我一直试图通过 API 简单地列出我的 KeyValue Vault 中的秘密,并且我使用 AppRole auth 获得“权限被拒绝”。这是我到目前为止所拥有的。
呼叫者
private async Task RetrieveSecrets()
{
// Fails here, though it's the actual service method that fails (see below)
List<string> secrets = (await _vaultService.GetSecretsList()).ToList();
AvailableSecrets.Clear();
foreach (string secret in secrets)
{
AvailableSecrets.Add(secret);
}
}
保险柜服务
internal class VaultService : IVaultService
{
private IVaultClient _client;
public VaultService(IOptions<ApplicationSettings> applicationSettings)
{
CreateClient(applicationSettings.Value);
}
public async Task<IEnumerable<string>> GetSecretsList()
{
Secret<ListInfo> secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret");
ListInfo secrets = secret.Data;
return secrets.Keys;
}
private void CreateClient(ApplicationSettings settings, bool forceRecreate = false)
{
if (_client == null || forceRecreate)
{
// Role authorization
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(settings.VaultRoleId, settings.VaultSecretId);
VaultClientSettings vaultClientsettings = new VaultClientSettings(settings.VaultUrl, authMethod);
_client = new VaultClient(vaultClientsettings);
}
}
}
我已经通过命令验证了密钥确实存在。vault kv list secret/
输出:
λ vault kv list secret/
Keys
----
creds
我还仔细检查了政策:
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
capabilities = ["create", "update","list"]
}
path "secret/data/foo" {
capabilities = ["read","list"]
}
最后,我使用 Postman 和以下 http 调用验证了 RoleId 和 SecretId(并且传入了正确的):
角色: http: //127.0.0.1
:8200/v1/auth/approle/role/my-role/role-id
秘密: http: //127.0.0.1 :8200/v1/auth/approle/role/my-role /秘密ID
我一直在这里到处乱摸,我什至试着用这个来玩弄``上的参数:
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("", "secret") // no dice
_client.V1.Secrets.KeyValue.V2ReadSecretPathsAsync("data", "secret") // also no dice
知道我错过了什么吗?