joshcorr / SecretManagement.Hashicorp.Vault.KV

A PowerShell SecretManagement extension for Hashicorp Vault Key Value Engine
MIT License

[BUG] Test-SecretVault fails with "Input string was not in a correct format", cannot set secrets #36

Closed phillippover closed 2 years ago

phillippover commented 2 years ago

Describe the bug
Cannot seem to set or retrieve any secrets in a Vault using AppRole authentication. Invoking Test-SecretVault fails with an error:

```text
Exception             : System.Management.Automation.PSInvalidOperationException: Unable to run Test-SecretVault on vault secret ---> System.Management.Automation.CmdletInvocationException: Input string was not in a correct format. ---> System.FormatException: Input string was not in a correct format.
                           at System.Number.ThrowOverflowOrFormatException(ParsingStatus status, TypeCode type)
                           at System.Byte.Parse(ReadOnlySpan`1 s, NumberStyles style, IFormatProvider provider)
                           at Microsoft.PowerShell.SecureStringHelper.ByteArrayFromString(String s)
                           at Microsoft.PowerShell.SecureStringHelper.Unprotect(String input)
                           at Microsoft.PowerShell.Commands.ConvertToSecureStringCommand.ProcessRecord()
                           at System.Management.Automation.Cmdlet.DoProcessRecord()
                           at System.Management.Automation.CommandProcessor.ProcessRecord()
                           --- End of inner exception stack trace ---
                           at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
                           at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
                           at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
                           at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
                           at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
                           at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
                           at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
                           at System.Management.Automation.PowerShell.Invoke()
                           at Microsoft.PowerShell.SecretManagement.PowerShellInvoker.InvokeScriptWithHost[T](PSCmdlet cmdlet, String script, Object[] args, Exception& terminatingError) in D:\a\_work\1\s\src\code\Utils.cs:line 1554
                           --- End of inner exception stack trace ---
TargetObject          : Microsoft.PowerShell.SecretManagement.ExtensionVaultModule
CategoryInfo          : InvalidOperation: (Microsoft.PowerShel…xtensionVaultModule:ExtensionVaultModule) [Test-SecretVault], PSInvalidOperationException
FullyQualifiedErrorId : TestSecretVaultInvalidOperation,Microsoft.PowerShell.SecretManagement.TestSecretVaultCommand
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at , : line 1
PipelineIterationInfo : {0, 1}
PSMessageDetails      :
```

Invoking Register-SecretVault with the following commands:

```powershell
[securestring]$secure_password = ConvertTo-SecureString $user_password -AsPlainText -Force
[pscredential]$credentials = New-Object System.Management.Automation.PSCredential ($user_name, $secure_password)
Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name "secret" -VaultParameters @{
    VaultServer     = 'http://localhost:8200'
    VaultAuthType   = 'AppRole'
    KVVersion       = 'v1'
    VaultToken      = $credentials
    VaultSkipVerify = $false
}
```

Don't know if this is correct, but haven't found any useful examples to confirm.

To Reproduce
Steps to reproduce the behavior:

  1. Register the vault:

     ```powershell
     [securestring]$secure_password = ConvertTo-SecureString $user_password -AsPlainText -Force
     [pscredential]$credentials = New-Object System.Management.Automation.PSCredential ($user_name, $secure_password)
     Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name "secret" -VaultParameters @{
         VaultServer     = 'http://localhost:8200'
         VaultAuthType   = 'AppRole'
         KVVersion       = 'v1'
         VaultToken      = $credentials
         VaultSkipVerify = $false
     }
     ```

  2. `Test-SecretVault -Name secret -Debug`
  3. Output:

     ```text
     Test-SecretVault: Unable to run Test-SecretVault on vault secret
     VERBOSE: Vault secret failed validation test

     Confirm
     Continue with this operation?
     [Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"):
     False
     ```

Expected behavior
Test-SecretVault returns success/true

phillippover commented 2 years ago

@joshcorr any chance of some help with this as I'm still getting nowhere with it. Thanks.

joshcorr commented 2 years ago

Hey @phillippover, sorry for the late response! I have been unable to work on this project for the last few months. I was looking at about_SecretManagement.Hashicorp.Vault.KV.Extension and you are right, there is no good example for AppRole. It is designed to work similarly to UserPass. You cannot provide the "VaultToken" parameter when registering the vault.

If this doesn't work I can spin up my lab and take a look at the code.

phillippover commented 2 years ago

It now gives me permission denied.

```powershell
Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name "secret" -VaultParameters @{
    VaultServer   = 'http://localhost:8200'
    VaultAuthType = 'AppRole'
    KVVersion     = 'v1'
}
Test-SecretVault -Name secret -Debug
```

Output:

```text
PowerShell credential request
Please Enter Role-Id and Secret-Id
User: a59392ba-33b4-f529-ee2d-1750b4fae838
Password for user a59392ba-33b4-f529-ee2d-1750b4fae838: ****

Test-SecretVault: Unable to run Test-SecretVault on vault secret
VERBOSE: Vault secret failed validation test

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): a
False
```

`$error[0] | fl -force`:

```text
Exception             : System.Management.Automation.PSInvalidOperationException: Unable to run Test-SecretVault on vault secret ---> System.Management.Automation.RuntimeException: Received an error: {"errors":["1 error occurred:\n\t* permission denied\n\n"]}
                         ---> System.Management.Automation.RuntimeException: Received an error: {"errors":["1 error occurred:\n\t* permission denied\n\n"]}
                           --- End of inner exception stack trace ---
                           at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
                           at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
                           at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
                           at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
                           at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
                           at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
                           at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
                           at System.Management.Automation.PowerShell.Invoke()
                           at Microsoft.PowerShell.SecretManagement.PowerShellInvoker.InvokeScriptWithHost[T](PSCmdlet cmdlet, String script, Object[] args, Exception& terminatingError) in D:\a\_work\1\s\src\code\Utils.cs:line 1554
                           --- End of inner exception stack trace ---
TargetObject          : Microsoft.PowerShell.SecretManagement.ExtensionVaultModule
CategoryInfo          : InvalidOperation: (Microsoft.PowerShel…xtensionVaultModule:ExtensionVaultModule) [Test-SecretVault], PSInvalidOperationException
FullyQualifiedErrorId : TestSecretVaultInvalidOperation,Microsoft.PowerShell.SecretManagement.TestSecretVaultCommand
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at , : line 1
PipelineIterationInfo : {0, 1}
PSMessageDetails      :
```

This happens with any of the existing App Roles and with newly created ones. Am I missing something? The roles have CRUD permissions set to a path like "secret/system/*". Is this the issue? If so how is that set at the powershell end?

joshcorr commented 2 years ago

The error you received is a Vault Error.

You will need access to auth/approle/login in the Vault Policy. I believe you may look in the Vault Log and Enable the Audit Log to get more visibility into which path is specifically failing.

phillippover commented 2 years ago

Hi @joshcorr

Turns out I needed a few different items in the HCL file in addition to the permissions on the secrets path. Seems to be working now with the HCL below. I'll leave them here to maybe help someone in the future. Thanks for the help.

```hcl
path "secret/path/*" {
  capabilities = ["create", "read", "update", "delete"]
}

path "auth/approle/login" {
  capabilities = ["read"]
}

path "auth/token/lookup" {
  capabilities = ["read", "update"]
}

path "sys/mounts" {
  capabilities = ["read"]
}
```
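The "permission denied" above is a Vault policy error, and the closing HCL shows which paths ended up being needed. The script below is an added example (not code from this thread or from the SecretManagement.Hashicorp.Vault.KV module) that checks the same thing without the extension in the way: it logs in with the Role-Id/Secret-Id pair the extension prompts for, asks Vault which capabilities that token has on each path named in the policy above, and then attempts the KV read that fails in the thread, so a 403 can be tied to one concrete path. It assumes a reachable Vault at `$env:VAULT_ADDR` (default `http://localhost:8200`), AppRole mounted at `auth/approle`, a token that carries Vault's built-in `default` policy (which is what allows `sys/capabilities-self`, `auth/token/lookup-self` and `auth/token/revoke-self`), and a hypothetical KV v1 path `secret/path/example`.

```powershell
# Added diagnostic example; not part of the issue thread or the module's code.
# Assumptions: Vault at $env:VAULT_ADDR (default http://localhost:8200), AppRole
# at auth/approle, the AppRole token carries the built-in "default" policy, and
# $SecretPath is a hypothetical KV v1 path used only for illustration.
[CmdletBinding()]
param(
    [string]$VaultAddr = $(if ($env:VAULT_ADDR) { $env:VAULT_ADDR } else { 'http://localhost:8200' }),
    # Same shape the extension prompts for: UserName = Role-Id, Password = Secret-Id.
    [pscredential]$AppRole = (Get-Credential -Message 'Please Enter Role-Id and Secret-Id'),
    [string]$SecretPath = 'secret/path/example'
)

$ErrorActionPreference = 'Stop'

# 1. AppRole login. The login call itself is unauthenticated and carries the
#    Secret-Id in the body, so outside a lab this must go over TLS.
$loginBody = @{
    role_id   = $AppRole.UserName
    secret_id = $AppRole.GetNetworkCredential().Password
} | ConvertTo-Json
$login = Invoke-RestMethod -Method Post -Uri "$VaultAddr/v1/auth/approle/login" `
    -ContentType 'application/json' -Body $loginBody
$headers = @{ 'X-Vault-Token' = $login.auth.client_token }
Write-Host ("Logged in; token policies: {0}; TTL {1}s" -f ($login.auth.policies -join ', '), $login.auth.lease_duration)

# 2. Ask Vault what this token may do on each path the thread's policy names.
#    sys/capabilities-self is allowed by the default policy; "deny" or an empty
#    list means the policy attached to the AppRole does not cover that path.
$paths = @($SecretPath, 'auth/approle/login', 'auth/token/lookup', 'sys/mounts')
$caps = Invoke-RestMethod -Method Post -Uri "$VaultAddr/v1/sys/capabilities-self" `
    -Headers $headers -ContentType 'application/json' -Body (@{ paths = $paths } | ConvertTo-Json)
foreach ($p in $paths) {
    # Per-path results live under .data on current Vault versions; fall back to top level.
    $have = @(if ($caps.data) { $caps.data.$p } else { $caps.$p })
    $flag = if ($have.Count -eq 0 -or $have -contains 'deny') { 'MISSING' } else { 'ok' }
    Write-Host ("{0,-8} {1,-30} {2}" -f $flag, $p, ($have -join ','))
}

# 3. Reproduce the operation that fails in the thread: a read of the KV v1 path.
try {
    $kv = Invoke-RestMethod -Uri "$VaultAddr/v1/$SecretPath" -Headers $headers
    Write-Host "Read $SecretPath ok; keys: $($kv.data.PSObject.Properties.Name -join ', ')"
} catch {
    # Vault answers HTTP 403 with {"errors":["... permission denied ..."]}, the same
    # body that surfaces inside the Test-SecretVault exception above.
    $status = $_.Exception.Response.StatusCode.value__
    Write-Warning "GET $SecretPath failed with HTTP $status : $($_.ErrorDetails.Message)"
}

# 4. Do not leave a live AppRole token behind after the check.
Invoke-RestMethod -Method Post -Uri "$VaultAddr/v1/auth/token/revoke-self" -Headers $headers | Out-Null
```

Run it as `.\Test-AppRolePolicy.ps1 -SecretPath 'secret/system/example'` (any file name works) and read the `MISSING` rows together with the Vault audit log joshcorr mentions: the audit entry for the 403 names the exact request path, which is what to add to the HCL policy before registering the vault with the extension.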