Tags: python-3.x, aws-lambda, hashicorp-vault

vault read secrets with python


I'm trying to read secrets from vault using python. Having some security issues:

I can confirm authentication is working

    import hvac

    # vault_url and credentials (AWS access key, secret key, session token)
    # are assumed to be defined earlier
    client = hvac.Client(url=vault_url)
    client.auth.aws.iam_login(credentials.access_key, credentials.secret_key, credentials.token)

    print(client.is_authenticated())

but reading a secret is not working:

I tried:

    response = client.secrets.kv.v2.read_secret_version(path='kv-v2/lambda-function')

and:

    response = client.secrets.kv.v2.read_secret_version(path='lambda-function')

and:

    secret = 'kv-v2/lambda-function'

    mount_point, secret_path = secret.split('/', 1)
    response = client.secrets.kv.v2.read_secret_version(
        mount_point=mount_point, path=secret_path)

all yield:

    [ERROR] Forbidden: 1 error occurred:
    * permission denied

the following policy is in place:

    path "kv-v2/lambda-function/*" {
        capabilities = ["read"]
    }

but I've also tried:

    path "kv-v2/data/lambda-function/*" {
        capabilities = ["read"]
    }

the policy is linked to the auth:

    vault write auth/aws/role/role... \
        auth_type=iam \
        bound_iam_principal_arn="arn:.." \
        policies=lambda-function \
        ttl=5m

and in the Vault console I can read the secret like this:

    vault kv get kv-v2/lambda-function

What am I doing wrong?


Solution

Okay, after a bit further experimentation it turns out that the correct policy is:

    path "kv-v2/+/lambda-function*" {
        capabilities = ["read","list"]
    }

and the correct hvac calls are:

    response = client.secrets.kv.v2.list_secrets(
        mount_point='kv-v2', path='/')

    response = client.secrets.kv.v2.read_secret_version(
        mount_point='kv-v2', path='/lambda-function')

All dandy now.
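Why the first two policies were denied and the third works comes down to the API paths a KV v2 mount really serves: `read_secret_version` requests `kv-v2/data/lambda-function`, not `kv-v2/lambda-function`, and a trailing `/*` only matches paths that continue past a slash. The following is an added illustration, not code from the thread or from hvac: it evaluates the three policies above against those API paths with a simplified, offline model of Vault's `*` and `+` matching (an assumption stated in the comments), and also shows how far the answer's wildcards reach compared with an exact, least-privilege path.

```python
import re

# Constructed example: the logical path from the thread on a KV v2 mount
# named "kv-v2" and the API paths that hvac (and the CLI) actually request.
# A KV v2 read goes through <mount>/data/<secret>; metadata operations go
# through <mount>/metadata/<secret>, which is why the engine version matters
# when writing policy paths.
API_PATHS = {
    "read_secret_version":  "kv-v2/data/lambda-function",
    "read_secret_metadata": "kv-v2/metadata/lambda-function",
}

def path_rule_matches(rule: str, request: str) -> bool:
    """Simplified Vault policy path matching (assumption: models only the two
    wildcards used in the thread): a trailing '*' makes the rule a prefix
    match, '+' matches exactly one path segment, anything else is literal."""
    is_prefix = rule.endswith("*")
    body = rule[:-1] if is_prefix else rule
    pattern = "".join("[^/]+" if ch == "+" else re.escape(ch) for ch in body)
    return re.fullmatch(pattern + (".*" if is_prefix else ""), request) is not None

def grants(policy: dict, capability: str, request: str) -> bool:
    """True if some rule matching `request` carries `capability`. Assumption:
    real Vault applies the single most specific matching rule rather than the
    union of all matches; with one rule per policy the outcome is the same."""
    return any(capability in caps and path_rule_matches(rule, request)
               for rule, caps in policy.items())

def allowed_calls(policy: dict) -> dict:
    """Which of the two hvac calls a policy permits (both need 'read')."""
    return {call: grants(policy, "read", path) for call, path in API_PATHS.items()}

# The policies exactly as they appear in the question and the answer.
ASKED_1 = {"kv-v2/lambda-function/*": {"read"}}
ASKED_2 = {"kv-v2/data/lambda-function/*": {"read"}}
ANSWER  = {"kv-v2/+/lambda-function*": {"read", "list"}}
# A tighter alternative (assumption, not from the thread): exactly the one
# path read_secret_version needs, with no wildcard.
EXACT   = {"kv-v2/data/lambda-function": {"read"}}

if __name__ == "__main__":
    for name, policy in [("asked_1", ASKED_1), ("asked_2", ASKED_2),
                         ("answer", ANSWER), ("exact", EXACT)]:
        print(name, allowed_calls(policy))
    # The answer's wildcards also reach sibling secrets sharing the prefix.
    print(grants(ANSWER, "read", "kv-v2/data/lambda-function-staging"))
```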