Hashicorp Vaultsharp权限被拒绝错误

Question

误差

System.Exception:保险库配置失败:发生了一个或多个错误。({“错误”：“1发生错误：\n\t*权限拒绝\n\n”})( VaultConnection.VaultExtensions.AddVaultKeys.GetValutKeyValuePairs(IConfiguration buildConfig) )

摘要

使用AppRoleAuthMethodInfo方法从Hashicorp读取键值会导致me -权限拒绝错误.下面提到的一小段代码来描述这个问题。

这里是代码片段:

IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(buildConfig["vault:roleid"], buildConfig["vault:secretid"]);

var VaultClientSettings = new VaultClientSettings(buildConfig["vault:address"], authMethod);

IVaultClient vaultClient = new VaultClient(VaultClientSettings);

 // Token Apis.
var callingTokenInfo = vaultClient.V1.Auth.Token.LookupSelfAsync().Result;

var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1
                        .ReadSecretAsync(buildConfig["vault:path"])
                        .Result.Data;

---> It throws error at this point and failed to execute the above line var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1.........

DisplayJson(callingTokenInfo)输出

此令牌的{"request_id":"e5e71c03-6972-12ff-9e30-d42c8e2f188a"，"lease_id":"“、”可再生“：false、"lease_duration":0、"data":{"accessor":"FuLTEKwYmJ2IGZyDwvCmJ1Vm"，"explicit_max_ttl":0、”可再生“：true、"creation_time":1591617019、"creation_ttl":2764800、”孤儿“：true、"ttl":2764799、"type":"service"，“id”：“s.6GJAbWxQU82cm1K7ajcSgv 5”，“策略”：“默认”，"sqlconnection"，"meta":{"role_name":"sqlconnectionrole"}，“path”：“auth/null/login”，“display_name”：“null”，"num_uses":0，identity_policies:null，"issue_time":"2020-06-08T17:20:19.2386078+05:30"}，"wrap_info":null，“警告”：null，"auth":null}

除此之外，还有创建策略和与角色关联的步骤。

1. vault secrets enable -path=devkv kv
2. vault kv put devkv/connection timeout=120 source=DATA
3. vault policy write sqlconnection sqlconnection.hcl
4. Output of the policy created: - vault policy read sqlconnection

路径"devkv/*“{= "create”、"read“、"update”、"delete“、"list”}

路径"devkv/appId*“{ capabilities = "create”、"read“、"update”、"delete“、"list”}

5. vault auth enable approle
6.  vault write auth/approle/role/sqlconnectionrole policies=default,sqlconnection
7. vault read auth/approle/role/sqlconnectionrole/role-id
8. vault write -f auth/approle/role/sqlconnectionrole/secret-id

If I test this through a command line, I am able to access the keys
9. vault write auth/approle/login role_id="1a5aa9a5-9d79-5743-de-9dca0433dc77" secret_id="138ec92b-02c8-610d-109b-3f325e29be"

第9步执行的命令的输出

Received a token from this command. Login with this token to check whether or not keys associated with sqlconnection role can be read and I was successfully able to read the value.
> PS C:\WINDOWS\system32> vault write auth/approle/login role_id="1a5aa9a5-9d79-5743-3cde-9dca0433dc77" secret_id="138ec92b-02c8-610d-109b-3f325e29bef0"
> Key                     Value
> ---                     -----
> token                   s.g5NfR7DJLSD9hp1amXCvp92I
> token_accessor          u5raQKxARuAjluywS1SatFuy
> token_duration          768h
> token_renewable         true
> token_policies          ["default" "sqlconnection"]
> identity_policies       []
> policies                ["default" "sqlconnection"]
> token_meta_role_name    sqlconnectionrole
> PS C:\WINDOWS\system32> vault login s.g5NfR7DJLSD9hp1amXCvp92I
> WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
> over the value set by this command. To use the value set by this command,
> unset the VAULT_TOKEN environment variable or set it to the token displayed
> below.
> 
> Success! You are now authenticated. The token information displayed below
> is already stored in the token helper. You do NOT need to run "vault login"
> again. Future Vault requests will automatically use this token.
> 
> Key                     Value
> ---                     -----
> token                   s.g5NfR7DJLSD9hp1amXCvp92I
> token_accessor          u5raQKxARuAjluywS1SatFuy
> token_duration          767h59m35s
> token_renewable         true
> token_policies          ["default" "sqlconnection"]
> identity_policies       []
> policies                ["default" "sqlconnection"]
> token_meta_role_name    sqlconnectionrole
> 
> PS C:\WINDOWS\system32> vault kv get devkv/connection
> ===== Data =====
> Key        Value
> source     DATA
> timeout    120

>

Answer 1

你的坐骑和关键路线混在一起了。将它们分开如下：

var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1
   .ReadSecretAsync("connection", "devkv").Result.Data;