1

我一直试图通过 API 简单地列出我的 KeyValue Vault 中的秘密,并且我使用 AppRole auth 获得“权限被拒绝”。这是我到目前为止所拥有的。

呼叫者

private async Task RetrieveSecrets()
{
    // Fails here, though it's the actual service method that fails (see below)
    List<string> secrets = (await _vaultService.GetSecretsList()).ToList();
    AvailableSecrets.Clear();
    foreach (string secret in secrets)
    {
        AvailableSecrets.Add(secret);
    }
}

保险柜服务

internal class VaultService : IVaultService
{
    private IVaultClient _client;

    public VaultService(IOptions<ApplicationSettings> applicationSettings)
    {
        CreateClient(applicationSettings.Value);
    }

    public async Task<IEnumerable<string>> GetSecretsList()
    {
        Secret<ListInfo> secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret");
        ListInfo secrets = secret.Data;
        return secrets.Keys;
    }

    private void CreateClient(ApplicationSettings settings, bool forceRecreate = false)
    {
        if (_client == null || forceRecreate)
        {
            // Role authorization
            IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(settings.VaultRoleId, settings.VaultSecretId);
            VaultClientSettings vaultClientsettings = new VaultClientSettings(settings.VaultUrl, authMethod);

            _client = new VaultClient(vaultClientsettings);
        }
    }
}

我已经通过命令验证了密钥确实存在。vault kv list secret/输出:

λ vault kv list secret/  
Keys  
----  
creds

我还仔细检查了政策:

λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","list"]
}

path "secret/data/foo" {
  capabilities = ["read","list"]
}

最后,我使用 Postman 和以下 http 调用验证了 RoleId 和 SecretId(并且传入了正确的):

角色: http: //127.0.0.1
:8200/v1/auth/approle/role/my-role/role-id 秘密: http: //127.0.0.1 :8200/v1/auth/approle/role/my-role /秘密ID

我一直在这里到处乱摸,我什至试着用这个来玩弄``上的参数:

_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("", "secret") // no dice
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("data", "secret") // also no dice

知道我错过了什么吗?

4

1 回答 1

0

经过大量的修补,我终于找到了问题:一般来说是权限问题。

原来密钥在策略文件中,原来是这样的:

λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","list"]
}

path "secret/data/foo" {
  capabilities = ["read","list"]
}

对于初学者来说,第二条路径基本上是垃圾。它在那里是因为当我遵循教程时它被复制了。不过,更重要的是:第一条路径不允许我列出元数据。

最终我将其更改为以下内容:

λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","read","list"]
}

path "secret/*" {
  capabilities = ["create","update","read","list"]
}

他们现在都拥有的事实read/create/update/list并不是这里真正重要的部分——我这样做是为了确保我的 POC 可以做它需要做的一切。这里的重要部分是需要listsecret/*.

一旦我更新了策略,AppRole 身份验证就可以完美运行。

于 2021-03-08T22:45:49.190 回答