I'm following Vault Configuration example referring from: https://spring.io/guides/gs/vault-config/. I've started server using windows machine.
vault server --dev --dev-root-token-id="00000000-0000-0000-0000-000000000000"
two environment variables to point the Vault CLI to the Vault endpoint and provide an authentication token.
set VAULT_TOKEN="00000000-0000-0000-0000-000000000000"
set VAULT_ADDR=http://127.0.0.1:8200
I am getting below error:
C:\Softwares\vault_1.0.1_windows_amd64>vault write secret/gs-vault-config example.username=demouser example.password=demopassword
Error writing data to secret/gs-vault-config: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/secret/gs-vault-config
Code: 403. Errors:
* permission denied
In windows,
Step1:
set the VAULT_TOKEN & VAULT_ADDR
SET VAULT_TOKEN=00000000-0000-0000-0000-000000000000
SET VAULT_ADDR=http://127.0.0.1:8200
Step 2: put the secret key & password using kv put
vault kv put secret/gs-vault-config example.username=hello example.password=world
I was able to solve the simply use set VAULT_TOKEN=00000000-0000-0000-0000-000000000000
There is change in creating key-value in Hashicorp Vault now. Use kv put instead of write.
>vault kv put secret/gs-vault-config example.username=demouser example.password=demopassword
Key Value
--- -----
created_time 2018-12-26T14:25:07.5400739Z
deletion_time n/a
destroyed false
version 1
>vault kv put secret/gs-vault-config/cloud example.username=clouduser example.password=cloudpassword
Key Value
--- -----
created_time 2018-12-26T14:25:53.0980305Z
deletion_time n/a
destroyed false
version 1
Related
I am using this helm chart
https://artifacthub.io/packages/helm/vulcanlink/chainlink
I managed to launch and connect Chainlink node with Postgres, with these values
config:
# Login Info
ROOT: /chainlink
API_LOGIN: |
API_EMAIL=admin#admin.com
API_LOGIN=admin
WALLET_PASSWORD: "9xMR9PN7CTk6Axs" # a random test password based on chainlink's demands
# HTTP Security
ALLOW_ORIGINS: "*"
SECURE_COOKIES: "false"
CHAINLINK_PORT: "6688"
CHAINLINK_TLS_PORT: "0"
# Database
DATABASE_TIMEOUT: "0"
DATABASE_URL: postgresql://chainlink:chainlink#pgdb-postgresql:5432/chainlink?sslmode=disable
# Ethereum
ETH_URL: wss://rinkeby.infura.io/ws/v3/somerandomnumber # ws://geth:8546
ETH_CHAIN_ID: "4"
LINK_CONTRACT_ADDRESS: 0x514910771af9ca656af840dff83e8264ecf986ca # this was here ...
I port forward the k8s service and I see the Chainlink UI.
But what combination of the above should I use?
I have tried them all.
EDIT
In order to change the env vars, I ended up destroying the whole minikube env. Insane, and I have no idea why...
Now I get this in the logs
There are no accounts, creating a new account with the specified password
There are no P2P keys; creating a new key encrypted with given password
There are no OCR keys; creating a new key encrypted with given password
2022-09-02T10:22:50Z [INFO] API exposed for user API_EMAIL=admin#admin.com cmd/local_client.go:122
2022-09-02T10:23:32Z [INFO] POST /sessions web/router.go:433 body={"email":"admin#admin.com","password":"*REDACTED*"} clientIP=127.0.0.1 errors=Error #01: Invalid email
latency=4.918708ms method=POST path=/sessions servedAt=2022-09-02 10:23:32 status=401
... so I still cannot log in in the GUI. It is frustrating
EDIT
This is what happens when the instructions are not clear...
The username was API_EMAIL=admin#admin.com and the password API_LOGIN=admin .
Now I can login...but surely gonna change them...
I am trying to create a azure key vault with the help of terraform where i want to save my DB password in my azure devops pipeline because obviously I cannot hardcode it to my tfvars file.
As u can see i m creating an empty job and saving my password variable with value in pipeline
but I am not able to understand why my terraform plan is waiting in console like it is asking user to enter the password
below is snapshot of LOG:
can u please help me that what I am missing here ??
Also , I have i m passing my password in command line : then I am getting below error :
2022-05-13T05:11:00.5948619Z [31m│[0m [0m[1m[31mError: [0m[0m[1mbuilding account: getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'a527faff-6956-4b8a-93ad-d9a14ab41610'.\r\nTrace ID: 81c1b1e8-1b0c-4f21-ad90-baf277d43801\r\nCorrelation ID: c77d437b-a6e8-4a74-8342-1508de00fa3a\r\nTimestamp: 2022-05-13 05:11:00Z","error_codes":[7000215],"timestamp":"2022-05-13 05:11:00Z","trace_id":"81c1b1e8-1b0c-4f21-ad90-baf277d43801","correlation_id":"c77d437b-a6e8-4a74-8342-1508de00fa3a","error_uri":"https://login.microsoftonline.com/error?code=7000215"} Endpoint https://login.microsoftonline.com/*/oauth2/token?api-version=1.0", resp:(http.Response)(0xc00143c000)}, PackageType:"azure.BearerAuthorizer", Method:"WithAuthorization", StatusCode:401, Message:"Failed to refresh the Token for request to https://graph.windows.net//servicePrincipals?%24filter=appId+eq+%27a527faff-6956-4b8a-93ad-d9a14ab41610%27&api-version=1.6", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc00143c000)}[0m
2022-05-13T05:11:00.5952404Z [31m│[0m [0m
I have created a kv (version 2) secrets engine, mounted on /secret:
$ vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_915b3383 per-token private secret storage
identity/ identity identity_9736df92 identity store
secret/ kv kv_8ba16621 n/a
sys/ system system_357a0e34 system endpoints used for control, policy and debugging
I have created a policy that should give admin access to everything in myproject:
$ vault policy read myproject
path "secret/myproject/*" {
capabilities = ["create","read","update","delete","list"]
}
I have created a secret in the appropriate path (with root token):
$ vault kv put secret/myproject/entry1 pass=pass
Key Value
--- -----
created_time 2022-05-11T15:06:49.658185443Z
deletion_time n/a
destroyed false
version 1
I have created a user that has been assigned the given policy:
$ vault token lookup
Key Value
--- -----
accessor CBnMF4i2cgadYoMNAX1YHaX6
creation_time 1652281774
creation_ttl 168h
display_name userpass-myproject
entity_id ad07640c-9440-c4a1-b668-ab0b8d07fe93
expire_time 2022-05-18T15:09:34.799969629Z
explicit_max_ttl 0s
id s.FO7PrOBdvC3KB85N46E05msi
issue_time 2022-05-11T15:09:34.799982017Z
meta map[username:myproject]
num_uses 0
orphan true
path auth/userpass/login/myproject
policies [default myproject]
renewable true
ttl 167h53m36s
type service
However when I try to access anything (list,get), I get a 403 error:
$ vault kv list secret/myproject
Error listing secret/metadata/myproject: Error making API request.
URL: GET https://example.vault/v1/secret/metadata/myproject?list=true
Code: 403. Errors:
* 1 error occurred:
* permission denied
$ vault kv get secret/myproject/entry1
Error reading secret/data/myproject/entry1: Error making API request.
URL: GET https://vault.private.gsd.sparkers.io/v1/secret/data/myproject/entry1
Code: 403. Errors:
* 1 error occurred:
* permission denied
When I change the policy to this (change path to secret/*), I get access to everything:
$ vault policy read myproject
path "secret/*" {
capabilities = ["create","read","update","delete","list"]
}
$ vault kv get secret/myproject/entry1
====== Metadata ======
Key Value
--- -----
created_time 2022-05-11T15:06:49.658185443Z
deletion_time n/a
destroyed false
version 1
==== Data ====
Key Value
--- -----
pass pass
What am I doing wrong?
It turns out that you need to define your policy like this:
path "secret/metadata/myproject/*" {
capabilities = ["list"]
}
path "secret/data/myproject/*" {
capabilities = ["create","read","update","delete"]
}
because with engine v2 kv list prepends metadata to your path, and kv get prepends data to your path.
No idea how I missed the documentation on this here: https://www.vaultproject.io/docs/secrets/kv/kv-v2:
Writing and reading versions are prefixed with the data/ path.
Thank you #Matt Schuchard
When using Vault Agent with a secret ID file, I received the following error message:
$ ./vault agent --config auth_config.hcl
==> Vault server started! Log data will stream in below:
==> Vault agent configuration:
Api Address 1: http://127.0.0.1:8300
Cgo: disabled
Log Level: info
Version: Vault v1.3.0
2020-02-04T14:08:28.352-0800 [INFO] auth.handler: starting auth handler
2020-02-04T14:08:28.352-0800 [INFO] auth.handler: authenticating
2020-02-04T14:08:28.352-0800 [INFO] sink.server: starting sink server
2020-02-04T14:08:28.352-0800 [INFO] template.server: starting template server
2020-02-04T14:08:28.352-0800 [INFO] template.server: no templates found
2020-02-04T14:08:28.352-0800 [INFO] template.server: template server stopped
2020-02-04T14:08:28.354-0800 [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/approle/login
Code: 400. Errors:
* invalid secret id" backoff=2.190384035
The command I executed was:
vault agent --config auth_config.hcl
The contents of my auth_config.hcl file is:
vault {
address = "http://127.0.0.1:8200"
}
auto_auth {
method "approle" {
config {
role_id_file_path = "./role_id"
secret_id_file_path = "./secret_id"
remove_secret_id_file_after_reading = false
}
}
}
cache {
use_auto_auth_token = true
}
listener "tcp" {
address = "127.0.0.1:8300"
tls_disable = true
}
My secret ID was generated using the following command:
vault write -f auth/approle/role/payments_service/secret-id -format=json | sed -E -n 's/.*"secret_id": "([^"]*).*/\1/p' > secret_id
Why is this error happening?
I found that the usual reason that this happens because the secret ID file wasn't generated correctly in the first place. See this Github thread for example. Unfortunately, in my case, the file was generated. The file secret_id referenced in auth_config.hcl contained the secret ID.
In my case, the problem was that after I generated the file, secret_id, I executed the command vault write -f auth/approle/role/payments_service/secret-id a second time. This new command didn't write over the original file with a new secret ID. The consequence of this new command was that it respawned a new secret ID which invalidated the previous secret ID which was written to the secret_id file.
My solution was to rerun the command that wrote the secret ID to the file, secret_id, and then immediately run the Vault Agent. Problem solved.
My case was because the app (kes) was trying to use http, instead of https, to connect to vault, while the tls was enabled both in vault and the app (kes). Once it was updated, the app could connect to vault without any issue
Error: failed to connect to Vault: Error making API request.
URL: PUT http://vault.vault:8200/v1/auth/approle/login
Code: 400. Raw Message:
Client sent an HTTP request to an HTTPS server.
Authenticating to Hashicorp Vault 'http://vault.vault:8200'
Can someone let me know how to create a global session variable and that session variable should be used across keywords/testcases . I have tried the following way and getting error as ${itoc_session} not found.
*** Settings ***
Library RequestsLibrary
Library Collections
*** Keywords ***
Create session for server
#{auth}= Create List admin admin123
Create Session httpbin https://host141.swlab.net:71/ auth=#{auth}
Set Global Variable ${itoc_session} httpbin
Get Policy for Server
${resp}= Get Request ${itoc_session} uri=/policies/
Log ${resp.status_code}
:FOR ${item} in #{resp.json()}
\ Log ${item}
\ ${get_policy_id}= Get Variable Value ${item['id']}
\ ${get_policy_name}= Get Variable Value ${item['name']}
\ Log ${get_policy_id},${get_policy_name}
Set Global Variable ${policy_id} ${get_policy_id}
Get Policy with policyID
${res}= Get Request ${itoc_session} uri = /policies/${policy_id}
Log ${res}
Log ${res.json()['name']} , ${res.json()['extReference']}
*** Test case ***
get_policy_id
Get Policy for Server
get_policy_details
Get Policy with policyID
You never call Create session for server, so the variable never gets set.