Vault: Get key value secrets - hashicorp-vault

I've created this secret backend:
$ vault secrets enable -path=openshift kv
$ vault write openshift/postgresql username=tdevhub
$ vault write openshift/postgresql password=password
I can't quite figure out how to read the username and password values.
I've tried with:
$ vault read openshift/postgresql/password
or
$ vault kv get openshift/post...
On the other hand, when I run this command:
$ vault kv get openshift/postgresql
====== Data ======
Key Value
--- -----
username tdevhub
I'd like to store username and password in a secret backend. I've realized that a kv secret backend is only able to store one key... is that right?
How could I get my goal?

You can read secrets using
vault kv get -field=password openshift/postgresql
or
vault kv get -field=username openshift/postgresql

You can store multiple values with a command like this: vault write openshift/postgresql username=tdevhub password=password. When you read that location, both the username and password values will be returned.
Unfortunately, you can't append data to the same location, so when you execute the write again on that path the previous values will be overwritten. If you want to append data later, you have two choices:
Read your data each time you need to add a value, and append it manually
Use the KV Version 2 of Vault Key/Value secret engine

You can use the flags -format json and -field=data to get all the data under a given key properly formatted in JSON. This also filters out the extra details.
vault kv get -format json -field=data openshift/postgresql
The output you would get is:
{
"username": "tdevhub",
"password": "password"
}
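As an added example (not part of the answer above), here is a small Python helper that turns `vault kv get -format=json` output into a plain dictionary. It handles the KV version 1 shape shown above and also the KV version 2 shape, where the same keys sit under data.data beside a metadata block, which is why `-field=data` on a v2 mount prints both data and metadata rather than the flat map. The sample JSON documents are constructed to match what the CLI prints; the request IDs and timestamps are placeholders, and `vault_kv_get` only works where the `vault` binary, VAULT_ADDR and VAULT_TOKEN are available.

```python
"""Extract a KV secret's key/value pairs from `vault kv get -format=json` output."""
import json
import subprocess

# Constructed sample: full JSON for a KV version 1 mount (the question's case).
KV1_JSON = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "lease_id": "",
    "renewable": False,
    "lease_duration": 2764800,
    "data": {"username": "tdevhub", "password": "password"},
    "warnings": None,
})

# Constructed sample: the same secret on a KV version 2 mount. The user's keys
# live one level deeper, under data.data, next to a metadata block.
KV2_JSON = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "data": {"username": "tdevhub", "password": "password"},
        "metadata": {"created_time": "2020-01-01T00:00:00Z", "deletion_time": "",
                     "destroyed": False, "version": 2},
    },
})

# Constructed sample: what `-field=data` prints on a v2 mount (not a flat map).
KV2_FIELD_DATA_JSON = json.dumps(json.loads(KV2_JSON)["data"])

# Constructed sample: a v2 version after `vault kv delete` (soft delete): data is null.
KV2_DELETED_JSON = json.dumps({
    "data": {
        "data": None,
        "metadata": {"created_time": "2020-01-01T00:00:00Z",
                     "deletion_time": "2020-01-02T00:00:00Z",
                     "destroyed": False, "version": 2},
    },
})


def _unwrap_v2(block):
    """block is {"data": {...} or None, "metadata": {...}}."""
    if block["data"] is None:
        # A soft-deleted version still returns metadata but no data.
        raise ValueError("secret version %s was deleted at %s" % (
            block["metadata"].get("version"), block["metadata"].get("deletion_time")))
    return dict(block["data"])


def secret_data(raw):
    """Return the flat {key: value} map regardless of KV version and of whether
    `raw` is the full response or just the `-field=data` portion."""
    doc = json.loads(raw) if isinstance(raw, str) else raw
    if "metadata" in doc and "data" in doc:
        return _unwrap_v2(doc)           # v2 `-field=data` output
    data = doc.get("data")
    if isinstance(data, dict) and "metadata" in data and "data" in data:
        return _unwrap_v2(data)          # full v2 response
    if isinstance(data, dict):
        return dict(data)                # full v1 response
    return dict(doc)                     # already a flat map (v1 `-field=data`)


def field(raw, name):
    """Equivalent of `vault kv get -field=<name>`: one value, or a clear error."""
    data = secret_data(raw)
    if name not in data:
        raise KeyError("field %r not present; available: %s" % (name, sorted(data)))
    return data[name]


def vault_kv_get(path):
    """Run the real CLI (needs `vault` on PATH plus VAULT_ADDR and VAULT_TOKEN)."""
    out = subprocess.run(["vault", "kv", "get", "-format=json", path],
                         check=True, capture_output=True, text=True).stdout
    return secret_data(out)


if __name__ == "__main__":
    print(field(KV1_JSON, "password"))
    print(secret_data(KV2_JSON))
```

The deleted-version case is the one that bites scripts: on KV v2 a `vault kv get` after `vault kv delete` still exits 0 and prints metadata, so a parser that blindly indexes `data.data` gets `None` and fails later with a less obvious error.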

Related

Cannot store file content in hashicorp vault using Vault kv put

I am trying to add file content to Vault using vault kv put, but I am unable to add the data.
vault kv put -format=json -address ${VAULT_ADDR} key=@abc.json
Here the error says "Must supply data".
I also tried various other options like:
vault kv put -format=json -address ${VAULT_ADDR} key @abc.json
Here key is being added into the vault address URL, e.g. vault-address/key
and
vault kv put -format=json -address ${VAULT_ADDR} @abc.json
Here the error says "Must supply data".
My JSON file is a sample test file and has the following content:
{
"key": "value",
"foo": "bar",
"bar": "baz"
}
Can someone please help me solve this issue?
You can create the secret directly without -format=json. The command below worked for me.
vault kv put app/dev/test @test.json

InfluxDB2 on Kubernetes not using existing admin password/token secret

I'm installing InfluxDB2 on a Kubernetes cluster (AWS EKS) and in the helm chart I specify an existing secret name "influxdb-auth" for admin user credentials. When I try to login to the web admin interface, it does not accept the password or token from that secret. If I don't specify an existing secret, it automatically creates a secret "influxdb2-auth" and I can retrieve and use the password successfully, but it will not use the existing secret. Also when I specify the existing secret "influxdb-auth" it does not create a secret "influxdb2-auth" so I can't retrieve the password it has generated. I have tried naming the existing secret "influxdb2-auth" but that also did not work. Any ideas on what the problem might be?
Section from values.yaml:
## Create default user through docker entrypoint
## Defaults indicated below
##
adminUser:
  organization: "test"
  bucket: "default"
  user: "admin"
  retention_policy: "0s"
  ## Leave empty to generate a random password and token.
  ## Or fill any of these values to use fixed values.
  password: ""
  token: ""
  ## The password and token are obtained from an existing secret. The expected
  ## keys are `admin-password` and `admin-token`.
  ## If set, the password and token values above are ignored.
  existingSecret: influxdb-auth
To anyone coming here from the future: make sure you run
echo $(kubectl get secret influxdb-influxdb2-auth -o "jsonpath={.data['admin-password']}" --namespace monitoring | base64 --decode)
after the first installation. The first time influxdb2 starts it will run its setup task; subsequent helm install/upgrade runs seem to save a new password in the secret which isn't on the file system.
I had to delete the content of the PVC for influxdb and rerun the installation.

How to retrieve secret data from vault API using AppRole?

My HashiCorp Vault instance is running properly on CentOS 7. I enabled AppRole authentication, created a policy and a role, enabled a secret engine and created a secret for a client application.
I can retrieve the secret data using root CLI but I can't figure out how to get secret data from HTTP API with my application role using curl. I tried a few endpoint combinations without success. Retrieving the client token works, but I can't get secret data itself.
I wonder if the API endpoint is correct or if there is another setting in play.
Authentication method
vault auth enable approle
Policy
# File: my_app /etc/vault/my_app.hcl
path "kv/data/foo/*" {
capabilities = ["read", "list"]
}
# Command line
vault policy write my_app /etc/vault/my_app.hcl
Role
vault write auth/approle/role/my_app policies="my_app"
Secret creation
vault kv put kv/data/foo/user@domain.tld password=1234
API call token request
curl --request POST --data '{"role_id": "xxxxxxxxxxxxxxxxx", "secret_id": "xxxxxxxxxxxxxxxxxxxx"}' http://127.0.0.1:8200/v1/auth/approle/login | jq
Result: Token is properly retrieved
API call for secret data request
export VAULT_CLIENT_TOKEN=XXXXXXX
curl --header "X-Vault-Token: $VAULT_CLIENT_TOKEN" --request GET "http://127.0.0.1:8200/v1/kv/data/foo/user@domain.tld"
Result : No secret data retrieved
Output:
{"errors":[]}
CLI call for secret data
vault kv get -field=password kv/data/foo/user@domain.tld
Output:
1234
Global settings
vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_xxxxxxxx per-token private secret storage
identity/ identity identity_xxxxxxxx identity store
kv/ kv kv_xxxxxxxx n/a
sys/ system system_xxxxxxxx system endpoints used for control, policy and debugging

Hashicorp Vault cli return 403 when trying to use kv

I set up vault backed by a consul cluster. I secured it with https and am trying to use the cli on a separate machine to get and set secrets in the kv engine. I am using version 1.0.2 of both the CLI and Vault server.
I have logged in with the root token so I should have access to everything. I have also set my VAULT_ADDR appropriately.
Here is my request:
vault kv put secret/my-secret my-value=yea
Here is the response:
Error making API request.
URL: GET https://{my-vault-address}/v1/sys/internal/ui/mounts/secret/my-secret
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "secret/my-secret/"
I don't understand what is happening here. I am able to set and read secrets in the kv engine no problem from the vault ui. What am I missing?
This was a result of me not reading the documentation.
The request was failing because there was no secret engine mounted at that path.
You can check your secret engine paths by running vault secrets list -detailed
This showed that my kv secret engine was mounted at path kv, not secret as I was trying.
Therefore running vault kv put kv/my-secret my-value=yea worked as expected.
You can enable a secret engine at a specific path:
vault secrets enable -path=kv kv
https://www.vaultproject.io/intro/getting-started/secrets-engines
You need to change secret/my-secret to whichever path you mounted when you enabled the kv secret engine.
For example, if you enabled the secret engine like this:
vault secrets enable -version=2 kv-v2
you should use kv-v2 instead of secret:
vault kv put kv-v2/my-secret my-value=yea
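The two threads above (the AppRole question that gets {"errors":[]} from curl, and the 403 from the CLI's preflight mount check) are the same problem seen from two sides: the caller has to know which mount a path belongs to and whether it is KV v1 or v2 before it can build the right API path. As an added example (not code from either post), here is a stdlib-only Python client that does what the CLI does: log in with AppRole, look up the mount with the same GET sys/internal/ui/mounts/<path> call that returned 403 above, build the v1 or v2 read path, and read the secret. The environment variable names ROLE_ID, SECRET_ID and SECRET_PATH are this example's own choice, and the mount-lookup response shape is the one Vault's CLI relies on (type, path and options.version under data). One caveat the code makes visible: the `vault kv` subcommands insert the `data/` segment themselves, so `vault kv put kv/data/foo/...` on a v2 mount writes to kv/data/data/foo/..., which a curl to kv/data/foo/... would then miss with exactly {"errors":[]}; `vault kv list kv/` shows a `data/` entry when that has happened.

```python
"""AppRole login, mount lookup and KV read over Vault's HTTP API (stdlib only)."""
import json
import os
import urllib.error
import urllib.request


def login_request(addr, role_id, secret_id):
    """URL and JSON body for POST auth/approle/login (same call as the question's curl)."""
    url = addr.rstrip("/") + "/v1/auth/approle/login"
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return url, body


def mount_for(addr, secret_path):
    """URL of the preflight lookup the CLI makes before `vault kv put/get`.

    This is the GET sys/internal/ui/mounts/<path> request that returned 403 in the
    question above; its answer says which mount owns the path and whether it is v1 or v2."""
    return addr.rstrip("/") + "/v1/sys/internal/ui/mounts/" + secret_path.strip("/")


def kv_read_path(mount_info, secret_path):
    """Build the API path for a read from the mount lookup result.

    v1 reads go to <mount>/<rest>, v2 reads to <mount>/data/<rest>. The data/
    segment is inserted here exactly once, the same way the CLI does it, so a
    secret_path that already contains data/ ends up at kv/data/data/..."""
    if mount_info["type"] != "kv":
        raise ValueError("mount %s is %s, not kv" % (mount_info["path"], mount_info["type"]))
    mount = mount_info["path"].rstrip("/")            # e.g. "kv"
    rest = secret_path.strip("/")
    if rest == mount:
        rest = ""
    elif rest.startswith(mount + "/"):
        rest = rest[len(mount) + 1:]
    version = str((mount_info.get("options") or {}).get("version", "1"))
    prefix = mount + ("/data/" if version == "2" else "/")
    return prefix + rest, version


def secret_from_response(body, version):
    """Unwrap a read response: v1 keeps the keys under data, v2 under data.data."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    block = doc["data"]
    return block["data"] if version == "2" else block


def explain_error(status, body):
    """Turn Vault's terse error bodies into the question a practitioner should ask."""
    try:
        errors = json.loads(body).get("errors", []) if body else []
    except ValueError:
        errors = [body]
    if status == 404 and not errors:
        # {"errors":[]} with 404 is Vault's "nothing at this path": wrong mount,
        # wrong KV version, or (on v2) a missing or doubled data/ segment.
        return "not found: no secret at that path (check mount, KV version and path)"
    if status == 403:
        return "permission denied: " + "; ".join(errors)
    return "HTTP %d: %s" % (status, "; ".join(errors))


def http(method, url, token=None, data=None):
    """Minimal urllib wrapper returning (status, body_text)."""
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def read_secret(addr, token, secret_path):
    """Look up the mount, build the right path for its KV version, read the secret."""
    status, body = http("GET", mount_for(addr, secret_path), token)
    if status != 200:
        raise RuntimeError("mount lookup failed: " + explain_error(status, body))
    api_path, version = kv_read_path(json.loads(body)["data"], secret_path)
    status, body = http("GET", addr.rstrip("/") + "/v1/" + api_path, token)
    if status != 200:
        raise RuntimeError(explain_error(status, body))
    return secret_from_response(body, version)


if __name__ == "__main__":
    addr = os.environ["VAULT_ADDR"]
    url, body = login_request(addr, os.environ["ROLE_ID"], os.environ["SECRET_ID"])
    status, text = http("POST", url, data=body)
    if status != 200:
        raise SystemExit(explain_error(status, text))
    token = json.loads(text)["auth"]["client_token"]
    print(read_secret(addr, token, os.environ.get("SECRET_PATH", "kv/foo/user@domain.tld")))
```

Note that the policy in the AppRole question grants read on kv/data/foo/*, which is the v2 API path; a token whose policy only names the API path is fine for reads, but the mount lookup in read_secret is a separate call on sys/internal/ui/mounts/, and Vault allows it for any path the token can otherwise reach, which is why a token with no capability at all on the path gets the 403 shown in the second thread.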

Vault: how to get list of kv secrets

Why am I getting an empty result when I just wrote a secret to a backend?
vault kv write secret/example password=pwd
Success! Data written to: secret/example
However, when I'm trying to get some data from my backend:
vault kv list secret/example
No value found at secret/spring-example/
You don't use list for a single key, you use get.
vault kv list secret/
should list your example key, and
vault kv get secret/example
should display the value of password