vaultsharp

Differentiation between the namespace, path, mountpoint, etc


The Hashicorp documentation leaves a lot to be desired when it comes to implementing a solution using .Net, and the VaultSharp documentation isn't comprehensive enough to cover the multitude of scenarios.

We have our Vault setup with a namespace, "egw". We have a KV Secrets Engine enabled with a name of "Expr". We have secrets listed at 3 different paths: "Trans", "Set" and "Serv".

We are unsure how to actually read these secrets, as the differentiation between the namespace, path, mountpoint, etc. is UNCLEAR to us.

The documentation's all over the place and not clear to us on any of these terms, and the sample apps are useless to us due to the wrong auth methods.

We are using LDAP Auth Method so we can login to our server without issues, it's just getting to the secrets that we're having issues with.

Can someone, please, explain to us how to read these secrets using VaultSharp?

Update: We currently do NOT have roles created or assigned.

Can someone, please, help me to understand why this code fails to either list the paths OR fetch the secrets? Am I doing something incorrectly or just not understanding how it needs to be done?

using System.Collections.Generic;
using VaultSharp;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.LDAP;
using VaultSharp.V1.Commons;
using VaultSharp.V1.SecretsEngines.KeyValue.V2;

// Log in with the LDAP auth method; VaultSharp exchanges these credentials for a token on the first request.
IAuthMethodInfo authMethod = new LDAPAuthMethodInfo(_settings.LDAPUserName, _settings.LDAPPassword);
var vaultClientSettings = new VaultClientSettings(_settings.Address, authMethod);

IVaultClient vaultClient = new VaultClient(vaultClientSettings);

// List the keys below the given path, passing namespace/engine/data/ as a single path string.
Secret<ListInfo> secret = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("egw/Expr/data/");
ListInfo paths = secret.Data;

// Read the "Trans" secret, passing the namespace as the mount point and "Expr/data/Trans" as the path.
Secret<SecretData>? kv2Secret = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(path: "Expr/data/Trans", mountPoint: "egw/");
Dictionary<string, object> dataDictionary = kv2Secret.Data.Data;

This is the error message and StackTrace I am getting:

Message: 
    Newtonsoft.Json.JsonReaderException : Unexpected character encountered while parsing value: <. Path '', line 0, position 0.

  Stack Trace: 
    JsonTextReader.ParseValue()
    JsonReader.ReadAndMoveToContent()
    JsonReader.ReadForType(JsonContract contract, Boolean hasConverter)
    JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
    JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
    JsonSerializer.Deserialize(JsonReader reader, Type objectType)
    JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
    JsonConvert.DeserializeObject[T](String value, JsonSerializerSettings settings)
    JsonConvert.DeserializeObject[T](String value)
    Polymath.MakeRequestAsync[TResponse](String resourcePath, HttpMethod httpMethod, Object requestData, IDictionary`2 headers, Boolean rawResponse, Action`1 postResponseAction)
    Polymath.MakeVaultApiRequest[TResponse](String resourcePath, HttpMethod httpMethod, Object requestData, Boolean rawResponse, Action`1 postResponseAction, String wrapTimeToLive, Boolean unauthenticated)
    LDAPAuthMethodLoginProvider.GetVaultTokenAsync()
    Polymath.MakeVaultApiRequest[TResponse](String resourcePath, HttpMethod httpMethod, Object requestData, Boolean rawResponse, Action`1 postResponseAction, String wrapTimeToLive, Boolean unauthenticated)
    Polymath.MakeVaultApiRequest[TResponse](String mountPoint, String path, HttpMethod httpMethod, Object requestData, Boolean rawResponse, Action`1 postResponseAction, String wrapTimeToLive, Boolean unauthenticated)
    KeyValueSecretsEngineV2Provider.ReadSecretAsync(String path, Nullable`1 version, String mountPoint, String wrapTimeToLive)

Update2: Found that using the LDAP AuthMethod isn't working correctly; not sure if it's the way it's set up on the Vault or what. Began using the Token and was able to read the secrets, but when trying to list them, I get permission denied.


Solution

  • Namespaces provide a way for your Vault service to be fully self-managed. This is more an administrative detail than a programming detail, and you can largely disregard that. Ultimately, you just need to know what your namespace is called.

    Your secrets engine is where the secrets actually reside, and how they are stored. For most cases, you're using a KV (key-value) secrets engine, version 2.

    The paths you list just describe locations where your secrets reside in your secrets engine.

    So with the information you've given:

    • Namespace is egw
    • Secrets engine is KV with name of Expr
    • Paths exist at Trans, Set, and Serv

    ...you'd probably be referencing it from these paths. Note that KV secrets engines store their values at the data/ path, so you have to include that after you request from the secrets engine.

    • egw/Expr/data/Trans
    • egw/Expr/data/Set
    • egw/Expr/data/Serv

    As an access note: You're really going to want to consider using an AppRole to access these secrets if you're doing machine-to-machine communication. Doing all of that with LDAP is going to be complex and relies on LDAP and Vault being alive versus with AppRoles, which only needs Vault to be alive, and allows for very fine-grained access to secrets.
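The three terms from the answer map onto three different places in VaultSharp: the namespace is a client setting (sent as the X-Vault-Namespace header on every request), the secrets engine name is the mountPoint argument, and path is only the secret's name, because the library inserts the data/ (or, for listing, metadata/) segment itself. The following is an added example, not code from the question, the answer or the VaultSharp project. It assumes a reachable Vault whose API base URL is in VAULT_ADDR (a response beginning with "<" is an HTML page, not the JSON API, so a UI or proxy URL will not do), the namespace "egw", a KV v2 engine mounted at "Expr" and the secrets "Trans", "Set" and "Serv"; the environment variable names are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using VaultSharp;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.AppRole;
using VaultSharp.V1.AuthMethods.LDAP;
using VaultSharp.V1.AuthMethods.Token;
using VaultSharp.V1.Commons;
using VaultSharp.V1.SecretsEngines.KeyValue.V2;

// Added example, not from the question or answer. Assumes namespace "egw" with a
// KV v2 engine mounted at "Expr" that holds the secrets "Trans", "Set" and "Serv".
public static class ExprSecrets
{
    const string Namespace = "egw";   // sent as the X-Vault-Namespace header on every request
    const string MountPoint = "Expr"; // the KV v2 engine's mount path inside that namespace

    public static IVaultClient BuildClient(string address, IAuthMethodInfo auth)
    {
        // The namespace is a client setting, not part of mountPoint or path.
        var settings = new VaultClientSettings(address, auth) { Namespace = Namespace };
        return new VaultClient(settings);
    }

    // VaultSharp inserts "data/" itself: this call requests v1/Expr/data/<name>.
    public static async Task<Dictionary<string, object>> ReadAsync(IVaultClient client, string name)
    {
        Secret<SecretData> secret = await client.V1.Secrets.KeyValue.V2
            .ReadSecretAsync(path: name, mountPoint: MountPoint);
        return secret.Data.Data;
    }

    // Listing goes through the metadata/ path (v1/Expr/metadata/?list=true), so the
    // token's policy needs the "list" capability on Expr/metadata/* in addition to
    // "read" on Expr/data/*; a token with only the latter can read but gets
    // "permission denied" on list.
    public static async Task<IEnumerable<string>> ListAsync(IVaultClient client)
    {
        Secret<ListInfo> secret = await client.V1.Secrets.KeyValue.V2
            .ReadSecretPathsAsync(path: "", mountPoint: MountPoint);
        return secret.Data.Keys;
    }

    public static async Task Main()
    {
        // Assumed environment variable names (this example's convention, not VaultSharp's).
        string address = Environment.GetEnvironmentVariable("VAULT_ADDR")
                         ?? "https://vault.example.com:8200";

        // AppRole for machine-to-machine use, a raw token or LDAP otherwise;
        // all three produce the same IVaultClient and the same read/list calls.
        IAuthMethodInfo auth;
        if (Environment.GetEnvironmentVariable("VAULT_ROLE_ID") is string roleId)
            auth = new AppRoleAuthMethodInfo(roleId, Environment.GetEnvironmentVariable("VAULT_SECRET_ID"));
        else if (Environment.GetEnvironmentVariable("VAULT_TOKEN") is string token)
            auth = new TokenAuthMethodInfo(token);
        else
            auth = new LDAPAuthMethodInfo(Environment.GetEnvironmentVariable("LDAP_USER"),
                                          Environment.GetEnvironmentVariable("LDAP_PASSWORD"));

        IVaultClient client = BuildClient(address, auth);

        foreach (string name in await ListAsync(client))
            Console.WriteLine($"{MountPoint}/{name}");          // expected: Trans, Set, Serv

        foreach (var kv in await ReadAsync(client, "Trans"))
            Console.WriteLine($"{kv.Key} = {kv.Value}");         // demo only: never log secret values in production
    }
}
```

The policy attached to whichever auth method you use (LDAP group, token or AppRole) is written relative to the namespace, so the minimum for this code is a "read" capability on Expr/data/* and a "list" capability on Expr/metadata/*. If ReadAsync works but ListAsync is denied, the metadata path is the part that is missing.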