I keep trying to simply list the secrets in my KeyValue Vault via API and I'm getting "permission denied" using AppRole auth. Here's what I have so far.
Caller
private async Task RetrieveSecrets()
{
// Fails here, though it's the actual service method that fails (see below)
List<string> secrets = (await _vaultService.GetSecretsList()).ToList();
AvailableSecrets.Clear();
foreach (string secret in secrets)
{
AvailableSecrets.Add(secret);
}
}
VaultService
internal class VaultService : IVaultService
{
private IVaultClient _client;
public VaultService(IOptions<ApplicationSettings> applicationSettings)
{
CreateClient(applicationSettings.Value);
}
public async Task<IEnumerable<string>> GetSecretsList()
{
Secret<ListInfo> secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret");
ListInfo secrets = secret.Data;
return secrets.Keys;
}
private void CreateClient(ApplicationSettings settings, bool forceRecreate = false)
{
if (_client == null || forceRecreate)
{
// Role authorization
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(settings.VaultRoleId, settings.VaultSecretId);
VaultClientSettings vaultClientsettings = new VaultClientSettings(settings.VaultUrl, authMethod);
_client = new VaultClient(vaultClientsettings);
}
}
}
I've verified that keys do exist via the vault kv list secret/ command. Output:
λ vault kv list secret/
Keys
----
creds
I've also double-checked the policy:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","list"]
}
path "secret/data/foo" {
capabilities = ["read","list"]
}
Finally, I verified the RoleId and SecretId (and that the right one is getting passed in) using Postman and the following http calls:
Role: http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id
Secret: http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id
I've been poking all over the place here, and I even tried playing around with the parameters on `` with this:
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("", "secret") // no dice
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("data", "secret") // also no dice
Any idea what I'm missing?
After a lot of tinkering around, I finally found the problem: a permissions issue in general.
The key turned out to be in the policy file, which was originally this:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","list"]
}
path "secret/data/foo" {
capabilities = ["read","list"]
}
For starters, the second path was basically junk. It was there because it got copied when I followed a tutorial. More importantly, though: the first path would not let me list metadata.
Ultimately I changed it to the following:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","read","list"]
}
path "secret/*" {
capabilities = ["create","update","read","list"]
}
The fact that they both now also have read/create/update/list isn't really the important part here -- I did that to make sure my POC could do everything it needed to. The important part here was that there needed to be list permissions on secret/*.
Once I updated the policy, AppRole auth worked perfectly.