I am trying to connect to hvault using Python with a self-signed cert. I wrote code something like the below:
import hvac

# cert= only attaches the client certificate to the underlying TLS session;
# no Vault login is performed here, so the client still has no token.
# verify=False disables server-certificate verification (hence the InsecureRequestWarning).
client = hvac.Client(url='https://localhost:8203', cert=('hv.crt', 'hv.key'), verify=False)
client.is_authenticated()
client.secrets.kv.v2.read_secret(mount_point="secret", path='test')
However, it fails with this error:
False
>>> client.secrets.kv.v2.read_secret(mount_point="secret", path='test')
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:999: InsecureRequestWarning: Unverified HTTPS request is being made to host 'localhost'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
warnings.warn(
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/opt/uptycs/.local/lib/python3.8/site-packages/hvac/api/secrets_engines/kv_v2.py", line 98, in read_secret
return self.read_secret_version(
File "/opt/uptycs/.local/lib/python3.8/site-packages/hvac/api/secrets_engines/kv_v2.py", line 153, in read_secret_version
return self._adapter.get(
File "/opt/uptycs/.local/lib/python3.8/site-packages/hvac/adapters.py", line 110, in get
return self.request("get", url, **kwargs)
File "/opt/uptycs/.local/lib/python3.8/site-packages/hvac/adapters.py", line 372, in request
response = super().request(*args, **kwargs)
File "/opt/uptycs/.local/lib/python3.8/site-packages/hvac/adapters.py", line 340, in request
self._raise_for_error(method, url, response)
File "/opt/uptycs/.local/lib/python3.8/site-packages/hvac/adapters.py", line 258, in _raise_for_error
utils.raise_for_error(
File "/opt/uptycs/.local/lib/python3.8/site-packages/hvac/utils.py", line 41, in raise_for_error
raise exceptions.VaultError.from_status(
hvac.exceptions.Forbidden: permission denied, on get https://localhost:8203/v1/secret/data/test
When I run the same code with a token, it works:
import hvac

# A token obtained out of band is passed directly, so every request is authenticated.
client = hvac.Client(url='https://localhost:8203', token='hvs.XXXXXXXX')
client.is_authenticated()
client.secrets.kv.v2.read_secret(mount_point="secret", path='test')
Output:
True
{'request_id': 'fd211543-225f-58d6-4d87-112bec5698b9', 'lease_id': '', 'renewable': False, 'lease_duration': 2764800, 'data': {'data': {'test': 'a'}}, 'wrap_info': None, 'warnings': None, 'auth': None}
Even the shell execution returns the results:
curl -s -k --header "X-Vault-Token:$(curl -s -k --request POST --cacert cacert.pem --cert hv.crt --key hv.key https://localhost:8203/v1/auth/cert/login | jq -r .auth.client_token)" --request GET https://localhost:8203/v1/secret/data/test | jq -r '.data.data[]'
I went through the link, but there is no definition of load_vault_token. Across the internet, for self-signed there is one for EC2.
Any suggestions?
So finally I was able to get it working:
import hvac

# cert= presents the client certificate during the TLS handshake.
# verify=False skips server-certificate verification; verify='cacert.pem' would
# check the server against the self-signed CA instead.
client = hvac.Client(url='https://localhost:8203', cert=('hv.crt', 'hv.key'), verify=False)

# Explicitly log in against the cert auth method; Vault issues a client token
# for the presented certificate and hvac stores it on the client.
client.login("/v1/auth/cert/login")
if not client.is_authenticated():
    error_msg = 'Unable to authenticate to the Vault service'
    raise hvac.exceptions.Unauthorized(error_msg)

client.secrets.kv.v2.read_secret(mount_point="secret", path='test')
Thanks @EDG956 for help
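The following is an added example, not code from the original post or from hvac. It spells out the two-step exchange the curl one-liner above performs: a POST to the cert auth login endpoint, where the client certificate is presented at the TLS layer and Vault answers with a client token, followed by a KV v2 read that carries that token in X-Vault-Token. It uses only the standard library so that the server can be verified against the self-signed CA (`cacert.pem`) instead of being skipped with verify=False. The host, port, file names and secret path are the ones from the post; `fake_send` is a constructed stand-in for a Vault server so the flow, including the 403 "permission denied" you get when the token is missing, can be exercised offline.

```python
"""Vault TLS-certificate auth followed by a KV v2 read (stdlib only).
Added example, not code from the original post or from hvac."""
import http.client
import json
import ssl
from typing import Callable, Optional, Tuple

# A transport takes (method, path, headers, body) and returns (status, json_doc).
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, dict]]


class VaultAuthError(Exception):
    """Raised when login fails or Vault refuses the request."""


def make_tls_transport(host: str, port: int, cacert: str, cert: str, key: str) -> Transport:
    """Transport that presents the client cert AND verifies the server against
    the self-signed CA (the safe replacement for verify=False)."""
    ctx = ssl.create_default_context(cafile=cacert)  # trust only our CA
    ctx.load_cert_chain(certfile=cert, keyfile=key)  # mTLS client identity

    def send(method: str, path: str, headers: dict, body: Optional[bytes]) -> Tuple[int, dict]:
        conn = http.client.HTTPSConnection(host, port, context=ctx)
        try:
            conn.request(method, path, body=body, headers=headers)
            resp = conn.getresponse()
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
        finally:
            conn.close()

    return send


def cert_login(send: Transport, role_name: Optional[str] = None, mount: str = "cert") -> str:
    """POST /v1/auth/<mount>/login. The certificate travels in the TLS handshake,
    so the body is optional ("name" selects a specific cert role). Returns the token."""
    body = json.dumps({"name": role_name}).encode() if role_name else None
    status, doc = send("POST", f"/v1/auth/{mount}/login",
                       {"Content-Type": "application/json"}, body)
    if status != 200 or not doc.get("auth"):
        raise VaultAuthError(f"cert login failed ({status}): {doc.get('errors', [])}")
    return doc["auth"]["client_token"]


def read_kv2(send: Transport, token: str, path: str, mount: str = "secret") -> dict:
    """GET /v1/<mount>/data/<path> with X-Vault-Token. KV v2 nests the keys under data.data."""
    status, doc = send("GET", f"/v1/{mount}/data/{path}", {"X-Vault-Token": token}, None)
    if status == 403:
        # This is the failure the question hit: a request without a valid token.
        raise VaultAuthError(f"permission denied on /v1/{mount}/data/{path}: {doc.get('errors')}")
    if status != 200:
        raise VaultAuthError(f"read failed ({status}): {doc.get('errors')}")
    return doc["data"]["data"]


def fetch_secret(send: Transport, path: str, role_name: Optional[str] = None) -> dict:
    """Login first, then read: the order the hvac answer above relies on."""
    return read_kv2(send, cert_login(send, role_name), path)


# Constructed stand-in for a Vault server (no network), mirroring the real responses.
def fake_send(method: str, path: str, headers: dict, body: Optional[bytes]) -> Tuple[int, dict]:
    if method == "POST" and path == "/v1/auth/cert/login":
        return 200, {"auth": {"client_token": "hvs.FAKE"}}  # constructed token
    if method == "GET" and path == "/v1/secret/data/test":
        if headers.get("X-Vault-Token") == "hvs.FAKE":
            return 200, {"data": {"data": {"test": "a"}, "metadata": {"version": 1}}}
        return 403, {"errors": ["permission denied"]}
    return 404, {"errors": []}


if __name__ == "__main__":
    # Offline run against the constructed server; swap in make_tls_transport(...)
    # with ("localhost", 8203, "cacert.pem", "hv.crt", "hv.key") for a real Vault.
    print(fetch_secret(fake_send, "test"))
```

The point the failing snippet in the question illustrates is visible in `read_kv2`: mutual TLS alone never produces a token, so a read without the preceding login lands in the 403 branch.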