Closed phillippover closed 2 years ago
@joshcorr any chance of some help with this as I'm still getting nowhere with it. Thanks.
Hey @phillippove sorry for the late response! I have been unable to work on this project for the last few months. I was looking at about_SecretManagement.Hashicorp.Vault.KV.Extension and you are right, there is no good example for AppRole. It is designed to work similarly to UserPass. You cannot provide the "VaultToken" parameter when registering the Vault.
If this doesn't work I can spin up my lab and take a look at the code.
It now gives me permission denied.
```powershell
Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name "secret" -VaultParameters @{ VaultServer = "http://localhost:8200"; VaultAuthType = "AppRole"; KVVersion = 'v1' }
Test-SecretVault -Name secret -Debug
```
```text
PowerShell credential request
Please Enter Role-Id and Secret-Id
User: a59392ba-33b4-f529-ee2d-1750b4fae838
Password for user a59392ba-33b4-f529-ee2d-1750b4fae838: ****
Test-SecretVault: Unable to run Test-SecretVault on vault secret
VERBOSE: Vault secret failed validation test
Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): a False
```
```powershell
$error[0] | fl -force
```
```text
Exception             : System.Management.Automation.PSInvalidOperationException: Unable to run Test-SecretVault on vault secret ---> System.Management.Automation.RuntimeException: Received an error: {"errors":["1 error occurred:\n\t* permission denied\n\n"]}
 ---> System.Management.Automation.RuntimeException: Received an error: {"errors":["1 error occurred:\n\t* permission denied\n\n"]}
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke()
   at Microsoft.PowerShell.SecretManagement.PowerShellInvoker.InvokeScriptWithHost[T](PSCmdlet cmdlet, String script, Object[] args, Exception& terminatingError) in D:\a\_work\1\s\src\code\Utils.cs:line 1554
   --- End of inner exception stack trace ---
TargetObject          : Microsoft.PowerShell.SecretManagement.ExtensionVaultModule
CategoryInfo          : InvalidOperation: (Microsoft.PowerShel…xtensionVaultModule:ExtensionVaultModule) [Test-SecretVault], PSInvalidOperationException
FullyQualifiedErrorId : TestSecretVaultInvalidOperation,Microsoft.PowerShell.SecretManagement.TestSecretVaultCommand
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at
```
This happens with any of the existing App Roles and with newly created ones. Am I missing something? The roles have CRUD permissions set to a path like "secret/system/*". Is this the issue? If so, how is that set at the PowerShell end?
The error you received is a Vault Error.
You will need access to auth/approle/login in the Vault Policy. I believe you may look in the Vault Log and Enable the Audit Log to get more visibility into which path is specifically failing.
Hi @joshcorr
Turns out I needed a few different items in the hcl file in addition to the permissions on the secrets path. Seems to be working now with the hcl below. I'll leave them here to maybe help someone in the future. Thanks for the help.
```hcl
path "secret/path/*" { capabilities = ["create", "read", "update", "delete"] }
path "auth/approle/login" { capabilities = ["read"] }
path "auth/token/lookup" { capabilities = ["read", "update"] }
path "sys/mounts" { capabilities = ["read"] }
```
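As an added example (not code from the thread or from the module), a small Python checker that parses a Vault policy written in the HCL form shown above and reports which of the paths in the working policy a given policy does not grant. It applies Vault's path-rule matching (an exact rule wins over globs, otherwise the longest matching rule; a trailing `*` is a prefix glob, `+` matches one segment, `deny` overrides). The two sample policies and the required-path list are assumptions taken from this thread.

```python
import re
from typing import Dict, List, Set

# Constructed sample policies: the reporter's first attempt (only the
# secrets path) and the policy that finally worked in the thread above.
POLICY_BEFORE = '''
path "secret/system/*" { capabilities = ["create", "read", "update", "delete"] }
'''
POLICY_AFTER = '''
path "secret/path/*" { capabilities = ["create", "read", "update", "delete"] }
path "auth/approle/login" { capabilities = ["read"] }
path "auth/token/lookup" { capabilities = ["read", "update"] }
path "sys/mounts" { capabilities = ["read"] }
'''

_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Return {path rule: set of capabilities} for a simple one-block-per-path HCL policy."""
    rules: Dict[str, Set[str]] = {}
    for path, caps in _RULE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def _matches(rule: str, path: str) -> bool:
    # Vault path rules: a trailing '*' is a prefix glob, '+' matches exactly one segment.
    glob = rule.endswith("*")
    rule_segs = (rule[:-1] if glob else rule).split("/")
    path_segs = path.split("/")
    if glob:
        head, last = rule_segs[:-1], rule_segs[-1]
        if len(path_segs) <= len(head):
            return False
        return all(r in ("+", p) for r, p in zip(head, path_segs)) and path_segs[len(head)].startswith(last)
    return len(rule_segs) == len(path_segs) and all(r in ("+", p) for r, p in zip(rule_segs, path_segs))


def capabilities_for(rules: Dict[str, Set[str]], path: str) -> Set[str]:
    """Exact rule wins, then the longest matching glob rule; 'deny' overrides everything."""
    matched = [r for r in rules if _matches(r, path)]
    if not matched:
        return set()
    exact = [r for r in matched if not r.endswith("*")]
    caps = rules[exact[0] if exact else max(matched, key=len)]
    return set() if "deny" in caps else caps


def missing_access(hcl: str, secret_path: str) -> List[str]:
    """Paths (with capability) from the working policy above that this policy does not grant."""
    required = [("auth/approle/login", "read"), ("auth/token/lookup", "update"),
                ("sys/mounts", "read"), (secret_path, "read")]  # assumption: taken from the thread
    rules = parse_policy(hcl)
    return [f"{p} ({c})" for p, c in required if c not in capabilities_for(rules, p)]
```

Running `missing_access(POLICY_BEFORE, "secret/system/app1")` lists the three auth/sys paths the reporter had to add, while the working policy reports nothing missing for a path under `secret/path/`.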
Describe the bug Cannot seem to set or retrieve any secrets in a Vault using AppRole authentication. Invoking Test-SecretVault fails with an error:
```text
Exception             : System.Management.Automation.PSInvalidOperationException: Unable to run Test-SecretVault on vault secret ---> System.Management.Automation.CmdletInvocationException: Input string was not in a correct format. ---> System.FormatException: Input string was not in a correct format.
   at System.Number.ThrowOverflowOrFormatException(ParsingStatus status, TypeCode type)
   at System.Byte.Parse(ReadOnlySpan`1 s, NumberStyles style, IFormatProvider provider)
   at Microsoft.PowerShell.SecureStringHelper.ByteArrayFromString(String s)
   at Microsoft.PowerShell.SecureStringHelper.Unprotect(String input)
   at Microsoft.PowerShell.Commands.ConvertToSecureStringCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke()
   at Microsoft.PowerShell.SecretManagement.PowerShellInvoker.InvokeScriptWithHost[T](PSCmdlet cmdlet, String script, Object[] args, Exception& terminatingError) in D:\a\_work\1\s\src\code\Utils.cs:line 1554
   --- End of inner exception stack trace ---
TargetObject          : Microsoft.PowerShell.SecretManagement.ExtensionVaultModule
CategoryInfo          : InvalidOperation: (Microsoft.PowerShel…xtensionVaultModule:ExtensionVaultModule) [Test-SecretVault], PSInvalidOperationException
FullyQualifiedErrorId : TestSecretVaultInvalidOperation,Microsoft.PowerShell.SecretManagement.TestSecretVaultCommand
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at
PipelineIterationInfo : {0, 1}
PSMessageDetails      :
```
Invoking Register-SecretVault with the following commands:
```powershell
[securestring]$secure_password = ConvertTo-SecureString $user_password -AsPlainText -Force
[pscredential]$credentials = New-Object System.Management.Automation.PSCredential ($user_name, $secure_password)
Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name "secret" -VaultParameters @{ VaultServer = "http://localhost:8200"; VaultAuthType = "AppRole"; KVVersion = 'v1'; VaultToken = $credentials; VaultSkipVerify = $false }
```
Don't know if this is correct, but haven't found any useful examples to confirm.
To Reproduce
Steps to reproduce the behavior:
```text
Confirm Continue with this operation? [Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): False
```
Expected behavior
Test-SecretVault returns success/true
Screenshots If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
```text
PSVersion                      7.2.5
PSEdition                      Core
GitCommitId                    7.2.5
OS                             Linux 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

ModuleType Version PreRelease Name                                 ExportedCommands
Binary     1.1.2              Microsoft.PowerShell.SecretManagem…  {Get-Secret, Get-SecretInfo, Get-SecretVault, Register-SecretVault…}
Manifest   2.0.1   Preview    SecretManagement.Hashicorp.Vault.KV
```
Additional context Add any other context about the problem here.