vault: How to reduce the lease duration of ssh otp? - hashicorp-vault

I am using the following command to generate a one-time password:
$ vault write ssh/creds/otp_key_role ip=172.31.47.83
Key Value
--- -----
lease_id ssh/creds/otp_key_role/TqKAoY2kWLN058cRIzJab5qY
lease_duration 768h
lease_renewable false
ip 172.31.47.83
key ec90e030-f126-ae76-c989-177f33401536
key_type otp
port 22
username test-user
The lease_duration of the OTP is 768h. I want to reduce the lease_duration to 1h; how can I do it?

Related

I cannot log in to the Chainlink GUI

I am using this helm chart:
https://artifacthub.io/packages/helm/vulcanlink/chainlink
I managed to launch and connect the Chainlink node with Postgres, with these values:
config:
  # Login Info
  ROOT: /chainlink
  API_LOGIN: |
    API_EMAIL=admin@admin.com
    API_LOGIN=admin
  WALLET_PASSWORD: "9xMR9PN7CTk6Axs" # a random test password based on chainlink's demands
  # HTTP Security
  ALLOW_ORIGINS: "*"
  SECURE_COOKIES: "false"
  CHAINLINK_PORT: "6688"
  CHAINLINK_TLS_PORT: "0"
  # Database
  DATABASE_TIMEOUT: "0"
  DATABASE_URL: postgresql://chainlink:chainlink@pgdb-postgresql:5432/chainlink?sslmode=disable
  # Ethereum
  ETH_URL: wss://rinkeby.infura.io/ws/v3/somerandomnumber # ws://geth:8546
  ETH_CHAIN_ID: "4"
  LINK_CONTRACT_ADDRESS: 0x514910771af9ca656af840dff83e8264ecf986ca # this was here ...
I port-forward the k8s service and I see the Chainlink UI.
But what combination of the above should I use?
I have tried them all.
EDIT
In order to change the env vars, I ended up destroying the whole minikube env. Insane, and I have no idea why...
Now I get this in the logs:
There are no accounts, creating a new account with the specified password
There are no P2P keys; creating a new key encrypted with given password
There are no OCR keys; creating a new key encrypted with given password
2022-09-02T10:22:50Z [INFO] API exposed for user API_EMAIL=admin@admin.com cmd/local_client.go:122
2022-09-02T10:23:32Z [INFO] POST /sessions web/router.go:433 body={"email":"admin@admin.com","password":"*REDACTED*"} clientIP=127.0.0.1 errors=Error #01: Invalid email latency=4.918708ms method=POST path=/sessions servedAt=2022-09-02 10:23:32 status=401
... so I still cannot log in to the GUI. It is frustrating.
EDIT
This is what happens when the instructions are not clear...
The username was API_EMAIL=admin@admin.com and the password API_LOGIN=admin.
Now I can log in... but I'm surely going to change them...
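The last edit shows what went wrong: the node treats the first line of the API_LOGIN block as the login e-mail and the second as the password, so the literal strings "API_EMAIL=admin@admin.com" and "API_LOGIN=admin" became the credentials and /sessions answered "Invalid email". The check below is an added example (not part of the chart or of Chainlink) that validates such a block before it is deployed; the e-mail regex and the KEY=value detection are assumptions about what the node's validator rejects, and the two input blocks are constructed from the question.

```python
import re
from typing import List, Tuple

# Constructed input: the API_LOGIN block exactly as posted in the question.
API_LOGIN_AS_POSTED = "API_EMAIL=admin@admin.com\nAPI_LOGIN=admin\n"

# Constructed corrected form implied by the final edit: line 1 is the e-mail,
# line 2 is the password, no KEY= prefixes.
API_LOGIN_FIXED = "admin@admin.com\nadmin\n"

# Assumed shape checks (the node's own validator may be stricter).
KEY_PREFIX_RE = re.compile(r"^[A-Z][A-Z0-9_]*=")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def parse_api_login(block: str) -> Tuple[str, str]:
    """Split the credentials block into (email, password): the first non-empty
    line is the e-mail, the second the password; anything else is an error."""
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError(f"expected exactly 2 non-empty lines, got {len(lines)}")
    return lines[0], lines[1]


def diagnose_api_login(block: str) -> List[str]:
    """Return the problems that would make the /sessions login fail; an empty
    list means the block is usable as credentials."""
    try:
        email, password = parse_api_login(block)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if KEY_PREFIX_RE.match(email):
        problems.append(f"e-mail looks like a KEY=value line: {email!r}")
    elif not EMAIL_RE.match(email):
        problems.append(f"Invalid email: {email!r}")
    if KEY_PREFIX_RE.match(password):
        problems.append(f"password looks like a KEY=value line: {password!r}")
    return problems


if __name__ == "__main__":
    for label, block in (("as posted", API_LOGIN_AS_POSTED), ("fixed", API_LOGIN_FIXED)):
        print(label, "->", diagnose_api_login(block) or "OK")
```

Run it against the values file before `helm install`; the posted block yields two findings (both lines carry a KEY= prefix), the fixed block none.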

Azure devops Variables and Terraform

I am trying to create an Azure Key Vault with the help of Terraform, where I want to save my DB password in my Azure DevOps pipeline because obviously I cannot hardcode it in my tfvars file.
As you can see, I am creating an empty job and saving my password variable with its value in the pipeline,
but I am not able to understand why my terraform plan is waiting in the console as if it is asking the user to enter the password.
Below is a snapshot of the log:
Can you please help me with what I am missing here?
Also, when I am passing my password on the command line, I am getting the below error:
2022-05-13T05:11:00.5948619Z │ Error: building account: getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'a527faff-6956-4b8a-93ad-d9a14ab41610'.\r\nTrace ID: 81c1b1e8-1b0c-4f21-ad90-baf277d43801\r\nCorrelation ID: c77d437b-a6e8-4a74-8342-1508de00fa3a\r\nTimestamp: 2022-05-13 05:11:00Z","error_codes":[7000215],"timestamp":"2022-05-13 05:11:00Z","trace_id":"81c1b1e8-1b0c-4f21-ad90-baf277d43801","correlation_id":"c77d437b-a6e8-4a74-8342-1508de00fa3a","error_uri":"https://login.microsoftonline.com/error?code=7000215"} Endpoint https://login.microsoftonline.com/*/oauth2/token?api-version=1.0", resp:(http.Response)(0xc00143c000)}, PackageType:"azure.BearerAuthorizer", Method:"WithAuthorization", StatusCode:401, Message:"Failed to refresh the Token for request to https://graph.windows.net//servicePrincipals?%24filter=appId+eq+%27a527faff-6956-4b8a-93ad-d9a14ab41610%27&api-version=1.6", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc00143c000)}
2022-05-13T05:11:00.5952404Z │

User with assigned policy can't access secrets

I have created a kv (version 2) secrets engine, mounted on /secret:
$ vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_915b3383 per-token private secret storage
identity/ identity identity_9736df92 identity store
secret/ kv kv_8ba16621 n/a
sys/ system system_357a0e34 system endpoints used for control, policy and debugging
I have created a policy that should give admin access to everything in myproject:
$ vault policy read myproject
path "secret/myproject/*" {
  capabilities = ["create","read","update","delete","list"]
}
I have created a secret in the appropriate path (with root token):
$ vault kv put secret/myproject/entry1 pass=pass
Key Value
--- -----
created_time 2022-05-11T15:06:49.658185443Z
deletion_time n/a
destroyed false
version 1
I have created a user that has been assigned the given policy:
$ vault token lookup
Key Value
--- -----
accessor CBnMF4i2cgadYoMNAX1YHaX6
creation_time 1652281774
creation_ttl 168h
display_name userpass-myproject
entity_id ad07640c-9440-c4a1-b668-ab0b8d07fe93
expire_time 2022-05-18T15:09:34.799969629Z
explicit_max_ttl 0s
id s.FO7PrOBdvC3KB85N46E05msi
issue_time 2022-05-11T15:09:34.799982017Z
meta map[username:myproject]
num_uses 0
orphan true
path auth/userpass/login/myproject
policies [default myproject]
renewable true
ttl 167h53m36s
type service
However, when I try to access anything (list, get), I get a 403 error:
$ vault kv list secret/myproject
Error listing secret/metadata/myproject: Error making API request.
URL: GET https://example.vault/v1/secret/metadata/myproject?list=true
Code: 403. Errors:
* 1 error occurred:
* permission denied
$ vault kv get secret/myproject/entry1
Error reading secret/data/myproject/entry1: Error making API request.
URL: GET https://vault.private.gsd.sparkers.io/v1/secret/data/myproject/entry1
Code: 403. Errors:
* 1 error occurred:
* permission denied
When I change the policy to this (changing the path to secret/*), I get access to everything:
$ vault policy read myproject
path "secret/*" {
  capabilities = ["create","read","update","delete","list"]
}
$ vault kv get secret/myproject/entry1
====== Metadata ======
Key Value
--- -----
created_time 2022-05-11T15:06:49.658185443Z
deletion_time n/a
destroyed false
version 1
==== Data ====
Key Value
--- -----
pass pass
What am I doing wrong?
It turns out that you need to define your policy like this:
path "secret/metadata/myproject/*" {
  capabilities = ["list"]
}
path "secret/data/myproject/*" {
  capabilities = ["create","read","update","delete"]
}
because with the v2 engine, kv list prepends metadata/ to your path and kv get prepends data/ to your path.
No idea how I missed the documentation on this here: https://www.vaultproject.io/docs/secrets/kv/kv-v2:
Writing and reading versions are prefixed with the data/ path.
Thank you @Matt Schuchard
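The answer above is easy to verify by hand once the two steps are separated: first the KV v2 CLI rewrites the path (data/ for get and put, metadata/ for list), then the policy patterns are matched against the rewritten path. The script below is an added example (not Vault's own code) that models both steps and replays the question's broken and fixed policies. The policy precedence it uses (a non-glob rule wins, otherwise the longest matching glob) and the rule that list operations are evaluated with a trailing slash are a simplified model of Vault's ACL; everything else is the two policies from the question transcribed into dicts.

```python
import re
from typing import Dict, List, Optional, Tuple

# The two policies from the question, as dicts of path pattern -> capabilities.
BROKEN_POLICY: Dict[str, List[str]] = {
    "secret/myproject/*": ["create", "read", "update", "delete", "list"],
}
FIXED_POLICY: Dict[str, List[str]] = {
    "secret/metadata/myproject/*": ["list"],
    "secret/data/myproject/*": ["create", "read", "update", "delete"],
}

# KV v2 CLI verb -> (prefix inserted after the mount, capability Vault checks).
KV2_VERBS = {
    "get": ("data", "read"),
    "put": ("data", "create"),      # overwriting an existing key needs "update" instead
    "delete": ("data", "delete"),
    "list": ("metadata", "list"),
}


def kv2_request(mount: str, verb: str, path: str) -> Tuple[str, str]:
    """API path and capability Vault evaluates for `vault kv <verb> <mount>/<path>`."""
    prefix, cap = KV2_VERBS[verb]
    api_path = f"{mount.strip('/')}/{prefix}/{path.strip('/')}"
    # Simplified ACL model: list operations are matched with a trailing slash, so
    # "secret/metadata/myproject/*" covers `vault kv list secret/myproject`.
    if verb == "list" and not api_path.endswith("/"):
        api_path += "/"
    return api_path, cap


def _pattern_regex(pattern: str) -> str:
    """Policy path grammar: a trailing '*' is a prefix glob, '+' matches exactly
    one path segment, everything else is literal."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    regex = "/".join("[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/"))
    return regex + ".*" if glob else regex


def matching_rule(policy: Dict[str, List[str]], api_path: str) -> Optional[str]:
    """Simplified precedence: a matching non-glob rule wins, else the longest matching glob."""
    hits = [p for p in policy if re.fullmatch(_pattern_regex(p), api_path)]
    exact = [p for p in hits if not p.endswith("*")]
    if exact:
        return exact[0]
    return max(hits, key=len) if hits else None


def is_allowed(policy: Dict[str, List[str]], mount: str, verb: str, path: str) -> bool:
    """Would `vault kv <verb> <mount>/<path>` pass the ACL check under this policy?"""
    api_path, cap = kv2_request(mount, verb, path)
    rule = matching_rule(policy, api_path)
    return rule is not None and cap in policy[rule]


if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        for verb, path in (("list", "myproject"), ("get", "myproject/entry1")):
            api_path, cap = kv2_request("secret", verb, path)
            verdict = "allowed" if is_allowed(policy, "secret", verb, path) else "403 permission denied"
            print(f"{name:6} vault kv {verb:4} secret/{path:17} -> {cap:4} on {api_path:30} {verdict}")
```

The broken policy never matches because "secret/myproject/*" is a literal prefix and the evaluated paths start with "secret/metadata/" or "secret/data/"; the blanket "secret/*" policy works for the same reason it is too broad: it matches every prefix the engine can produce, including other projects' data.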

Can you tell when the secret_id will expire in Vault

I recently updated an AppRole secret_id using the following command:
vault write -tls-skip-verify auth/approle/role/my-super-role-name/secret-id secret_id_ttl=4320h
How can I know when that secret-id will expire?
Since I ran the command I know that it will expire in 4320 hours, but is there a way to check the expiration if you didn't create it?
I know you can check secret_id_ttl using:
vault read -tls-skip-verify auth/approle/role/my-super-role-name/secret-id-ttl
Key Value
--- -----
secret_id_ttl 4320h
But that only shows what it was set to initially; it doesn't serve as a countdown.
This will print info about the creation_time, expiration_time and last_updated_time of the specified secret-id:
https://www.vaultproject.io/api/auth/approle#read-approle-secret-id
You can call the lookup path API:
vault write auth/approle/role/<role-name>/secret-id/lookup secret_id=<secret-id>
Key Value
--- -----
cidr_list <value>
creation_time <value>
expiration_time <value>
last_updated_time <value>
metadata <value>
secret_id_accessor <value>
secret_id_num_uses <value>
secret_id_ttl <value>
token_bound_cidrs <value>
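The lookup response gives absolute timestamps rather than the countdown the question asks for, and Vault prints them in Go's RFC 3339 form with nanosecond precision, which Python's datetime.fromisoformat() (before 3.11) does not accept. The script below is an added example (not part of Vault or the answer above) that parses such a response and reports time remaining. The JSON envelope (a top-level "data" object, as printed by `vault write -format=json`), the timestamp format and the rule that secret_id_ttl 0 means no expiry are assumptions; the sample response is constructed to match the 4320h TTL from the question.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `vault write -format=json auth/approle/role/<role>/secret-id/lookup
# secret_id=<secret-id>` (assumed envelope and formats; field names as in the answer).
SAMPLE_LOOKUP = json.dumps({
    "data": {
        "creation_time": "2022-05-11T15:09:34.799982017Z",
        "expiration_time": "2022-11-07T15:09:34.799982017Z",
        "last_updated_time": "2022-05-11T15:09:34.799982017Z",
        "secret_id_ttl": 15552000,           # 4320h expressed in seconds
        "secret_id_num_uses": 0,
        "secret_id_accessor": "ACCESSOR-PLACEHOLDER",
    }
})

_RFC3339 = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)")


def parse_vault_time(ts: str) -> datetime:
    """Parse a Go-style RFC 3339 timestamp: optional fraction of up to 9 digits,
    'Z' or a numeric offset. Fractions are truncated to microseconds."""
    m = _RFC3339.fullmatch(ts)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {ts!r}")
    base, frac, zone = m.groups()
    micro = int((frac or "")[:6].ljust(6, "0"))
    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6])))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro, tzinfo=tz)


def secret_id_status(lookup_json: str, now: str) -> dict:
    """Turn a lookup response into a countdown relative to `now` (an RFC 3339 string,
    passed explicitly so the result is reproducible)."""
    d = json.loads(lookup_json)["data"]
    ttl = int(d.get("secret_id_ttl", 0))
    if ttl == 0:  # assumption: a TTL of 0 means the secret ID does not expire
        return {"expires": False, "expired": False, "remaining_seconds": None}
    exp = parse_vault_time(d["expiration_time"])
    created = parse_vault_time(d["creation_time"])
    remaining = int((exp - parse_vault_time(now)).total_seconds())
    return {
        "expires": True,
        "expired": remaining <= 0,
        "remaining_seconds": remaining,
        # expiration_time should equal creation_time + secret_id_ttl; flag anything else
        "consistent": abs((exp - created).total_seconds() - ttl) < 1,
    }


def humanize(seconds: int) -> str:
    """Render a positive number of seconds as days/hours/minutes."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d {hours}h {rem // 60}m"


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat(timespec="microseconds")
    status = secret_id_status(SAMPLE_LOOKUP, now)
    if status["expires"] and not status["expired"]:
        print("secret_id expires in", humanize(status["remaining_seconds"]))
    else:
        print("secret_id status:", status)
```

In practice feed it the real lookup output (`vault write -format=json ... secret-id/lookup ...`) and the current time; a `consistent: False` result means the TTL was changed after the secret ID was issued, which is exactly the situation the question describes.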

Code: 403. Errors: permission denied - while making API call to Hashicorp Vault

I'm following the Vault Configuration example from https://spring.io/guides/gs/vault-config/. I've started the server on a Windows machine:
vault server --dev --dev-root-token-id="00000000-0000-0000-0000-000000000000"
Two environment variables point the Vault CLI to the Vault endpoint and provide an authentication token:
set VAULT_TOKEN="00000000-0000-0000-0000-000000000000"
set VAULT_ADDR=http://127.0.0.1:8200
I am getting the below error:
C:\Softwares\vault_1.0.1_windows_amd64>vault write secret/gs-vault-config example.username=demouser example.password=demopassword
Error writing data to secret/gs-vault-config: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/secret/gs-vault-config
Code: 403. Errors:
* permission denied
In Windows:
Step 1: set VAULT_TOKEN & VAULT_ADDR
SET VAULT_TOKEN=00000000-0000-0000-0000-000000000000
SET VAULT_ADDR=http://127.0.0.1:8200
Step 2: put the secret key & password using kv put:
vault kv put secret/gs-vault-config example.username=hello example.password=world
I was able to solve it by simply using set VAULT_TOKEN=00000000-0000-0000-0000-000000000000 (without quotes).
There is a change in creating key-values in HashiCorp Vault now. Use kv put instead of write:
>vault kv put secret/gs-vault-config example.username=demouser example.password=demopassword
Key Value
--- -----
created_time 2018-12-26T14:25:07.5400739Z
deletion_time n/a
destroyed false
version 1
>vault kv put secret/gs-vault-config/cloud example.username=clouduser example.password=cloudpassword
Key Value
--- -----
created_time 2018-12-26T14:25:53.0980305Z
deletion_time n/a
destroyed false
version 1