Vault (HashiCorp) - curl equivalent of "vault read" - hashicorp-vault

Small question regarding Hashicorp Vault please.
I have a secret in Vault, under cubbyhole/mytestkey
If I log in to the web UI, I can see the key mytestkey and its value under cubbyhole
If I use the Vault CLI, running vault read /cubbyhole/mytestkey, I do get the result.
vault read /cubbyhole/mytestkey
Key          Value
---          -----
mytestkey    mytestvalue
However, when I use curl (the token should be correct, since I used it to connect to the Vault web UI), I get:
curl -vik -H "X-Vault-Token: token" https://remote-vault/cubbyhole/mytestkey
HTTP 404
May I ask what is the issue with my curl command? A path issue? And the correct one would be?
Thank you

Your REST API endpoint is missing the port and the version of the API. You can update it to:
curl -vik -H "X-Vault-Token: token" https://remote-vault:8200/v1/cubbyhole/mytestkey
and modify the port if running on the non-default 8200.
You can find more information in the relevant documentation.

Related

What "Everything is path based" means in HashiCorp Vault?

In Vault documentation, specifically the policies page, there is this phrase:
Everything in Vault is path based, and policies are no exception
I wonder about this phrase, does it mean that in the architecture of Vault and in its internals everything really is a path, similar to the "Everything is a file" in Linux architecture, which applies on processes, files, directories, sockets, pipes, etc?
What makes me relate to this phrase is that secret engines are defined by paths, and I assume Vault infers their types and which to be used from the given paths. Also policies are relatable as you have to define exact paths for each policy, but what about other components like auth methods, audits, tokens, etc?
I just want to get what is meant by "path based" in "Everything in Vault is path based" phrase.
In Vault, everything is path based. This means that every operation that is performed in Vault is done through a path. The path is used to determine the location of the operation, as well as the permissions that are required to execute the operation.
Whether you're using the vault binary or whether you're hitting the HTTP API endpoints, secrets/configs are written to a path.
i.e. via cli:
VAULT_ADDR=https://myvault.example.com VAULT_TOKEN=xxxxxxxx-xxxxxxx-xxxxxx vault kv get mysecrets/passwords/root
would correspond to HTTP endpoint:
curl \
-H "X-Vault-Token: xxxxxxx-xxxxxx-xxxxxxx" \
-X GET \
https://myvault.example.com/v1/mysecrets/passwords/root
Here's another example:
enabling the gcp secret engine with a custom path:
vault secrets enable -path="my-project-123" gcp
If you wanted to enable secrets engines from the HTTP API, the endpoint (path) is /sys/mounts. Details here.
writing a config:
vault write my-project-123/config credentials=@/path/to/creds.json ttl=3600 max_ttl=21600
Notice how the config is written to a path, and if you were to use the HTTP API endpoint to do this, then it would look something like this:
curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
https://myvault.example.com/v1/my-project-123/config
Where the payload.json would contain your credentials in text, ttl, max_ttl
Hence why Vault says everything is path based.
EDIT: TL;DR - path based is so that there's parity between HTTP API and CLI (or any SDKs too). Compare this to a gcloud or aws command to its HTTP API endpoint counterpart where there isn't much parity there.
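The CLI-to-HTTP correspondence described in this answer, and the missing port and /v1/ prefix pointed out in the first answer on this page, written out as an added example (not code from the original posts or from HashiCorp). The function names are hypothetical; the kv2 option goes beyond the posts by covering KV version 2 mounts, whose read endpoint inserts data/ after the mount, and it assumes the mount name is the first path segment.

```shell
#!/bin/sh
# Added example, not from the original posts. Function names are hypothetical.

# vault_api_url ADDR CLI_PATH [kv2]
#   ADDR      scheme://host:port of the server, e.g. https://remote-vault:8200
#   CLI_PATH  path as typed after "vault read" or "vault kv get"
#   kv2       pass the literal word kv2 for a KV version 2 mount, whose read
#             endpoint is <mount>/data/<key>. Assumption: the mount name is
#             the first path segment (mounts may contain slashes in practice).
vault_api_url() {
    addr=${1%/}      # tolerate a trailing slash on the address
    path=${2#/}      # the CLI accepts a leading slash; /v1/ already supplies it
    path=${path%/}
    if [ -z "$addr" ] || [ -z "$path" ]; then
        echo "usage: vault_api_url ADDR CLI_PATH [kv2]" >&2
        return 1
    fi
    if [ "${3:-}" = "kv2" ]; then
        case "$path" in
            */*) path="${path%%/*}/data/${path#*/}" ;;
            *)   echo "kv2 path must be <mount>/<key>" >&2; return 1 ;;
        esac
    fi
    printf '%s/v1/%s\n' "$addr" "$path"
}

# vault_http_read ADDR CLI_PATH [kv2]
# Takes the token from VAULT_TOKEN and passes the header to curl on stdin
# (--header @-, curl 7.55.0 or later) so it is not part of curl's argument
# list. TLS verification stays on: no -k.
vault_http_read() {
    url=$(vault_api_url "$@") || return 1
    if [ -z "${VAULT_TOKEN:-}" ]; then
        echo "VAULT_TOKEN is not set" >&2
        return 1
    fi
    printf 'X-Vault-Token: %s\n' "$VAULT_TOKEN" |
        curl --silent --show-error --fail --header @- "$url"
}
```

With VAULT_TOKEN exported, `vault_http_read https://remote-vault:8200 /cubbyhole/mytestkey` issues the same request as the corrected curl command in the first answer.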

Keycloak impersonation API not implemented

I've been trying to use the Keycloak Impersonation API (semi-recent addition) to get an access token for another user. I have created a semi-successful CURL request based on the docs and another StackOverflow question. The CURL request (below) returns a 501 Not Implemented and I am trying to figure this out. If it would be another error I would assume I am doing something incorrectly, but this appears to be at least partially correct.
curl --verbose -X POST "http://localhost:8081/auth/realms/master/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "client_id=admin-cli" \
-d "requested_subject={TARGET_USER_ID}" \
-d "subject_token={USER_MANAGER_TOKEN}"
My workflow so far has been to get the Keycloak master realm "admin" user's access token (successful) and use that in the impersonation request, along with the target user's Keycloak ID. Am I doing something wrong or missing a step?
I haven't changed any Keycloak permissions, is this required?
From my understanding and the documentation, impersonation is currently supported and enabled by default in Keycloak v5 - Server Installation. However, another article (Keycloak v5 - Token Exchange) seems to indicate that the feature is disabled by default; could this be why I am getting the 501 Not Implemented?
EDIT: @qdivision mentioned that the Token Exchange needs to be enabled for this to work. However, we are using the jboss/keycloak Docker image and I am wondering where I should add the profile.properties file to enable this feature?
Impersonation is enabled by default, Token Exchange is not.
To enable it, start the server with -Dkeycloak.profile=preview or -Dkeycloak.profile.feature.token_exchange=enabled, as mentioned in the docs:
https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

How to successfully pull data from Veracode through REST API?

I'm trying to pull data from Veracode (JSON or XML). I tried to use curl to connect to the API but I keep getting the error: "Failed to connect to analysiscenter.veracode.com port 443:Timed out".
curl --compressed -u USERNAME:PASSWORD https://analysiscenter.veracode.com/api/5.0/getapplist.do -F "include_user_info=true"
According to the Veracode documentation, to connect to the API, one needs to have the Reviewer or Security Lead role. I have both the Reviewer and Submitter roles. The curl command should return some data like this:
xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/applist https://analysiscenter.veracode.com/resource/2.0/applist.xsd" >applist_version="1.2" account_id="123">Code" policy_updated_date="2013-11-11T14:37:34-05:00"/>
create_application_profile="true" create_sandbox="true" >create_new_build="true" assign_app_to_team="true" >assign_app_to_any_team="true" view_sandbox="true" view_results="true" >approve_mitigations="true" submit_static_scan="true"/>
This looks like a network issue, based on the error that you pasted. Can you ping the URL?
CURL also needs some configuration to use SSL. See this answer for some tips:
Configuring cURL for SSL

"Missing client token" when authenticating with login/pass on Hashicorp Vault

I'm trying to get login/pass authentication working on Vault.
When I try the method given in the API documentation here: https://www.vaultproject.io/api/auth/userpass/index.html#login
I get this error:
$ curl --request POST --data @payload.json https://<myurl>:8200/v1/auth/userpass/login/<mylogin> -k
{"errors":["missing client token"]}
And I can't find information on this error. It makes me wonder what happens, because I want to authenticate with login/pass to get the token, so that's just normal to not have it.
Here is the content of the payload.json:
{
"password": "foo"
}
Is there any way to login with username/password? This is the only fallback method I have when the user does not know its token.
Thanks!
OK, so I figured it out by trials.
So the userpass AUTH was indeed disabled. I have to use LDAP auth. With the Vault-UI that is installed, I managed to find the URL to authenticate. It was the following: https://******:8200/v1/auth/<ldap>/login/<user>
And that way it's working.
Unfortunately, it does not help in the end. The idea was to synchronize Vault data locally, but the Vault API is really not built for that kind of access. It requires a LOT of requests, and ends up being very slow for a few secrets synchronized.
Make sure you are logging in under the correct namespace. You will get this error if your authentication method is enabled under something other than the default namespace that your CLI tool is using.
You can specify the namespace with the -ns=my/namespace/ parameter or the VAULT_NAMESPACE environment variable.
For example, if your namespace is "desserts/icecream"
vault login -ns=desserts/icecream/ -method=userpass username=ian
# OR
export VAULT_NAMESPACE=desserts/icecream/
vault login -method=userpass username=ian
In my case, I was not setting the Vault token in the right environment variable.
You have to set the value in VAULT_TOKEN so that it is used in subsequent requests. My env variable was Vault_Token, and due to this it was always saying missing client token.
By default, Vault checks for this environment variable to find the token.
vault kv get --field "ACCESS_KEY_ID" secret/my-secret

How to authenticate against Kubernetes clusters running on Google Container Engine using REST API?

I'm writing an application to monitor a kubernetes cluster running on Google Container Engine. On the host where my application deployed, there are no kubectl and gcloud CLI nor are they allowed to be installed. So I am trying to do everything through REST API.
For creating the cluster through REST, I can use GCE Rest API with bearer token retrieved from Google OAuth Playground. Something like:
curl -i -X GET -H "Accept: application/json" -H "Content-Type: application/json" -H "Content-Length: 0" -H "Authorization: Bearer $MyBearerToken" https://container.googleapis.com/v1/projects/$PROJECT_ID/zones/$ZONE/serverconfig
I can also find Kubernetes REST API reference here. So my question is: How do I retrieve, say pod information, from my GCE Kubernetes cluster, using REST api and REST api only?
I tried with kubectl get pods --v=8, and it's using GET https://${Kubenetes_IP}/api/v1/namespaces/default/pods. But when I curl the same API endpoint with my GCE bearer, it gives me an Unauthorized error message.
# curl --insecure -H "Authorization: Bearer $MyBearerToken" https://${Kubenetes_IP}/api/v1/namespaces/default/pods
Unauthorized
I am guessing it is because I need to use a different bearer token, or some other authentication method. I am wondering if anyone has a quick programmatic one-liner? (Without resorting to kubectl or gcloud)
Reference
This answer affirms that there is a way using bearer token, but didn't give a pointer or example
This answer also seems promising, but all the links provided are broken (and the APIs are deprecated as well)
This answer assumes kubectl and gcloud are installed, which is not allowed in my current use case.
Token can be retrieved from Google OAuth Playground
Kubernetes can be reached by the following curl command via REST API
# curl --insecure -H "Authorization: Bearer $MyBearerToken" https://${Kubenetes_IP}/api/v1/namespaces/default/pods
Kubernetes Master IP can be retrieved with kubectl get pods --v=8 and it could probably be retrieved somewhere from GCE Web GUI as well.
Full Kubernetes REST API can be found here
Make sure the token has not yet expired, and I think right now the default TTL is 1 hour.
When you authorize the OAuth2 playground to give you a token, it exchanges an Authorization Code for a Refresh Token and an Access Token.
The Access Token (from the OAuth2 playground) is valid for 1 hour.
The Refresh Token is a long-lived credential that is used to obtain new Access Tokens from the Authorization Server.
If you try to authenticate to the "Resource Owner" (in this case, Kubernetes) with an expired access token, it will respond with an HTTP 401 error.