Closed darrenjlewington closed 2 years ago
konidev20
commented
2 years ago I'm currently using the l;atest version of VaultSharp in a project.
Can you tell me if it's possible to generate a secret-id using the library please?
Something along the lines of: vault write -force auth/apppole/role/myapp/secret-id
Thank you in advance
Darren
Hey currently this API has not been implemented yet in the VaultSharp library. I will try to add this functionality and raise a PR
darrenjlewington
commented
2 years ago Thank you.
Regards,
Darren
konidev20
commented
2 years ago Hey @darrenjlewington, I have added the following method to pull a secret-id. Refer: https://developer.hashicorp.com/vault/api-docs/auth/approle#generate-new-secret-id
/// <summary>
/// Generates and issues a new SecretID on an existing AppRole.
/// Similar to tokens, the response will also contain a
/// secret_id_accessor value which can be used to read the properties
/// of the SecretID without divulging the SecretID itself, and also to
/// delete the SecretID from the AppRole.
/// </summary>
/// <param name="roleName"></param>
/// <param name="mountPoint"></param>
/// <param name="secretIdRequestOptions"></param>
/// <returns></returns>
Task<Secret<SecretIdInfo>> PullSecretIdAsync(string roleName, string mountPoint = "approle", SecretIdRequestOptions secretIdRequestOptions = null);There is a push version of the API as well, where you can push a specific string to be the secret-id. Let me know if you need it. Refer: https://developer.hashicorp.com/vault/api-docs/auth/approle#create-custom-approle-secret-id
Since you want the secret-id, I though you might as well need the role-id and have implemented the read role-id endpoint. Refer: https://developer.hashicorp.com/vault/api-docs/auth/approle#read-approle-role-id
/// <summary>
/// Reads the RoleID of an existing AppRole.
/// </summary>
/// <param name="roleName">Name of the Role.</param>
/// <param name="mountPoint">Mount point of the AppRole Auth method</param>
/// <returns>RoleId of Named AppRole</returns>
Task<Secret<RoleIdInfo>> GetRoleIdAsync(string roleName, string mountPoint = "approle");Thanks & Regards, @konidev20
darrenjlewington
commented
2 years ago Hi @konidev20,
That's great. Thank you so much.
The extra role-id functionality will come in useful as well.
I don't think that I'll need the push version of the API at this moment in time.
But one more thing that would come in handy if it's not to much trouble, is the ability to retrieve a wrapped secret-id. Something along the lines of: vault write -wrap-ttl=120s -f auth/apppole/role/myapp/secret-id.
Thank you once again for your extremely prompt reply & action.
Kind regards,
Darren
darrenjlewington
commented
2 years ago Hi @konidev20,
I've just got round to trying out the new changes, and I'm hitting a couple of issues:
1) ReadRoleAsync is returning a different value for RequestID each time its called, & the value returned is not recognised in a subsquent call to ReadSecretAsync. An invalid role ID exception is being generated. It should be noted however that other information related to the role (e.g., TokenPolicies, SecretIdTimeToLive) appear to be returning correctly:
IAuthMethodInfo authMethod = new TokenAuthMethodInfo(rootToken);
var vaultClientSettings = new VaultClientSettings(vaultAddress, authMethod);
IVaultClient vaultClient = new VaultClient(vaultClientSettings);
var role_id = vaultClient.V1.Auth.AppRole.ReadRoleAsync(myRole).Result;
authMethod = new AppRoleAuthMethodInfo(role_id.RequestId, secret_id); // **role_id.RequestId has a different value on each call to ReadRoleAsync, above.**
vaultClientSettings = new VaultClientSettings(vaultAddress, authMethod);
vaultClient = new VaultClient(vaultClientSettings);
var vaultSecret = vaultClient.V1.Secrets.KeyValue.V1.ReadSecretAsync(myPath + "/" + "appSettings", mountPoint: "secret").Result; // **Exception is generated here.**2) A call to PullSecretIdAsync throws the exception - unsupported operation:
IAuthMethodInfo authMethod = new TokenAuthMethodInfo(rootToken);
var vaultClientSettings = new VaultClientSettings(vaultAddress, authMethod);
IVaultClient vaultClient = new VaultClient(vaultClientSettings);
var secret_id = vaultClient.V1.Auth.AppRole.PullSecretIdAsync(myRole).Result; // **Exception is generated here.**Would it be possible for you to look into these issues for me please?
Thank you in advance for your help & assistance. It's greatly appreciated.
Kind regards,
Darren
konidev20
commented
2 years ago Hey @darrenjlewington,
For 1. Please check the parameters for the parameterised constructor of AppRoleMethodInfo; we need the mountPoint, roleId and secretId.
As per my understanding the request ID for each request is unique to the request and cannot be utilised for subsequent calls. Please check the usage in the Vault Documentation. I'm not aware of its use.
As for 2. I will check it out and let you know.
konidev20
commented
2 years ago Hey @darrenjlewington
The requestId is not the roleId. You have to fetch the roleId using the GetRoleIdAsync method. :)
If you see the AppRoleInfo object doesn't return the roleId. In addition to this, the Result of
var role_id = vaultClient.V1.Auth.AppRole.ReadRoleAsync(myRole).Result
Returns a Secret object. The Data contains the AppRoleInfo.
konidev20
commented
2 years ago Please check the usage. The API support wrapping as well by default through the Secret object.
darrenjlewington
commented
2 years ago Hi @konidev20,
Thank you very much for getting back to me, especially on a Sunday.
My apologies for my intial misunderstanding of the requestId property. I've checked the mountPoint & the default vaule of approle is correct. I've also changed the method call to GetRoleIdAsync.
I've just tested again, & I'm now hitting the following 2 issues:
1) GetRoleIdAsync is throwing the following exception:- JsonReaderException: Could not convert string to integer: a2a301e4-7bcf-c0b5-010e-1ce69b5461e7. Path 'data.role_id', line 1, position 160:
IAuthMethodInfo authMethod = new TokenAuthMethodInfo(rootToken);
var vaultClientSettings = new VaultClientSettings(vaultAddress, authMethod);
IVaultClient vaultClient = new VaultClient(vaultClientSettings);
var roleInfo = vaultClient.V1.Auth.AppRole.GetRoleIdAsync(myRole).Result;2) PullSecretIdAsync is throwing the following exception:- VaultApiException: {"errors":["1 error occurred:\n\t* unsupported operation\n\n"]}:
IAuthMethodInfo authMethod = new TokenAuthMethodInfo(rootToken);
var vaultClientSettings = new VaultClientSettings(vaultAddress, authMethod);
IVaultClient vaultClient = new VaultClient(vaultClientSettings);
var secretInfo = vaultClient.V1.Auth.AppRole.PullSecretIdAsync(myRole).Result;Thank you in advance for your continued help & assistance.
Kind regards,
Darren
konidev20
commented
2 years ago Hey @darrenjlewington,
I've pushed the fixes for both issues. They were typos from my side. I didn't test this fully yet, thank you for bearing with me :)
darrenjlewington
commented
2 years ago Hi @konidev20,
Thank you for bearing with me to. :) I am so grateful for all of your help.
I've just tested out the changes & they work perfectly.
Thank you so much for all your time & effort expended on this. It really is greatly appreciated.
Kind regards,
Darren
konidev20
commented
2 years ago Hi @konidev20,
Thank you for bearing with me to. :) I am so grateful for all of your help.
I've just tested out the changes & they work perfectly.
Thank you so much for all your time & effort expended on this. It really is greatly appreciated.
Kind regards,
Darren
It's my pleasure 😄 @darrenjlewington
I will work with @rajanadar on the PR so that this functionality is GA on the VaultSharp.
rajanadar
commented
1 year ago Available here: https://www.nuget.org/packages/VaultSharp/1.7.2
darrenjlewington
commented
1 year ago Thank you very much rajanadar.
Kind regards,
Darren
I'm currently using the l;atest version of VaultSharp in a project. Can you tell me if it's possible to generate a secret-id using the library please? Something along the lines of: vault write -force auth/apppole/role/myapp/secret-id Thank you in advance Darren