0

错误

System.Exception:保管库配置失败:发生一个或多个错误。({"errors":["1 error occurred:\n\t* permission denied\n\n"]} ) 在 C:\Users\48013\Source\Repos 的 VaultConnection.VaultExtensions.AddVaultKeys.GetValutKeyValuePairs(IConfiguration buildConfig) \sample\Vault1\VaultConnection\VaultExtensions\AddVaultKeys.cs: VaultConnection.Startup.ConfigureServices(IServiceCollection services) 中的第 67 行

概括

使用 AppRoleAuthMethodInfo 方法从 Hashicorp Vault 读取键值会导致我 - 权限被拒绝错误。下面提到的一小段代码用于描述问题。

这是代码片段:

IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(buildConfig["vault:roleid"], buildConfig["vault:secretid"]);

var VaultClientSettings = new VaultClientSettings(buildConfig["vault:address"], authMethod);

IVaultClient vaultClient = new VaultClient(VaultClientSettings);

 // Token Apis.
var callingTokenInfo = vaultClient.V1.Auth.Token.LookupSelfAsync().Result;

var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1
                        .ReadSecretAsync(buildConfig["vault:path"])
                        .Result.Data;

---> It throws error at this point and failed to execute the above line var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1.........

DisplayJson(callingTokenInfo) 输出

这个令牌的输出是 - {"request_id":"e5e71c03-6972-12ff-9e30-d42c8e2f188a","lease_id":"","re​​newable":false,"lease_duration":0,"data":{"accessor" :"FuLTEKwYmJ2IGZyDwvCmJ1Vm","explicit_max_ttl":0,"renewable":true,"creation_time":1591617019,"creation_ttl":2764800,"orphan":true,"ttl":2764799,"type":"service"," id":"s.6GJMAbWxQU82cm1K7ajcSgv5","policies":["default","sqlconnection"],"meta":{"role_name":"sqlconnectionrole"},"path":"auth/approle/login"," display_name":"approle","num_uses":0,"entity_id":"811d33fe-e9e5-ac4e-3fbf-9809c0a85b3d","expire_time":"2020-07-10T17:20:19.2386078+05:30","identity_policies":null,"issue_time":"2020-06-08T17:20: 19.2386078+05:30"},"wrap_info":null,"warnings":null,"auth":null}

除此之外,创建策略和与角色关联的步骤


1. vault secrets enable -path=devkv kv
2. vault kv put devkv/connection timeout=120 source=DATA
3. vault policy write sqlconnection sqlconnection.hcl
4. Output of the policy created: - vault policy read sqlconnection

路径“devkv/*”{ 能力 = [“创建”、“读取”、“更新”、“删除”、“列表”] }

路径“devkv/appId*”{ 能力 = [“创建”、“读取”、“更新”、“删除”、“列表”] }

5. vault auth enable approle
6.  vault write auth/approle/role/sqlconnectionrole policies=default,sqlconnection
7. vault read auth/approle/role/sqlconnectionrole/role-id
8. vault write -f auth/approle/role/sqlconnectionrole/secret-id

If I test this through a command line, I am able to access the keys
9. vault write auth/approle/login role_id="1a5aa9a5-9d79-5743-de-9dca0433dc77" secret_id="138ec92b-02c8-610d-109b-3f325e29be"


为步骤 -9 执行的命令的输出

Received a token from this command. Login with this token to check whether or not keys associated with sqlconnection role can be read and I was successfully able to read the value.
> PS C:\WINDOWS\system32> vault write auth/approle/login role_id="1a5aa9a5-9d79-5743-3cde-9dca0433dc77" secret_id="138ec92b-02c8-610d-109b-3f325e29bef0"
> Key                     Value
> ---                     -----
> token                   s.g5NfR7DJLSD9hp1amXCvp92I
> token_accessor          u5raQKxARuAjluywS1SatFuy
> token_duration          768h
> token_renewable         true
> token_policies          ["default" "sqlconnection"]
> identity_policies       []
> policies                ["default" "sqlconnection"]
> token_meta_role_name    sqlconnectionrole
> PS C:\WINDOWS\system32> vault login s.g5NfR7DJLSD9hp1amXCvp92I
> WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
> over the value set by this command. To use the value set by this command,
> unset the VAULT_TOKEN environment variable or set it to the token displayed
> below.
> 
> Success! You are now authenticated. The token information displayed below
> is already stored in the token helper. You do NOT need to run "vault login"
> again. Future Vault requests will automatically use this token.
> 
> Key                     Value
> ---                     -----
> token                   s.g5NfR7DJLSD9hp1amXCvp92I
> token_accessor          u5raQKxARuAjluywS1SatFuy
> token_duration          767h59m35s
> token_renewable         true
> token_policies          ["default" "sqlconnection"]
> identity_policies       []
> policies                ["default" "sqlconnection"]
> token_meta_role_name    sqlconnectionrole
> 
> PS C:\WINDOWS\system32> vault kv get devkv/connection
> ===== Data =====
> Key        Value
> source     DATA
> timeout    120

>
4

1 回答 1

0

您的挂载点与密钥路径混为一谈。将它们分开如下:

var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1
   .ReadSecretAsync("connection", "devkv").Result.Data;           

于 2020-06-15T12:25:04.157 回答