our vault storage keep cluttering up with massive amount of expired certificates.
there is an option to revoke a certificate using api or a lease id, but they are still available and can be queried.
following will only revoke a certificate,
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data #payload.json \
http://127.0.0.1:8200/v1/pki/revoke
is there a way to permanently remove expired certificates?
there is an endpoint for it,
tidy
This endpoint allows tidying up the storage backend and/or CRL by removing certificates that have expired
and are past a certain buffer period beyond their expiration time.
So to remove all expired certificates make a POST request to https://<vault-api-url>:<api-port>/v1/<pki-role>/tidy with "tidy_cert_store": true as payload,
using cURL,
curl -X POST \
https://<vault-api-url>:<api-port>/v1/<pki-role>/tidy \
-H 'content-type: application/json' \
-H 'x-vault-token: c32165c4-212f-2dc2e-cd9f-acf63bdce91c' \
-d '{
"tidy_cert_store": true
}'
The syntax Sufiyan provided appears incorrect (or for an old version). In Vault >1.2 (and maybe earlier) it should be:
curl -X POST \
-H "X-Vault-Token: $VAULT_TOKEN" \
-d '{"tidy_cert_store":true}' \
$VAULT_ADDR/v1/$pki_engine/tidy
Which should result in the tidy process to begin, and return this response:
{
"request_id": "",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": [
"Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs."
],
"auth": null
}
Latest docs on Tidy are https://www.vaultproject.io/api/secret/pki/index.html#tidy
Related
I want to let my client application access user information from keycloak. Therefore, I created another realm (myrealm1) in keycloak and within that realm I created a new client (myclient1).
keycloak configuration:
Client configuration
Actually, I tried a lot of other combinations without success.
In the client scopes tab, I added the admin client scope
In the service account roles tab, I added the admin role
Client scope configuration
For the admin client scope, I assigned the admin role in the scope tab.
Realm role configuration
For the admin realm role, I assigned the admin role in the associated role tab.
REST API Calls
These are the REST API calls I am using
curl --location --request POST 'http://localhost:8080/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=myclient1' \
--data-urlencode 'client_secret=PehR9f95woZmEEHcKfSgPaosu1Yt6P9s' \
--data-urlencode 'grant_type=client_credentials'
Returns
{
"access_token": "eyJhbGciOiJS...",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "email profile admin"
}
So far so good, I do get a token.
curl --location --request GET 'http://localhost:8080/admin/realms/myrealm/users' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJS...'
Returns
HTTP 403
{
"error": "unknown_error"
}
This is not as expected. The expected result would be the user information.
Btw, I do get it working for the admin user of the master realm
curl --location --request POST 'http://localhost:8080/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=password' \
--data-urlencode 'grant_type=password'
But this is not what I want. I would like to get it working for my custom client.
Setup
I am using keycloak 19.0.3
My question
What is missing to get it working? I. e. How do I enable my client to make use of the keycloak REST APIs such as /admin/realms/myrealm/users
You need to go to:
your realm;
your Client;
then go to service account;
Click on Assign Role;
Select Filter by clients;
and search for 'realm-management'
Select and assign the desired roles.
I'm working on a project where I need to access a Gcloud service account. However, I've been encountering issues with authentication. This is the following error from my command prompt:
My command:
curl -s -H "Content-Type: application/json" \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
https://speech.googleapis.com/v1/speech:recognize \
-d #sync-request.json
Output:
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
At the current moment, I have done the following: I set my environment variable, "GOOGLE_APPLICATION_CREDENTIALS", to hold the path to my service account's JSON key file, I opened my cmd in the directory where the key file is located, I ran the command. Is there anything else I'm missing?
The documentation I am following is from https://cloud.google.com/docs/authentication/production#windows
Couple of things.
gcloud does not use ADC; setting GOOGLE_APPLICATION_CREDENTIALS does not configure gcloud.
You should (have not tried) be able to use gcloud auth activate-service-account ... and then gcloud auth print-access-token.
Or you can just use a regular (human|non-service) account and gcloud auth print-access-token.
Or, you can use gcloud auth application-default login and then gcloud auth application-default print-access-token but the two go together.
Don't quote the token in header:
TOKEN="$(gcloud auth print-access-token)" # Either
TOKEN="$(gcloud auth application-default print-access-token)" # Or
curl \
--silent \
--header "Content-Type: application/json" \
--header "Authorization: Bearer ${TOKEN}" \
--data #sync-request.json \
https://speech.googleapis.com/v1/speech:recognize
While trying to use encryption/decryption feature of spring cloud config server with Pivotal Cloud Foundry's p-config-server service which is configured with a symmetric key for encryption, I am getting a 403 forbidden response which calling /decrypt on config server .
I am able to call the /encrypt endpoint successfully for encrypting values using below sample curl -
curl --location --request POST 'https://config-xxxx.apps.xxx.com/encrypt' \
--header 'Authorization: bearer <cf oauth_token here>' \
--header 'Content-Type: text/plain' \
--data-raw 'sample data'
But when trying to decrypt those values using /decrypt, I am getting 403 Forbidden error -
{
"error": "access_denied",
"error_description": "invalid issuer"
}
Sample curl for decryption -
curl --location --request POST 'https://config-xxxx.apps.xxx.com/decrypt' \
--header 'Authorization: bearer <cf oauth_token here>' \
--header 'Content-Type: text/plain' \
--data-raw '<encrypted value from previous step>'
In pivotal's config server documentation though there are reference to /encrypt but nothing related to /decrypt pivotal config server
Any pointers ?
In the Pivotal/Tanzu Spring Cloud Services (commercial product), the /encrypt API is exposed to anyone with the admin scope or to anyone that is a Space Developer in the space of the service.
The /decrypt endpoint is not exposed specifically, so you're not allowed to access with the same credentials, hence why you're seeing a 403.
My quick read of the code is that you'd need a token with scope config_server_<guide>.read to access that endpoint. Where <guid> is the config server's service guide (run cf service --guid <name> to obtain the guide).
To make that work, you'd need to get a token from the bound service or a service key, the latter is easier:
Run cf create-service-key <service_instance> decrypt-key
Run cf service-key <service_instance> decrypt-key
Run export TOKEN=$(curl -vv <access_token_uri> -d 'grant_type=client_credentials' -d 'client_id=<client_id>' -d 'client_secret=<client_secret>' | jq -r .access_token) where the values in <...> are from the output of #2.
Run curl -vv '<uri>/decrypt' -H "Authorization: bearer $TOKEN" -H 'Content-type: text/plain' -d '<encrypted-value>'
These depend on a Bash shell. You can do them on Windows, but the commands will vary. It also uses jq to make extracting the token easier. You could split the command in step #3 into two steps, fetching with curl and manually exporting TOKEN.
I have a bitbucket cloud account. Under: https://id.atlassian.com/manage/api-tokens I have generated an API Token which I am trying to use in a REST call to upload
a public SSH key to my account. Based on:
https://docs.atlassian.com/bitbucket-server/rest/5.6.2/bitbucket-ssh-rest.html?utm_source=%2Fstatic%2Frest%2Fbitbucket-server%2F5.6.2%2Fbitbucket-ssh-rest.html&utm_medium=301#idm45427244388592
https://community.atlassian.com/t5/Answers-Developer-Questions/Bitbucket-REST-API-POST-using-token-instead-of-basic-auth/qaq-p/474823
I have tried:
curl -X POST -d '{"text":"ssh-rsa AAAAB3... me#127.0.0.1"}' -H "Authorization: Bearer ADasdaEeasAsd..." https://bitbucket.org/[my-account]]/rest/ssh/latest/keys
But when I run that I get:
{"type": "error", "error": {"message": "Access token expired. Use your refresh token to obtain a new access token."}}
I have tried to re-create the token and re-run the above command again - with the new token - but I get the same error.
Any suggestions?
Based on below answer and link I have now tried:
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer wxdrtblabla..." \
-d '{"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqP3Cr632C2dNhhgKVcon4ldUSAeKiku2yP9O9/bDtY myuser#bitbucket.org/myuser"}' \
https://api.bitbucket.org/2.0/users/myuser/ssh-keys
But I get the exact same error:
{"type": "error", "error": {"message": "Access token expired. Use your refresh token to obtain a new access token."}}
So still no luck. Also if I access:
https://api.bitbucket.org/2.0/users/[myuser]/ssh-keys
directly in a browser I get:
type "error"
error
message "This API is only accessible with the following authentication types: session, password, apppassword"
EDIT/ANSWERED: Based on the updated answer below I have no tried to create an app password and grant it account: read/write in bitbucket and it works. I run it with:
curl -v -u myuser:my-generated-app-password -X POST \
-H "Content-Type: application/json" \
-d '{"key": "ssh-rsa AAA....ro"}' \
https://api.bitbucket.org/2.0/users/myuser/ssh-keys
You're looking at Bitbucket Server documentation but using Bitbucket Cloud. (The giveaways: the "bitbucket-server" part of the doc path, and the "bitbucket.org" in the path where you're pushing your key.)
Check out https://developer.atlassian.com/bitbucket/api/2/reference/resource/users/%7Busername%7D/ssh-keys#post instead - that's the Bitbucket Cloud documentation to do what you're trying to do. Your URL will be more like https://api.bitbucket.org/2.0/users/[your-account]/ssh-keys.
EDIT: The error you received indicates the problem: you either need to make that call from within an existing session (i.e. from the GUI), use your password, or use an app password. I'd recommend the app password, since it's scoped, meant to be disposable, and won't let you log onto the GUI. Your curl call then becomes something like curl -u myuser:myapppassword -X POST -H "Content-Type: application/json" -d '{"key": "key content goes here"}' https://api.bitbucket.org/2.0/users/myuser/ssh-keys.
There appears to be an endpoint on the Wunderlist API for updating the wunderlist user (at https://a.wunderlist.com/api/v1/user) which does not appear in the official docs
User information can be updated by sending a PUT request to it, e.g. :
curl \
-H "X-Access-Token: $WL_ACCESS_TOKEN" \
-H "X-Client-ID: $WL_CLIENT_ID" \
-H "Content-Type: application/json" \
-XPUT -d '{"revision":1234,"name":"some-name"}' \
https://a.wunderlist.com/api/v1/user
Assuming the data is valid, this returns with HTTP 200.
Is this endpoint supported?