User with assigned policy can't access secrets - hashicorp-vault

I have created a kv (version 2) secrets engine, mounted on /secret:
$ vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_915b3383 per-token private secret storage
identity/ identity identity_9736df92 identity store
secret/ kv kv_8ba16621 n/a
sys/ system system_357a0e34 system endpoints used for control, policy and debugging
I have created a policy that should give admin access to everything in myproject:
$ vault policy read myproject
path "secret/myproject/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
I have created a secret in the appropriate path (with root token):
$ vault kv put secret/myproject/entry1 pass=pass
Key Value
--- -----
created_time 2022-05-11T15:06:49.658185443Z
deletion_time n/a
destroyed false
version 1
I have created a user that has been assigned the given policy:
$ vault token lookup
Key Value
--- -----
accessor CBnMF4i2cgadYoMNAX1YHaX6
creation_time 1652281774
creation_ttl 168h
display_name userpass-myproject
entity_id ad07640c-9440-c4a1-b668-ab0b8d07fe93
expire_time 2022-05-18T15:09:34.799969629Z
explicit_max_ttl 0s
id s.FO7PrOBdvC3KB85N46E05msi
issue_time 2022-05-11T15:09:34.799982017Z
meta map[username:myproject]
num_uses 0
orphan true
path auth/userpass/login/myproject
policies [default myproject]
renewable true
ttl 167h53m36s
type service
However when I try to access anything (list,get), I get a 403 error:
$ vault kv list secret/myproject
Error listing secret/metadata/myproject: Error making API request.
URL: GET https://example.vault/v1/secret/metadata/myproject?list=true
Code: 403. Errors:
* 1 error occurred:
* permission denied
$ vault kv get secret/myproject/entry1
Error reading secret/data/myproject/entry1: Error making API request.
URL: GET https://vault.private.gsd.sparkers.io/v1/secret/data/myproject/entry1
Code: 403. Errors:
* 1 error occurred:
* permission denied
When I change the policy to this (change path to secret/*), I get access to everything:
$ vault policy read myproject
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
$ vault kv get secret/myproject/entry1
====== Metadata ======
Key Value
--- -----
created_time 2022-05-11T15:06:49.658185443Z
deletion_time n/a
destroyed false
version 1
==== Data ====
Key Value
--- -----
pass pass
What am I doing wrong?

It turns out that you need to define your policy like this:
path "secret/metadata/myproject/*" {
  capabilities = ["list"]
}
path "secret/data/myproject/*" {
  capabilities = ["create", "read", "update", "delete"]
}
because with engine v2 kv list prepends metadata to your path, and kv get prepends data to your path.
No idea how I missed the documentation on this here: https://www.vaultproject.io/docs/secrets/kv/kv-v2:
Writing and reading versions are prefixed with the data/ path.
Thank you #Matt Schuchard
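The following Python snippet is an added illustration, not code from the question, the answer or HashiCorp. It models the two things the answer describes: how the `vault kv` CLI rewrites a KV v2 path (inserting `data/` for get/put/delete and `metadata/` for list) and how a policy's path rules are matched against that rewritten path. The policy matcher is a deliberately simplified model of Vault's ACL (exact rules win over globs, the longest matching glob wins, a trailing `*` matches any suffix, and a list request is evaluated with a trailing slash); Vault's `+` single-segment wildcard is not modelled. The policies embedded below are the original and corrected ones from this thread.

```python
import re
from typing import Dict, List, Tuple

# KV v2 API prefix that "vault kv <subcommand>" inserts after the mount point.
KV2_PREFIX = {"get": "data", "put": "data", "delete": "data", "list": "metadata"}
# Capability the ACL must grant for each subcommand.
KV2_CAPABILITY = {"get": "read", "put": "update", "delete": "delete", "list": "list"}


def kv2_api_path(mount: str, subcommand: str, path: str) -> str:
    """Return the API path that 'vault kv <subcommand> <mount>/<path>' really requests.

    Assumption of this model: list requests are evaluated against the path with a
    trailing slash, which is why a "secret/metadata/myproject/*" rule covers
    "vault kv list secret/myproject".
    """
    api = f"{mount.rstrip('/')}/{KV2_PREFIX[subcommand]}/{path.strip('/')}"
    if subcommand == "list" and not api.endswith("/"):
        api += "/"
    return api


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Extract path -> capabilities from a simple Vault policy (HCL subset only)."""
    rules: Dict[str, List[str]] = {}
    pattern = r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]'
    for m in re.finditer(pattern, hcl):
        rules[m.group(1)] = re.findall(r'"([^"]+)"', m.group(2))
    return rules


def allowed(policy: Dict[str, List[str]], path: str, capability: str) -> bool:
    """True if the policy grants `capability` on `path`.

    Exact rules take precedence; otherwise the longest glob rule whose prefix
    (everything before the trailing '*') matches the path is used.
    """
    if path in policy:
        return capability in policy[path]
    globs = [r for r in policy if r.endswith("*") and path.startswith(r[:-1])]
    if not globs:
        return False
    return capability in policy[max(globs, key=len)]


# Constructed from the thread: the policy that failed and the one that works.
ORIGINAL_POLICY = '''
path "secret/myproject/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''
FIXED_POLICY = '''
path "secret/metadata/myproject/*" {
  capabilities = ["list"]
}
path "secret/data/myproject/*" {
  capabilities = ["create", "read", "update", "delete"]
}
'''


def check(policy_hcl: str, subcommand: str, path: str, mount: str = "secret") -> Tuple[str, bool]:
    """Translate a CLI request to its API path and evaluate it against the policy."""
    api = kv2_api_path(mount, subcommand, path)
    return api, allowed(parse_policy(policy_hcl), api, KV2_CAPABILITY[subcommand])


if __name__ == "__main__":
    for name, pol in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        for sub, p in (("get", "myproject/entry1"), ("list", "myproject")):
            api, ok = check(pol, sub, p)
            verdict = "allowed" if ok else "403 permission denied"
            print(f"{name:8} kv {sub:4} -> {api:32} {verdict}")
```

Running it shows the original rule never matches because every real request path starts with `secret/data/` or `secret/metadata/`, not `secret/myproject/`, while `secret/*` (the broad rule from the question) matches everything under the mount, which is why it "worked" but over-grants.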

Related

Azure devops Variables and Terraform

I am trying to create an Azure Key Vault with the help of Terraform, where I want to save my DB password in my Azure DevOps pipeline because obviously I cannot hardcode it in my tfvars file.
As you can see, I am creating an empty job and saving my password variable with its value in the pipeline,
but I am not able to understand why my terraform plan is waiting in the console as if it is asking the user to enter the password.
Below is a snapshot of the log:
Can you please help me with what I am missing here?
Also, when I pass my password on the command line, I get the error below:
2022-05-13T05:11:00.5948619Z │ Error: building account: getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'a527faff-6956-4b8a-93ad-d9a14ab41610'.\r\nTrace ID: 81c1b1e8-1b0c-4f21-ad90-baf277d43801\r\nCorrelation ID: c77d437b-a6e8-4a74-8342-1508de00fa3a\r\nTimestamp: 2022-05-13 05:11:00Z","error_codes":[7000215],"timestamp":"2022-05-13 05:11:00Z","trace_id":"81c1b1e8-1b0c-4f21-ad90-baf277d43801","correlation_id":"c77d437b-a6e8-4a74-8342-1508de00fa3a","error_uri":"https://login.microsoftonline.com/error?code=7000215"} Endpoint https://login.microsoftonline.com/*/oauth2/token?api-version=1.0", resp:(http.Response)(0xc00143c000)}, PackageType:"azure.BearerAuthorizer", Method:"WithAuthorization", StatusCode:401, Message:"Failed to refresh the Token for request to https://graph.windows.net//servicePrincipals?%24filter=appId+eq+%27a527faff-6956-4b8a-93ad-d9a14ab41610%27&api-version=1.6", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc00143c000)}
2022-05-13T05:11:00.5952404Z │

Terraform apply error 'The number of path segments is not divisible by 2' for Azure App Feature Flag

Why am I seeing this error? It is hard to find any answer to this anywhere. I am using Terraform v2.93.0
and I also tried 2.90.0 and 2.56.0, and got the same problem. I was adding configs just fine, but
as soon as I tried to configure a Feature Flag, it breaks the Terraform project AND
I am forced to rebuild and re-init from scratch. Terraform is not able to recover on its own if I remove the config and run plan again.
╷
│ Error: while parsing resource ID: while parsing resource ID:
│ The number of path segments is not divisible by 2 in
│ "subscriptions/{key}/resourceGroups/my-config-test/providers/Microsoft.AppConfiguration/configurationStores/my-app-configuration/AppConfigurationFeature/.appconfig.featureflag/DEBUG/Label/my-functions-test"
│
│ while parsing resource ID: while parsing resource ID:
│ The number of path segments is not divisible by 2 in
│ "subscriptions/{key}/resourceGroups/my-config-test/providers/Microsoft.AppConfiguration/configurationStores/my-app-configuration/AppConfigurationFeature/.appconfig.featureflag/DEBUG/Label/my-functions-test"
╵
╷
│ Error: obtaining auth token for "https://my-app-configuration.azconfig.io": getting authorization token for endpoint https://my-app-configuration.azconfig.io:
│ obtaining Authorization Token from the Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: The command failed with an unexpected error. Here is the traceback:
│ ERROR: [Errno 2] No such file or directory
WHY is the slash missing from the front of the ID????
And here is the config that breaks it:
resource "azurerm_app_configuration_feature" "my_functions_test_DEBUG" {
  configuration_store_id = azurerm_app_configuration.my_app_configuration.id
  description            = "Debug Flag"
  name                   = "DEBUG"
  label                  = "my-functions-test"
  enabled                = false
}
When it is healthy, the apply on configs works, and looks like this:
Plan: 4 to add, 0 to change, 0 to destroy.
Do you want to perform these actions in workspace "my-app-config-test"?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
azurerm_resource_group.my_config_rg_test: Creating...
azurerm_resource_group.my_config_rg_test: Creation complete after 0s [id=/subscriptions/{key}/resourceGroups/my-config-test]
Ok, I figured it out. There is a bug: when you create an azurerm_app_configuration_key resource, the key can be like so: key = "/application/config.EXSTREAM_DOMAIN". BUT when you create an azurerm_app_configuration_feature, you will HOSE your terraform config if you try to set the name field to name = ".appconfig.featureflag/DEBUG". Instead, just set the name field to "DEBUG". If you don't do that, you have to completely reset your terraform and re-initialize all the resources. Had to learn the hard way. The error message was not helpful but could be updated to be helpful in this respect.
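As an added illustration (not the provider's code and not part of the question or answer above), the Python below mimics the key/value pairing an Azure resource ID parser performs and shows why a `/` inside the feature flag name makes the segment count odd. The ID layout `<configuration_store_id>/AppConfigurationFeature/<name>/Label/<label>` is taken from the error message in the question; treating it as the provider's general format is an assumption of this example, and `{key}` stands in for the subscription id exactly as the question redacts it.

```python
from typing import Dict


def parse_resource_id(resource_id: str) -> Dict[str, str]:
    """Split an Azure resource ID into key -> value pairs.

    Azure IDs alternate between a key segment and its value
    (subscriptions/<id>/resourceGroups/<name>/...), so the number of non-empty
    segments must be even. An odd count means some value itself contained a "/".
    """
    segments = [s for s in resource_id.strip("/").split("/") if s]
    if len(segments) % 2 != 0:
        raise ValueError(
            f"The number of path segments is not divisible by 2 in {resource_id!r}"
        )
    return {segments[i]: segments[i + 1] for i in range(0, len(segments), 2)}


def feature_resource_id(store_id: str, name: str, label: str) -> str:
    """Compose a feature flag ID in the layout seen in the question's error output
    (assumed layout: <store id>/AppConfigurationFeature/<name>/Label/<label>)."""
    return f"{store_id}/AppConfigurationFeature/{name}/Label/{label}"


# Constructed store ID matching the question's redacted example.
STORE_ID = ("/subscriptions/{key}/resourceGroups/my-config-test/providers/"
            "Microsoft.AppConfiguration/configurationStores/my-app-configuration")


def name_is_safe(name: str, label: str = "my-functions-test") -> bool:
    """True if a feature flag with this name yields an ID the pairing parser accepts."""
    try:
        parse_resource_id(feature_resource_id(STORE_ID, name, label))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("DEBUG", ".appconfig.featureflag/DEBUG"):
        rid = feature_resource_id(STORE_ID, candidate, "my-functions-test")
        count = len([s for s in rid.strip("/").split("/") if s])
        print(f"name={candidate!r}: {count} segments -> "
              f"{'parses' if name_is_safe(candidate) else 'fails (odd segment count)'}")
```

With `name = "DEBUG"` the ID has 12 segments and pairs up cleanly; with `.appconfig.featureflag/DEBUG` it has 13, so the parser cannot pair keys with values and reports exactly the error in the question.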

Hashicorp Vault: "Code: 400. Errors" Error Message

When using Vault Agent with a secret ID file, I received the following error message:
$ ./vault agent --config auth_config.hcl
==> Vault server started! Log data will stream in below:
==> Vault agent configuration:
Api Address 1: http://127.0.0.1:8300
Cgo: disabled
Log Level: info
Version: Vault v1.3.0
2020-02-04T14:08:28.352-0800 [INFO] auth.handler: starting auth handler
2020-02-04T14:08:28.352-0800 [INFO] auth.handler: authenticating
2020-02-04T14:08:28.352-0800 [INFO] sink.server: starting sink server
2020-02-04T14:08:28.352-0800 [INFO] template.server: starting template server
2020-02-04T14:08:28.352-0800 [INFO] template.server: no templates found
2020-02-04T14:08:28.352-0800 [INFO] template.server: template server stopped
2020-02-04T14:08:28.354-0800 [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/approle/login
Code: 400. Errors:
* invalid secret id" backoff=2.190384035
The command I executed was:
vault agent --config auth_config.hcl
The contents of my auth_config.hcl file is:
vault {
  address = "http://127.0.0.1:8200"
}

auto_auth {
  method "approle" {
    config {
      role_id_file_path                   = "./role_id"
      secret_id_file_path                 = "./secret_id"
      remove_secret_id_file_after_reading = false
    }
  }
}

cache {
  use_auto_auth_token = true
}

listener "tcp" {
  address     = "127.0.0.1:8300"
  tls_disable = true
}
My secret ID was generated using the following command:
vault write -f auth/approle/role/payments_service/secret-id -format=json | sed -E -n 's/.*"secret_id": "([^"]*).*/\1/p' > secret_id
Why is this error happening?
I found that the usual reason this happens is that the secret ID file wasn't generated correctly in the first place. See this GitHub thread for example. Unfortunately, in my case, the file was generated. The file secret_id referenced in auth_config.hcl contained the secret ID.
In my case, the problem was that after I generated the file secret_id, I executed the command vault write -f auth/approle/role/payments_service/secret-id a second time. This new command didn't overwrite the original file with a new secret ID. The consequence of this new command was that it spawned a new secret ID, which invalidated the previous secret ID that was written to the secret_id file.
My solution was to rerun the command that wrote the secret ID to the file secret_id and then immediately run the Vault Agent. Problem solved.
My case was because the app (kes) was trying to use http instead of https to connect to Vault, while TLS was enabled both in Vault and the app (kes). Once it was updated, the app could connect to Vault without any issue:
Error: failed to connect to Vault: Error making API request.
URL: PUT http://vault.vault:8200/v1/auth/approle/login
Code: 400. Raw Message:
Client sent an HTTP request to an HTTPS server.
Authenticating to Hashicorp Vault 'http://vault.vault:8200'

Code: 403. Errors: permission denied - while making API call to Hashicorp Vault

I'm following the Vault Configuration example from https://spring.io/guides/gs/vault-config/. I've started the server on a Windows machine:
vault server --dev --dev-root-token-id="00000000-0000-0000-0000-000000000000"
Then I set two environment variables to point the Vault CLI to the Vault endpoint and provide an authentication token:
set VAULT_TOKEN="00000000-0000-0000-0000-000000000000"
set VAULT_ADDR=http://127.0.0.1:8200
I am getting the error below:
C:\Softwares\vault_1.0.1_windows_amd64>vault write secret/gs-vault-config example.username=demouser example.password=demopassword
Error writing data to secret/gs-vault-config: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/secret/gs-vault-config
Code: 403. Errors:
* permission denied
In Windows:
Step 1: set VAULT_TOKEN and VAULT_ADDR
SET VAULT_TOKEN=00000000-0000-0000-0000-000000000000
SET VAULT_ADDR=http://127.0.0.1:8200
Step 2: put the secret key and password using kv put
vault kv put secret/gs-vault-config example.username=hello example.password=world
I was able to solve this by simply using set VAULT_TOKEN=00000000-0000-0000-0000-000000000000
There is a change in creating key-value pairs in HashiCorp Vault now. Use kv put instead of write:
>vault kv put secret/gs-vault-config example.username=demouser example.password=demopassword
Key Value
--- -----
created_time 2018-12-26T14:25:07.5400739Z
deletion_time n/a
destroyed false
version 1
>vault kv put secret/gs-vault-config/cloud example.username=clouduser example.password=cloudpassword
Key Value
--- -----
created_time 2018-12-26T14:25:53.0980305Z
deletion_time n/a
destroyed false
version 1

kubernetes Failed to create tags for load balancer security group

When I create a service in Kubernetes, I see that controller-manager will create a security group and a new rule in the minion's security group, with some warnings:
W1028 05:34:44.104402 1 aws.go:1755] Failed to create tags (too many attempts): InvalidParameterValue: Value ( '' ) for parameter Tag key is invalid. Tag key cannot be null or empty.
status code: 400, request id: []
E1028 05:34:44.104450 1 aws.go:1830] error creating load balancer security group: error tagging security group: InvalidParameterValue: Value ( '' ) for parameter Tag key is invalid. Tag key cannot be null or empty.
status code: 400, request id: []
E1028 05:34:44.104500 1 servicecontroller.go:173] Failed to process service delta. Retrying: failed to create external load balancer for service default/nginx-service: error tagging security group: InvalidParameterValue: Value ( '' ) for parameter Tag key is invalid. Tag key cannot be null or empty.
status code: 400, request id: []
Is there anything I missed when I set up my Kubernetes cluster?
Added on 12/22/2015:
I still see this problem when creating an ELB:
W1222 04:38:51.220684 1 aws.go:1571] Failed to create tags (too many attempts): InvalidParameterValue: Value ( '' ) for parameter Tag key is invalid. Tag key cannot be null or empty.
status code: 400, request id:
E1222 04:38:51.220726 1 aws.go:1647] error creating load balancer security group: error tagging security group: InvalidParameterValue: Value ( '' ) for parameter Tag key is invalid. Tag key cannot be null or empty.
status code: 400, request id:
E1222 04:38:51.220780 1 servicecontroller.go:187] Failed to process service delta. Retrying: Failed to create load balancer for service default/nginx: error tagging security group: InvalidParameterValue: Value ( '' ) for parameter Tag key is invalid. Tag key cannot be null or empty.
status code: 400, request id:
kubectl version
Client Version: version.Info{Major:"1", Minor:"1", GitVersion:"v1.1.2", GitCommit:"3085895b8a70a3d985e9320a098e74f545546171", GitTreeState:"clean"}
Server Version: version.Info{Major:"1", Minor:"1", GitVersion:"v1.1.3", GitCommit:"6a81b50c7e97bbe0ade075de55ab4fa34f049dc2", GitTreeState:"clean"}
I'm the author of the code here. Something definitely isn't right, and I can't see how you hit this case based on reading the code. What version of Kubernetes are you running (a release, or running from source)? And how did you install: did you use kube-up?
Also, when you first start the controller-manager, it should log one of these two messages: either "AWS cloud filtering on tags: ..." or "AWS cloud - no tag filtering". Which of the two does it log, and if the first, what tags is it filtering on?