
VaultSharp: "permission denied" when trying to list secrets

Stack Overflow user
Asked on 2021-03-05 18:03:53
1 answer · 1.2K views · 0 followers · 1 vote

I've been trying to simply list the secrets in my KeyValue store via the API, and I'm getting "permission denied" using AppRole auth. Here's what I have so far.

Caller

```csharp
private async Task RetrieveSecrets()
{
    // Fails here, though it's the actual service method that fails (see below)
    List<string> secrets = (await _vaultService.GetSecretsList()).ToList();
    AvailableSecrets.Clear();
    foreach (string secret in secrets)
    {
        AvailableSecrets.Add(secret);
    }
}
```

VaultService

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Extensions.Options;
using VaultSharp;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.AppRole;
using VaultSharp.V1.Commons;

internal class VaultService : IVaultService
{
    private IVaultClient _client;

    public VaultService(IOptions<ApplicationSettings> applicationSettings)
    {
        CreateClient(applicationSettings.Value);
    }

    public async Task<IEnumerable<string>> GetSecretsList()
    {
        // KV v2 list of the root of the "secret" mount
        Secret<ListInfo> secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret");
        ListInfo secrets = secret.Data;
        return secrets.Keys;
    }

    private void CreateClient(ApplicationSettings settings, bool forceRecreate = false)
    {
        if (_client == null || forceRecreate)
        {
            // Role authorization
            IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(settings.VaultRoleId, settings.VaultSecretId);
            VaultClientSettings vaultClientsettings = new VaultClientSettings(settings.VaultUrl, authMethod);

            _client = new VaultClient(vaultClientsettings);
        }
    }
}
```

I've verified that the keys exist with the `vault kv list secret/` command. Output:

```shell
λ vault kv list secret/
Keys
----
creds
```

I've also double-checked the policy:

```shell
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","list"]
}

path "secret/data/foo" {
  capabilities = ["read","list"]
}
```

Finally, I verified the RoleId and SecretId (and that they are being passed in correctly) using Postman and the following HTTP calls:

Role: http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id

Secret: http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id

I've looked all over here, and I've even tried playing with the parameters using this:

```csharp
_client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("", "secret") // no dice
_client.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync("data", "secret") // also no dice
```

Any idea what I'm missing?

1 Answer

Stack Overflow user

Accepted answer

Posted on 2021-03-08 22:45:49

After a lot of fiddling, I finally found the issue: permissions in general.

The key turned out to be in the policy file, which originally looked like this:

```shell
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","list"]
}

path "secret/data/foo" {
  capabilities = ["read","list"]
}
```

First, the second path is basically garbage. It's only there because it was copied over while I was working through the tutorial. More importantly, though: the first path didn't allow me to list the metadata.

In the end, I changed it to:

```shell
λ vault policy read my-policy
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update","read","list"]
}

path "secret/*" {
  capabilities = ["create","update","read","list"]
}
```

The fact that they now all have read/create/update/list isn't really the important part -- I did that to make sure my POC could do everything it needed to. The important part here is that there needs to be `list` permission on `secret/*`.

Once I updated the policy, AppRole auth worked perfectly.

Votes: 0
Original page content provided by Stack Overflow. Translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/66497459
