Hashicorp VaultSharp permission denied error.

Question (votes: 0, answers: 1)

Error

System.Exception: Vault configuration failed. One or more errors occurred. ({"errors":["1 error occurred:\n\t* permission denied\n\n"]} ) at VaultConnection.VaultExtensions.AddVaultKeys.GetValutKeyValuePairs(IConfiguration buildConfig) in C:Users/48013/Source/Repos/sample/Vault1/VaultConnection/VaultExtensions/AddVaultKeys.cs:line 67 at VaultConnection.Startup.ConfigureServices(IServiceCollection services) in VaultConnection.Startup.ConfigureServices(IServiceCollection services).

Summary

Reading key values from Hashicorp Vault using the AppRoleAuthMethodInfo method gives me a permission denied error. A short piece of code describing the problem is given below.

Here is the code snippet.

IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(buildConfig["vault:roleid"], buildConfig["vault:secretid"]);

var VaultClientSettings = new VaultClientSettings(buildConfig["vault:address"], authMethod);

IVaultClient vaultClient = new VaultClient(VaultClientSettings);

// Token Apis.
var callingTokenInfo = vaultClient.V1.Auth.Token.LookupSelfAsync().Result;

var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1
                        .ReadSecretAsync(buildConfig["vault:path"])
                        .Result.Data;

---> It throws the error at this point and fails to execute the line above (var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1.........)

DisplayJson(callingTokenInfo) output

The output for this token is: {"request_id":"e5e71c03-6972-12ff-9e30-d42c8e2f188a","lease_id":"","renewable":false,"lease_duration":0,"data":{"accessor":"FuLTEKwYmJ2IGZyDwvCmJ1Vm","explicit_max_ttl":0,"renewable":true,"creation_time":1591617019,"creation_ttl":2764800,"orphan":true,"ttl":2764799,"type":"service","id":"s.6GJMAbWxQU82cm1K7ajcSgv5","policies":["default","sqlconnection"],"meta":{"role_name":"sqlconnectionrole"},"path":"auth/approle/login","display_name":"approle","num_uses":0,"entity_id":"811d33f-e9e5-ac4e-3fbf-9809c0a85b3d","expire_time":"2020-07-10T17:20:19.2386078+05:30","identity_policies":null,"issue_time":"2020-06-08T17:20:19.2386078+05:30"},"wrap_info":null,"warnings":null,"auth":null}

In addition, the steps used to create the policy and associate it with the role are:


1. vault secrets enable -path=devkv kv
2. vault kv put devkv/connection timeout=120 source=DATA
3. vault policy write sqlconnection sqlconnection.hcl
4. Output of the policy created (vault policy read sqlconnection):

path "devkv*" { capabilities = ["create", "read", "update", "delete", "list"] }

path "devkvappId*" { capabilities = ["create", "read", "update", "delete", "list"] }

5. vault auth enable approle
6.  vault write auth/approle/role/sqlconnectionrole policies=default,sqlconnection
7. vault read auth/approle/role/sqlconnectionrole/role-id
8. vault write -f auth/approle/role/sqlconnectionrole/secret-id

If I test this through the command line, I am able to access the keys:
9. vault write auth/approle/login role_id="1a5aa9a5-9d79-5743-de-9dca0433dc77" secret_id="138ec92b-02c8-610d-109b-3f325e29be"


Output of the command executed in step 9

I received a token from this command. I logged in with this token to check whether the keys associated with the sqlconnection role can be read, and I was able to read the value successfully.
> PS C:\WINDOWS\system32> vault write auth/approle/login role_id="1a5aa9a5-9d79-5743-3cde-9dca0433dc77" secret_id="138ec92b-02c8-610d-109b-3f325e29bef0"
> Key                     Value
> ---                     -----
> token                   s.g5NfR7DJLSD9hp1amXCvp92I
> token_accessor          u5raQKxARuAjluywS1SatFuy
> token_duration          768h
> token_renewable         true
> token_policies          ["default" "sqlconnection"]
> identity_policies       []
> policies                ["default" "sqlconnection"]
> token_meta_role_name    sqlconnectionrole
> PS C:\WINDOWS\system32> vault login s.g5NfR7DJLSD9hp1amXCvp92I
> WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
> over the value set by this command. To use the value set by this command,
> unset the VAULT_TOKEN environment variable or set it to the token displayed
> below.
> 
> Success! You are now authenticated. The token information displayed below
> is already stored in the token helper. You do NOT need to run "vault login"
> again. Future Vault requests will automatically use this token.
> 
> Key                     Value
> ---                     -----
> token                   s.g5NfR7DJLSD9hp1amXCvp92I
> token_accessor          u5raQKxARuAjluywS1SatFuy
> token_duration          767h59m35s
> token_renewable         true
> token_policies          ["default" "sqlconnection"]
> identity_policies       []
> policies                ["default" "sqlconnection"]
> token_meta_role_name    sqlconnectionrole
> 
> PS C:\WINDOWS\system32> vault kv get devkv/connection
> ===== Data =====
> Key        Value
> source     DATA
> timeout    120

asp.net-core hashicorp-vault vaultsharp
1 answer

0 votes

Your mount point and key path are mixed together. Separate them as follows.

var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1
    .ReadSecretAsync("connection", "devkv").Result.Data;
