshot]

If I try

Test-SecretVault secret

then after providing the correct Token I get the error "Test-SecretVault: Unable to run Test-SecretVault on vault secret":

[screenshot]

Could you please help to fix it?

Regards,

Zdenek

ryancbutler commented 2 years ago

Can you enable audit logging https://www.vaultproject.io/docs/audit, try the test again and review the log? I was able to uncover the issue with my policy/access this way.

MrZeeEs commented 2 years ago

> Can you enable audit logging https://www.vaultproject.io/docs/audit, try the test again and review the log? I was able to uncover the issue with my policy/access this way.

Thank you. I've enabled logging.

This is what I got for log_Test-SecretVault:

{"time":"2022-01-12T17:51:13.5090177Z","type":"request","auth":{"client_token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6","accessor":"hmac-sha256:0514dddabd631446b46b6a6497e34f8ef00b635e96108fa8af3279980363a952","display_name":"root","policies":["root"],"token_policies":["root"],"token_type":"service","token_issue_time":"2022-01-12T18:32:04+01:00"},"request":{"id":"7d6b9c8b-f754-b024-b0ad-d9d91d70c364","operation":"update","mount_type":"token","client_token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6","client_token_accessor":"hmac-sha256:0514dddabd631446b46b6a6497e34f8ef00b635e96108fa8af3279980363a952","namespace":{"id":"root"},"path":"auth/token/lookup","data":{"token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6"},"remote_address":"127.0.0.1"}}
{"time":"2022-01-12T17:51:13.5095455Z","type":"response","auth":{"client_token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6","accessor":"hmac-sha256:0514dddabd631446b46b6a6497e34f8ef00b635e96108fa8af3279980363a952","display_name":"root","policies":["root"],"token_policies":["root"],"token_type":"service","token_issue_time":"2022-01-12T18:32:04+01:00"},"request":{"id":"7d6b9c8b-f754-b024-b0ad-d9d91d70c364","operation":"update","mount_type":"token","client_token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6","client_token_accessor":"hmac-sha256:0514dddabd631446b46b6a6497e34f8ef00b635e96108fa8af3279980363a952","namespace":{"id":"root"},"path":"auth/token/lookup","data":{"token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6"},"remote_address":"127.0.0.1"},"response":{"mount_type":"token","data":{"accessor":"hmac-sha256:0514dddabd631446b46b6a6497e34f8ef00b635e96108fa8af3279980363a952","creation_time":1642008724,"creation_ttl":0,"display_name":"hmac-sha256:17303a631de2a5ac9dbe025c5f75c30b081e87a44a4c304686aef4a910246159","entity_id":"hmac-sha256:f4b1e957191b0b4b60bea90c517eff6566e6fc8926db5e7b09c8c292cafb4e69","expire_time":null,"explicit_max_ttl":0,"id":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6","meta":null,"num_uses":0,"orphan":true,"path":"hmac-sha256:68b2553ad57c8376ee872819bbb3a44e5d995efabed61ce0ad381c94f00128b6","policies":["hmac-sha256:17303a631de2a5ac9dbe025c5f75c30b081e87a44a4c304686aef4a910246159"],"ttl":0,"type":"hmac-sha256:ed03293d31b1f6e3232f3cee1515cce4c26242fafcab337e04422f972b98c595"}}}

This is what I got for log_Get-Secret:

{"time":"2022-01-12T17:47:00.3213185Z","type":"request","auth":{"client_token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6","accessor":"hmac-sha256:0514dddabd631446b46b6a6497e34f8ef00b635e96108fa8af3279980363a952","display_name":"root","policies":["root"],"token_policies":["root"],"token_type":"service","token_issue_time":"2022-01-12T18:32:04+01:00"},"request":{"id":"fee180df-9ceb-a3d9-9164-93677f041233","operation":"update","mount_type":"token","client_token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6","client_token_accessor":"hmac-sha256:0514dddabd631446b46b6a6497e34f8ef00b635e96108fa8af3279980363a952","namespace":{"id":"root"},"path":"auth/token/lookup","data":{"token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6"},"remote_address":"127.0.0.1"}}
{"time":"2022-01-12T17:47:00.3218477Z","type":"response","auth":{"client_token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6","accessor":"hmac-sha256:0514dddabd631446b46b6a6497e34f8ef00b635e96108fa8af3279980363a952","display_name":"root","policies":["root"],"token_policies":["root"],"token_type":"service","token_issue_time":"2022-01-12T18:32:04+01:00"},"request":{"id":"fee180df-9ceb-a3d9-9164-93677f041233","operation":"update","mount_type":"token","client_token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6","client_token_accessor":"hmac-sha256:0514dddabd631446b46b6a6497e34f8ef00b635e96108fa8af3279980363a952","namespace":{"id":"root"},"path":"auth/token/lookup","data":{"token":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6"},"remote_address":"127.0.0.1"},"response":{"mount_type":"token","data":{"accessor":"hmac-sha256:0514dddabd631446b46b6a6497e34f8ef00b635e96108fa8af3279980363a952","creation_time":1642008724,"creation_ttl":0,"display_name":"hmac-sha256:17303a631de2a5ac9dbe025c5f75c30b081e87a44a4c304686aef4a910246159","entity_id":"hmac-sha256:f4b1e957191b0b4b60bea90c517eff6566e6fc8926db5e7b09c8c292cafb4e69","expire_time":null,"explicit_max_ttl":0,"id":"hmac-sha256:67315c468c03f111d72aee189a202d37c59da0c909413aca5d24e017632ab0a6","meta":null,"num_uses":0,"orphan":true,"path":"hmac-sha256:68b2553ad57c8376ee872819bbb3a44e5d995efabed61ce0ad381c94f00128b6","policies":["hmac-sha256:17303a631de2a5ac9dbe025c5f75c30b081e87a44a4c304686aef4a910246159"],"ttl":0,"type":"hmac-sha256:ed03293d31b1f6e3232f3cee1515cce4c26242fafcab337e04422f972b98c595"}}}

Unfortunately, I cannot find anything helpful there. Could you, please?

joshcorr commented 2 years ago

I am noticing that several instances of this module are loaded into the same PowerShell session. I am not sure if the module supports multiple instances in one PowerShell session.

If you want to see if you can nail down the error without the abstraction layer of using SecretManagement you can do the following:

mkdir C:\temp
cd C:\temp
git clone https://github.com/joshcorr/SecretManagement.Hashicorp.Vault.KV.git
cd SecretManagement.Hashicorp.Vault.KV
Import-Module .\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV.Extension\SecretManagement.Hashicorp.Vault.KV.Extension.psd1
# Create a variable with whatever you would have passed to Register-SecretVault 
$additionalparameters = @{ VaultServer = 'https://XXX:8200'; VaultAuthType = 'ldap'}
# Execute the commands interactively.
 Test-SecretVault -VaultName <mountName> -AdditionalParameters $additionalparameters -Verbose 
 Get-Secret -VaultName <mountName> -Name <path/to/secret/without/mount> -AdditionalParameters $additionalparameters -Verbose

This will allow a little more direct debugging for your environment. It is difficult to debug the module when using Secret Management because it loads the module into a runspace that is not easily debugged. If you run into any errors you can do the following to get the entire trace:

$error[0] | fl -force

AlexeiKlimenko commented 2 years ago

Receive the same error in my case:

Get-Secret -VaultName personal -Name me/test -AdditionalParameters $additionalparameters -Verbose
VERBOSE: Grabbing token for personal
VERBOSE: Token Expired at 01/01/1600 00:00:00. Retieving a new token

PowerShell credential request
Please Enter LDAP credentials
User: me
Password for user me: ***

VERBOSE: POST with 30-byte payload
VERBOSE: received -byte response of content type application/json
VERBOSE: Content encoding: utf-8
VERBOSE: POST with 45-byte payload
VERBOSE: received 60-byte response of content type application/json
Exception: Received an error: {"errors":["1 error occurred:\n\t* permission denied\n\n"]}

Exception             : System.Management.Automation.RuntimeException: Received an error: {"errors":["1 error occurred:\n\t* permission denied\n\n"]}
TargetObject          : Received an error: {"errors":["1 error occurred:\n\t* permission denied\n\n"]}
CategoryInfo          : OperationStopped: (Received an error: …sion denied\n\n"]} :String) [], RuntimeException
FullyQualifiedErrorId : Received an error: {"errors":["1 error occurred:\n\t* permission denied\n\n"]}
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at Invoke-VaultToken, C:\Temp\posh\SecretManagement.Hashicorp.Vault.KV-main\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV.Extension\SecretManagement.Hashicorp.Vault.KV.Extension.psm1: line 273
                        at Test-SecretVault, C:\Temp\posh\SecretManagement.Hashicorp.Vault.KV-main\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV.Extension\SecretManagement.Hashicorp.Vault.KV.Extension.psm1: line 673
                        at Get-Secret, C:\Temp\posh\SecretManagement.Hashicorp.Vault.KV-main\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV.Extension\SecretManagement.Hashicorp.Vault.KV.Extension.psm1: line 480
                        at , : line 1
PipelineIterationInfo : {}
PSMessageDetails      :

MrZeeEs commented 2 years ago

Hi,

thank you. More detailed logging has revealed that there is a problem with System.DateTime conversion and Token's expiration datetime.

The whole debug report:


PS C:\Vault\SecretManagement.Hashicorp.Vault.KV> Test-SecretVault -VaultName secret -AdditionalParameters $additionalparameters -Verbose
VERBOSE: Grabbing token for secret
VERBOSE: Token Expired at 01/01/1600 00:00:00. Retieving a new token

PowerShell credential request
Please Enter the token
Password for user Token: **

VERBOSE: POST with 45-byte payload
VERBOSE: received 461-byte response of content type application/json
VERBOSE: Content encoding: utf-8
Exception: Cannot convert null to type "System.DateTime".

PS C:\Vault\SecretManagement.Hashicorp.Vault.KV> $error[0] | fl -force

Exception             : System.Management.Automation.ArgumentTransformationMetadataException: Cannot convert null to type "System.DateTime". ---> System.Management.Automation.PSInvalidCastException: Cannot convert null to type "System.DateTime".
                           at System.Management.Automation.LanguagePrimitives.ThrowInvalidCastException(Object valueToConvert, Type resultType)
                           at System.Management.Automation.LanguagePrimitives.ConvertNoConversion(Object valueToConvert, Type resultType, Boolean recurse, PSObject originalValueToConvert, IFormatProvider formatProvider, TypeTable backupTable)
                           at System.Management.Automation.LanguagePrimitives.ConversionData1.Invoke(Object valueToConvert, Type resultType, Boolean recurse, PSObject originalValueToConvert, IFormatProvider formatProvider, TypeTable backupTable)
                           at System.Management.Automation.LanguagePrimitives.ConvertTo(Object valueToConvert, Type resultType, Boolean recursion, IFormatProvider formatProvider, TypeTable backupTypeTable)
                           at System.Management.Automation.ArgumentTypeConverterAttribute.Transform(EngineIntrinsics engineIntrinsics, Object inputData, Boolean bindingParameters, Boolean bindingScriptCmdlet)
                           --- End of inner exception stack trace ---
                           at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
                           at System.Management.Automation.Interpreter.ActionCallInstruction2.Run(InterpretedFrame frame)
                           at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
                           at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
TargetObject          :
CategoryInfo          : MetadataError: (:) [], ArgumentTransformationMetadataException
FullyQualifiedErrorId : RuntimeException
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at Invoke-VaultToken, C:\Vault\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV.Extension\SecretManagement.Hashicorp.Vault.KV.Extension.psm1: line 270
                        at Test-SecretVault, C:\Vault\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV.Extension\SecretManagement.Hashicorp.Vault.KV.Extension.psm1: line 673
                        at , : line 1
PipelineIterationInfo : {}
PSMessageDetails      :


How could it be solved?

joshcorr commented 2 years ago

This looks like 2 different issues.

@MrZeeEs can you open a new issue for investigating the DateTime Conversion?

@AlexeiKlimenko The error you received is a Vault Error. Based on the line number from that stack trace it appears to be in the Invoke-VaultToken internal function which is called by the Test-SecretVault (called in every public function). I need to think about why the vault client works, but the API call doesn't work. I think @ryancbutler had a good suggestion that it may be an ACL, but if that was the case then I would think the Vault binary wouldn't work.

AlexeiKlimenko commented 2 years ago

Have you got any new info about this issue?

joshcorr commented 2 years ago

I do not. I have not been able to reproduce the problem in my environment.

The error you receive is saying permission denied, which leads me to think it is the ACL for your AD role, or (more likely) the Test for the mounts which requires read to the mounts path in vault.

hawleyOSU commented 1 year ago

I know this is old, but it is still open and I had this same issue today. Hopefully this will help someone else in the future.

@AlexeiKlimenko the issue was permissions. Like you, I could pull the secret via the Vault API using:

invoke-restmethod -Method Get -Uri "https://<vault_url>/v1/<mount>/data/<folder>/<secretname>" -Headers @{"X-Vault-Token" = "..."}

but not

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name <mount> -VaultParameters @{ VaultServer = 'https://<vault_url>'; VaultAuthType = 'Token'}

Get-Secret -Name <folder>/<secretname> -Vault <mount>

@ryancbutler had the solution. The permission that was missing from the policy was:

path "sys/mounts" {
  capabilities = ["read"]
}

AlexisHW commented 8 months ago

I have the same issue and don't have access to mounts too. I found it by running

vault secrets list
Error listing secrets engines: Error making API request.

URL: GET https://host:8200/v1/sys/mounts
Code: 403. Errors:

* 1 error occurred:
        * permission denied
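A pre-flight check for the permission problem ryancbutler and hawleyOSU describe, and for the 403 on sys/mounts shown just above. This is an added example, not code from the module or from anyone in the thread. It asks Vault's sys/capabilities-self endpoint what the current token may do on the three paths ryancbutler's policy grants (read on sys/mounts, update on auth/token/lookup, read on the KV data path), so a "permission denied" can be tied to the missing policy rule before Register-SecretVault and Test-SecretVault are involved. It assumes VAULT_ADDR and VAULT_TOKEN are set in the environment, as the vault CLI reads them, and that the mount is KV v2 unless -KVVersion v1 is passed; the mount and secret names in the usage line are the thread's.

```powershell
# Added example (not part of SecretManagement.Hashicorp.Vault.KV). Asks Vault which
# capabilities the current token holds on the paths the extension touches, using the
# sys/capabilities-self endpoint, and reports each one against what ryancbutler's
# policy grants. Assumes $env:VAULT_ADDR / $env:VAULT_TOKEN are set.
function Test-VaultKvAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Mount,                          # KV mount, e.g. 'personal'

        [Parameter(Mandatory)]
        [string]$SecretPath,                     # path below the mount, e.g. 'me/TestPassword'

        [ValidateSet('v1', 'v2')]
        [string]$KVVersion = 'v2',

        [string]$VaultServer = $env:VAULT_ADDR,
        [string]$Token = $env:VAULT_TOKEN
    )

    if (-not $VaultServer -or -not $Token) {
        throw 'VaultServer and Token are required (set VAULT_ADDR and VAULT_TOKEN or pass them explicitly).'
    }

    # KV v2 stores secret data under <mount>/data/<path>; v1 under <mount>/<path>.
    $dataPath = if ($KVVersion -eq 'v2') { "$Mount/data/$SecretPath" } else { "$Mount/$SecretPath" }

    # Path -> capability the thread identified as required for Test-SecretVault / Get-Secret.
    $required = [ordered]@{
        'sys/mounts'        = 'read'     # Test-SecretVault checks the mount list
        'auth/token/lookup' = 'update'   # token validity check
        $dataPath           = 'read'     # the secret itself
    }

    $body = @{ paths = @($required.Keys) } | ConvertTo-Json
    try {
        $resp = Invoke-RestMethod -Method Post `
            -Uri "$($VaultServer.TrimEnd('/'))/v1/sys/capabilities-self" `
            -Headers @{ 'X-Vault-Token' = $Token } `
            -ContentType 'application/json' -Body $body
    } catch {
        throw "sys/capabilities-self failed: $($_.Exception.Message)"
    }

    foreach ($path in $required.Keys) {
        # Vault answers e.g. @('read'), @('deny') or @('root') per path.
        $granted = @($resp.data.$path)
        [pscustomobject]@{
            Path     = $path
            Required = $required[$path]
            Granted  = ($granted -join ',')
            Ok       = ($granted -contains 'root') -or ($granted -contains $required[$path])
        }
    }
}

# Usage with the thread's mount and secret; any row with Ok = False names the policy
# rule to add before retrying Register-SecretVault / Test-SecretVault.
Test-VaultKvAccess -Mount personal -SecretPath me/TestPassword | Format-Table -AutoSize
```

A token that can read the secret but shows deny on sys/mounts reproduces exactly the split seen in this thread: vault read and a direct Invoke-RestMethod on the data path succeed while Test-SecretVault fails, because only the latter needs the mount listing.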