Why am I getting an empty result when I just wrote a secret to a backend:
vault kv write secret/example password=pwd
Success! Data written to: secret/example
However, when I'm trying to get some data from my backend:
vault kv list secret/example
No value found at secret/spring-example/
You don't use list for a single key, you use get.
vault kv list secret/
should list your example key, and
vault kv get secret/example
should display the value of password
I am trying to add file content in vault using vault kv put but I am unable to add data in vault
vault kv put -format=json -address ${VAULT_ADDR} key=@abc.json
Here the error says "Must supply data"
I also tried various other options like -
vault kv put -format=json -address ${VAULT_ADDR} key @abc.json
Here key is being added into the vault address URL, e.g. vault-address/key
&
vault kv put -format=json -address ${VAULT_ADDR} @abc.json
Here error says "Must supply data"
My Json file is sample test file and has following content in it
{
"key": "value",
"foo": "bar",
"bar": "baz"
}
Can someone please help me solve this issue?
You can directly create secret without -format=json. The below command worked for me.
vault kv put app/dev/test @test.json
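The three attempts above differ only in how the data arguments are spelled, so it helps to see how `vault kv put PATH [DATA ...]` reads them: the first positional argument is always the path, `key=value` is a literal, `key=@file` reads the file's contents as the value of that one key, and a bare `@file.json` uses the JSON object in the file as the whole map. The following is an added re-implementation of that argument handling for illustration, not the Vault CLI's own code; the temporary `abc.json` it writes is constructed to match the question's sample file.

```python
import json
import os
import tempfile


def parse_kv_put_args(data_args):
    """Interpret the DATA arguments of `vault kv put PATH [DATA ...]`.

    Supported forms (added re-implementation, not the Vault CLI's code):
      key=value     literal string value
      key=@file     the raw contents of `file` become the value of `key`
      @file.json    the JSON object in `file.json` supplies the whole map

    Returns the dict that would be sent to PATH. PATH itself is a separate
    positional argument that must come first; when nothing is left after it
    the CLI reports "Must supply data".
    """
    data = {}
    for arg in data_args:
        if arg.startswith("@"):
            # Whole-file form: the file must contain a JSON object.
            with open(arg[1:], "r", encoding="utf-8") as fh:
                loaded = json.load(fh)
            if not isinstance(loaded, dict):
                raise ValueError(f"{arg[1:]}: top-level JSON value must be an object")
            data.update(loaded)
            continue
        if "=" not in arg:
            raise ValueError(f"{arg!r}: expected key=value, key=@file or @file")
        key, value = arg.split("=", 1)  # only the first '=' separates key and value
        if value.startswith("@"):
            # key=@file form: the file is read verbatim, not parsed as JSON.
            with open(value[1:], "r", encoding="utf-8") as fh:
                value = fh.read()
        data[key] = value
    return data


def write_sample_file(directory=None):
    """Create a constructed abc.json with the same content as the question's
    sample file and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="kvput-")
    path = os.path.join(directory, "abc.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"key": "value", "foo": "bar", "bar": "baz"}, fh)
    return path


if __name__ == "__main__":
    sample = write_sample_file()
    # Whole object from the file: three keys would be written under PATH.
    print(parse_kv_put_args(["@" + sample]))
    # File contents as the value of one key: a single key holding JSON text.
    print(parse_kv_put_args(["key=@" + sample]))
```

The second call is the shape `key=@abc.json` produces: one key named `key` whose value is the entire file as a string, which is rarely what is wanted when the file already holds key/value pairs.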
I have a scenario for using Azure Key vault.
I have stored a refresh token in Key Vault. Retrieved the token from key vault in ADF using the web activity. Call the service provider endpoint to generate the Access Token based on refresh token.
I want to store the above generated Access token from ADF to Key Vault. How can I do that?
I went through many articles but did not find any solution on storing the information generated in ADF to Key Vault.
Any help is much appreciated.
Thanks
You can make a REST API call from Azure Data Factory using the web activity to store a secret into Azure Key Vault.
Here is the link for the REST API reference:
Sets a secret in a specified key vault.
The SET operation adds a secret to the Azure Key Vault. If the named secret already exists, Azure Key Vault creates a new version of that secret. This operation requires the secrets/set permission.
Set Secret - REST API (Azure Key Vault)
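The Set Secret call the answer points to is a single PUT with a small JSON body, and the ADF web activity is just a declarative way of issuing that PUT with the factory's managed identity. The block below is an added example, not code from the question, the answer or Microsoft: it builds the request, parses the `id` of the response (which carries the new version, since a PUT to an existing name creates a version rather than failing), and emits the equivalent web activity definition. The vault URL, secret name, token and the `GetToken` activity name are placeholders, and `api-version=7.4` is an assumption (any supported data-plane version works).

```python
import json
import re
from urllib.parse import quote
from urllib.request import Request

# Key Vault secret names: 1-127 characters of letters, digits and hyphens.
SECRET_NAME_RE = re.compile(r"^[0-9a-zA-Z-]{1,127}$")


def set_secret_body(value, content_type=None, enabled=True):
    """JSON body of the Set Secret operation: the value plus optional
    contentType and attributes."""
    body = {"value": value, "attributes": {"enabled": enabled}}
    if content_type:
        body["contentType"] = content_type
    return body


def set_secret_request(vault_base_url, secret_name, value, bearer_token,
                       api_version="7.4", content_type=None):
    """Build PUT {vaultBaseUrl}/secrets/{secret-name}?api-version=... as an
    urllib Request (not sent here). The caller's token must come from an
    identity holding the secrets/set permission on the vault."""
    if not SECRET_NAME_RE.match(secret_name):
        raise ValueError("secret names are 1-127 characters of [0-9a-zA-Z-]")
    url = (f"{vault_base_url.rstrip('/')}/secrets/{quote(secret_name, safe='')}"
           f"?api-version={api_version}")
    payload = json.dumps(set_secret_body(value, content_type)).encode("utf-8")
    return Request(url, data=payload, method="PUT",
                   headers={"Authorization": f"Bearer {bearer_token}",
                            "Content-Type": "application/json"})


def secret_version_from_id(secret_id):
    """Extract (name, version) from the id returned by Set Secret, which has
    the form https://{vault}.vault.azure.net/secrets/{name}/{version}."""
    m = re.search(r"/secrets/([^/]+)/([0-9a-fA-F]+)$", secret_id)
    if not m:
        raise ValueError(f"unexpected secret id: {secret_id}")
    return m.group(1), m.group(2)


def adf_web_activity_set_secret(name, vault_base_url, secret_name,
                                value_expression, api_version="7.4"):
    """ADF Web activity that performs the same PUT using the factory's
    managed identity (authentication type MSI, resource
    https://vault.azure.net). value_expression is an ADF expression such as
    "@{activity('GetToken').output.access_token}"; 'GetToken' is an assumed
    activity name, and the output field name depends on the token endpoint."""
    return {
        "name": name,
        "type": "WebActivity",
        "typeProperties": {
            "url": f"{vault_base_url.rstrip('/')}/secrets/{secret_name}"
                   f"?api-version={api_version}",
            "method": "PUT",
            "headers": {"Content-Type": "application/json"},
            "body": {"value": value_expression},
            "authentication": {"type": "MSI", "resource": "https://vault.azure.net"},
        },
    }


if __name__ == "__main__":
    req = set_secret_request("https://example-vault.vault.azure.net",
                             "adf-access-token", "placeholder-token-value",
                             "PLACEHOLDER_BEARER_TOKEN")
    print(req.get_method(), req.full_url)
    print(json.dumps(adf_web_activity_set_secret(
        "StoreAccessToken", "https://example-vault.vault.azure.net",
        "adf-access-token", "@{activity('GetToken').output.access_token}"), indent=2))
```

Because every pipeline run creates a new secret version, it is worth keeping the token's `exp` in view (the `attributes` object accepts it) and granting the factory identity only `secrets/set` plus whatever read permission the rest of the pipeline actually needs.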
My HashiCorp vault instance is running properly on CentOS7. I enabled AppRole authentication, created a policy and a role, enabled secret engine and created a secret for a client application.
I can retrieve the secret data using root CLI but I can't figure out how to get secret data from HTTP API with my application role using curl. I tried a few endpoint combinations without success. Retrieving the client token works, but I can't get secret data itself.
I wonder if the API endpoint is correct or if there is another setting in play.
Authentication method
vault auth enable approle
Policy
# File: my_app /etc/vault/my_app.hcl
path "kv/data/foo/*" {
capabilities = ["read", "list"]
}
# Command line
vault policy write my_app /etc/vault/my_app.hcl
Role
vault write auth/approle/role/my_app policies="my_app"
Secret creation
vault kv put kv/data/foo/user@domain.tld password=1234
API call token request
curl --request POST --data '{"role_id": "xxxxxxxxxxxxxxxxx", "secret_id": "xxxxxxxxxxxxxxxxxxxx"}' http://127.0.0.1:8200/v1/auth/approle/login | jq
Result: Token is properly retrieved
API call for secret data request
export VAULT_CLIENT_TOKEN=XXXXXXX
curl --header "X-Vault-Token: $VAULT_CLIENT_TOKEN" --request GET "http://127.0.0.1:8200/v1/kv/data/foo/user@domain.tld"
Result : No secret data retrieved
Output:
{"errors":[]}
CLI call for secret data
vault kv get -field=password kv/data/foo/user@domain.tld
Output:
1234
Global settings
vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_xxxxxxxx per-token private secret storage
identity/ identity identity_xxxxxxxx identity store
kv/ kv kv_xxxxxxxx n/a
sys/ system system_xxxxxxxx system endpoints used for control, policy and debugging
I set up vault backed by a consul cluster. I secured it with https and am trying to use the cli on a separate machine to get and set secrets in the kv engine. I am using version 1.0.2 of both the CLI and Vault server.
I have logged in with the root token so I should have access to everything. I have also set my VAULT_ADDR appropriately.
Here is my request:
vault kv put secret/my-secret my-value=yea
Here is the response:
Error making API request.
URL: GET https://{my-vault-address}/v1/sys/internal/ui/mounts/secret/my-secret
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "secret/my-secret/"
I don't understand what is happening here. I am able to set and read secrets in the kv engine no problem from the vault ui. What am I missing?
This was a result of me not reading documentation.
The request was failing because there was no secret engine mounted at that path.
You can check your secret engine paths by running vault secrets list -detailed
This showed that my kv secret engine was mapped to path kv not secret as I was trying.
Therefore running vault kv put kv/my-secret my-value=yea worked as expected.
You can enable a secrets engine for a specific path
vault secrets enable -path=kv kv
https://www.vaultproject.io/intro/getting-started/secrets-engines
You need to update secret/my-secret to whichever path you mounted when you enable the kv secret engine.
For example, if you enable the secret engine like this:
vault secrets enable -version=2 kv-v2
You should mount to kv-v2 instead of secret
vault kv put kv-v2/my-secret my-value=yea
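Both the AppRole question above (policy on `kv/data/foo/*`, CLI path `kv/data/foo/...`, curl against `/v1/kv/data/foo/...`) and this one (`secret/` versus the mount actually named `kv`) come down to the same two checks: which mount a CLI path falls under, and how that mount's KV version rewrites the path for the HTTP API. For KV v1 the API path is the CLI path verbatim, so `vault kv put kv/data/foo/x` really writes `kv/data/foo/x`; for KV v2 the CLI inserts `data/` (reads and writes) or `metadata/` (lists) after the mount, and policies must name the API form. The block below is an added example, not the page's or Vault's own code; the mount table it uses is constructed to mirror what `vault secrets list -detailed` reports.

```python
def resolve_mount(cli_path, mounts):
    """Split a CLI path such as "kv-v2/my-secret" into (mount, rest) using
    the longest matching mount prefix. `mounts` maps a mount path, with the
    trailing slash `vault secrets list` prints, to its KV version. Raises
    LookupError when nothing is mounted under the path, which is the
    situation behind the "preflight capability check" error above."""
    best = None
    for mount in mounts:
        if cli_path.startswith(mount) and (best is None or len(mount) > len(best)):
            best = mount
    if best is None:
        raise LookupError(f"no secrets engine mounted at a prefix of {cli_path!r}; "
                          "check `vault secrets list -detailed`")
    return best, cli_path[len(best):]


def is_mounted(cli_path, mounts):
    """True when some engine in `mounts` covers cli_path."""
    try:
        resolve_mount(cli_path, mounts)
        return True
    except LookupError:
        return False


def kv_api_path(mount, rest, version, op="read"):
    """HTTP API path (the part after /v1/) the `vault kv` CLI calls."""
    mount = mount.strip("/")
    rest = rest.strip("/")
    if version == 1:
        # KV v1: the API path is the CLI path, verbatim, for every operation.
        return f"{mount}/{rest}"
    if version == 2:
        # KV v2 inserts a segment naming the sub-API being addressed:
        #   data/     read and write the secret's versions
        #   metadata/ list keys and read version history
        segment = {"read": "data", "write": "data",
                   "list": "metadata", "metadata": "metadata"}[op]
        return f"{mount}/{segment}/{rest}"
    raise ValueError(f"unknown KV version {version!r}")


def kv_write_body(version, data):
    """JSON body of a write: v1 sends the map directly, v2 nests it under
    "data" so that "options" (e.g. check-and-set) can sit beside it."""
    return dict(data) if version == 1 else {"data": dict(data)}


def kv_cli_to_api(cli_path, mounts, op="read", data=None):
    """Translate a CLI path plus operation into (api_path, request_body)."""
    mount, rest = resolve_mount(cli_path, mounts)
    version = mounts[mount]
    path = kv_api_path(mount, rest, version, op)
    body = kv_write_body(version, data or {}) if op == "write" else None
    return path, body


def kv_policy_rule(cli_path, mounts, capabilities=("read", "list")):
    """Policy stanza granting `capabilities` on the API path behind a CLI
    path. A trailing glob survives the data/ insertion, so "kv-v2/foo/*"
    becomes path "kv-v2/data/foo/*"."""
    path, _ = kv_cli_to_api(cli_path, mounts, "read")
    caps = ", ".join(f'"{c}"' for c in capabilities)
    return f'path "{path}" {{\n  capabilities = [{caps}]\n}}'


if __name__ == "__main__":
    # Constructed mount table: a v1 engine at kv/ and a v2 engine at kv-v2/.
    mounts = {"kv/": 1, "kv-v2/": 2}
    print(kv_cli_to_api("kv/my-secret", mounts, "write", {"my-value": "yea"}))
    print(kv_cli_to_api("kv-v2/my-secret", mounts, "write", {"my-value": "yea"}))
    print(kv_policy_rule("kv-v2/foo/*", mounts))
    print("secret/my-secret mounted:", is_mounted("secret/my-secret", mounts))
```

Running it prints `kv/my-secret` with a flat body for the v1 mount, `kv-v2/data/my-secret` with the body nested under `data` for the v2 mount, and reports that nothing covers `secret/my-secret`, which is exactly the `vault secrets list -detailed` check the answer recommends.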
I've created this secret backend:
$ vault secrets enable -path=openshift kv
$ vault write openshift/postgresql username=tdevhub
$ vault write openshift/postgresql password=password
I can't quite figure out how to read the username and password values.
I've tried with:
$ vault read openshift/postgresql/password
or
$ vault kv get openshift/post...
On the other hand, when I perform this command line:
$ vault kv get openshift/postgresql
====== Data ======
Key Value
--- -----
username tdevhub
I'd like to store username and password into a secret backend. I've realized that a kv secret backend is only able to store one key... is it right?
How could I get my goal?
You can read secrets using
vault kv get -field=password openshift/postgresql
or
vault kv get -field=username openshift/postgresql
You can store multiple data with a command like this: vault write openshift/postgresql username=tdevhub password=password. When you read at that location both username and password values will be returned.
Unfortunately, you can't append data to the same location, so when you execute the write again on that path the previous values will be overwritten. If you want to append data later, you have two choices:
Read your data each time you need to add a value, and append it manually
Use the KV Version 2 of Vault Key/Value secret engine
You can use the flags -format json and -field=data to get all the data under a given key properly formatted in JSON. This also filters out the extra details.
vault kv get -format json -field=data openshift/postgresql
The output you would get is -
{
"username": "tdevhub",
"password": "password"
}
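The two answers above describe a read-modify-write cycle (read the secret, add the key, write the whole map back) and the `-format=json` output that feeds it. Since `vault kv get -format=json` returns the key/value map directly under `data` on a KV v1 mount but under `data.data` beside `data.metadata` on KV v2, a script that automates that cycle has to unwrap both shapes, and it should refuse to change an existing value by accident because a v1 write replaces the whole secret. The block below is an added example, not code from the answers or from Vault; the two sample outputs are constructed to match the shapes the CLI prints, not captured from a server.

```python
import json

# Constructed sample outputs of `vault kv get -format=json` (not captured).
SAMPLE_V1 = json.loads("""{
  "request_id": "00000000-0000-0000-0000-000000000001",
  "lease_id": "", "lease_duration": 2764800, "renewable": false,
  "data": {"username": "tdevhub", "password": "password"},
  "warnings": null
}""")

SAMPLE_V2 = json.loads("""{
  "request_id": "00000000-0000-0000-0000-000000000002",
  "lease_id": "", "lease_duration": 0, "renewable": false,
  "data": {
    "data": {"username": "tdevhub", "password": "password"},
    "metadata": {"created_time": "2024-01-01T00:00:00Z", "deletion_time": "",
                 "destroyed": false, "version": 1}
  },
  "warnings": null
}""")


def unwrap_kv_get(output, version=None):
    """Return the key/value map from a `vault kv get -format=json` result.
    Pass version when it is known. Otherwise the v2 envelope is detected by
    its data/metadata pair; a v1 secret that happens to use exactly those two
    keys would be misread, which is why an explicit version is preferred."""
    data = output["data"]
    if version is None:
        looks_v2 = (set(data) == {"data", "metadata"}
                    and isinstance(data["metadata"], dict)
                    and "version" in data["metadata"])
        version = 2 if looks_v2 else 1
    return dict(data["data"] if version == 2 else data)


def conflicting_keys(existing, additions):
    """Keys whose current value the additions would silently change."""
    return sorted(k for k, v in additions.items()
                  if k in existing and existing[k] != v)


def merged_for_rewrite(output, additions, version=None, allow_overwrite=False):
    """Build the complete map to write back so that a KV v1 put, which
    replaces the whole secret, keeps every existing key (the manual "read,
    append, write" the answer describes). Existing values are only changed
    when allow_overwrite is set."""
    existing = unwrap_kv_get(output, version)
    clashes = conflicting_keys(existing, additions)
    if clashes and not allow_overwrite:
        raise ValueError(f"would overwrite existing keys: {clashes}")
    merged = dict(existing)
    merged.update(additions)
    return merged


if __name__ == "__main__":
    print(unwrap_kv_get(SAMPLE_V1))
    print(unwrap_kv_get(SAMPLE_V2))
    # Adding a new key keeps username and password intact.
    print(merged_for_rewrite(SAMPLE_V1, {"host": "db.internal"}))
    # Changing password without allow_overwrite is rejected.
    try:
        merged_for_rewrite(SAMPLE_V1, {"password": "other"})
    except ValueError as err:
        print("refused:", err)
```

The merged map is what you would pass to `vault kv put` (or `@file.json`) on the same path. On a KV v2 mount the same result can be obtained server-side with `vault kv patch`, which merges keys into a new version instead of requiring the client to re-send the whole map.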