Closed kirankg15 closed 1 year ago
@kirankg15
The first parameter for ReadSecretAsync is not the namespace. It is the path of the secret. You're using namespace. Change and let me know.
@rajanadar I updated my comment and code as well, please recheck.
Here is a sample snippet that can read a secret. You don't need to provide namespace here
var secret = vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(path: "test2-key", mountPoint: "xyz-kv-secret").Result;
@rajanadar Added that snippet but still same error
Then the role policies need to be checked. Can you try using CLI? If you see the same error, then the role has been set up with some missing permissions.
Yes, I set them through the CLI, and when I test them with Postman methods I can see secrets.
But as you said let me recheck the role policies again.
@rajanadar I recreated the policy.
Also recreated the role with attached policy
Still getting the same error. But when tested through the API, I can get the secret.
Can you show me the API call that is working? The URL, Header etc.
Here is a working API call.
How did you get the token in that header? The hvs.C*** one? Did you get it by doing a CLI login on the AppRole role id, secret id etc.?
Yes, I retrieved it with the role id and secret id by hitting another API method call. Call: V1/auth/approle/login. Then I am using that token in the above-mentioned API to fetch secrets.
Can you let me know the exact URL you used to fetch the login token?
v1/auth/approle/login doesn't sound right because your mountpoint in the other snippet says test_approle as the mount point. So the login URL should be v1/auth/test_approle/login
@rajanadar That's the correct URL: v1/auth/test_approle/login
I just gave you a modified one for security reasons.
OK thanks.
Instead of app role Auth info, can you please use the TokenAuthMethod and use the above working token, and then try the same read secret call? Only for debugging purposes.
Vault Sharp will throw a nice exception, if it is not able to fetch a vault token using the app role parameters. Because you didn't get that error, I don't think the problem is in the app role token creation.
The problem seems to be more on the policies. Some path or namespace is creating the issue
@rajanadar With token authentication also, I am getting the same error.
@rajanadar Hey, the issue finally got resolved. The URL was the culprit. I was appending /V1 to the base URL. I rechecked all your methods, where you are already appending V1 /auth wherever necessary, so I removed it and tried. It worked like a charm.
Good to hear.
I am using the AppRole auth method.
I initialized the auth method
Then built the vault settings
I am using the secret path as a combination of namespace + secret path
When fetching secrets, it gives a permission denied error.
When I check the auth method info, it shows null. So is this causing the error: permission denied?
Please suggest.
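The fix reported in this thread was removing an extra `/V1` from the configured base URL, since the client methods already append the `v1/...` prefix. The following is an added example, not code from VaultSharp or from either participant: a startup check that catches that misconfiguration before any login or secret read is attempted. `VaultAddress.Normalize` is a hypothetical helper and `vault.example.test` is a placeholder host.

```csharp
using System;

public static class VaultAddress
{
    // Hypothetical helper: returns the base address with a trailing "/v1"
    // segment removed and reports whether one was present. The result is the
    // value to hand to the client settings as the Vault server address.
    public static string Normalize(string configured, out bool hadApiSegment)
    {
        if (!Uri.TryCreate(configured, UriKind.Absolute, out var uri) ||
            (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps))
        {
            throw new ArgumentException($"Not an absolute http(s) URL: '{configured}'");
        }

        // Keep any reverse-proxy prefix; only a final "v1" segment is dropped.
        var path = uri.AbsolutePath.TrimEnd('/');
        hadApiSegment = path.EndsWith("/v1", StringComparison.OrdinalIgnoreCase);
        if (hadApiSegment)
        {
            path = path.Substring(0, path.Length - "/v1".Length);
        }

        return uri.GetLeftPart(UriPartial.Authority) + path;
    }

    public static void Main()
    {
        // Constructed sample inputs covering the case from this thread ("/V1"),
        // a trailing slash, and a path prefix in front of the API segment.
        string[] samples =
        {
            "https://vault.example.test:8200",
            "https://vault.example.test:8200/V1",
            "https://vault.example.test:8200/v1/",
            "https://vault.example.test/proxy/v1",
        };

        foreach (var sample in samples)
        {
            var address = Normalize(sample, out var hadApiSegment);
            var note = hadApiSegment ? "  (removed API version segment)" : "";
            Console.WriteLine($"{sample} -> {address}{note}");
        }
    }
}
```

Logging the warning rather than silently rewriting the value makes the misconfiguration visible, which matters here because the symptom in this thread was a permission denied error rather than an obvious bad-URL error.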