Balder Lindblom
@cellisten
@Rammurthy5 It depends on which token you want to renew: the calling token (self) or another token (without self).
RAMMURTY S
@Rammurthy5
@cellisten thanks.

@cellisten May I ask how you secure Vault tokens in your project? Our Vault auth tokens are set to expire every 8 hours, so we have to fetch a new token programmatically.

So the next time the token expires, do we need to enter our access credentials and fetch a new token?

Balder Lindblom
@cellisten
@Rammurthy5 I prefer tokens with a shorter expiry, and then I copy a token from the GUI when needed. For automated tasks I use app roles rather than tokens for access.
RAMMURTY S
@Rammurthy5
@cellisten Can you elaborate a bit more on "For automated tasks I use app roles rather than tokens for access"
Balder Lindblom
@cellisten
Do you know what app roles are?
RAMMURTY S
@Rammurthy5
Sorry, no
Balder Lindblom
@cellisten
There are several authentication methods in Vault: LDAP, Kubernetes service accounts, app roles and tokens, to name a few. Use the one most suited to the task at hand.
RAMMURTY S
@Rammurthy5
@cellisten thanks.
FrankSD
@FrankSD
Can anyone please help? I am using Vault with AWS, but every time I try to log in I keep getting "missing TOKEN", though I can see the TOKEN when I print it on the console.
Balder Lindblom
@cellisten
@FrankSD please provide more context. What is the actual command you are running?
RAMMURTY S
@Rammurthy5

Hey guys, I need help on this, please!
I'm facing the below error when I try to connect and read a value from Vault. Please help.

```
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool Max retries exceeded with url: /xyz Caused by SSLError(SSLError(336445449, '[SSL] PEM lib (_ssl.c:3503)
```

Code

```python
import hvac

# addr, path, truststore_file and keystore_file are placeholders for the values used in the original snippet.
# requests' cert= parameter expects a (client certificate, private key) pair of PEM-encoded files;
# verify=True validates the server certificate against the default CA bundle.
client = hvac.Client(url=addr, verify=True, cert=(truststore_file, keystore_file))
client.read(path)
```

Environment: Red Hat 7 Linux
Python 3.6
hvac 0.10.5

FrankSD
@FrankSD
@cellisten I am using the code below:

```python
import os

import boto3
import hvac

# Pull the AWS credentials from the Lambda/instance environment via boto3
credentials = boto3.Session().get_credentials()
# verify=False disables TLS certificate verification, as in the original snippet
client = hvac.Client(url=os.environ['VAULT_ADDR'], namespace=os.environ['VAULT_NAMESPACE'], verify=False)
```
FrankSD
@FrankSD
```python
# Log in to the AWS auth method using the IAM credentials obtained above
client.auth.aws.iam_login(credentials.access_key, credentials.secret_key,
                          session_token=credentials.token, role="ROLE_NAME")
```

I am getting InvalidRequest: Token is missing on post...
Can anyone please help? Thanks.
Balder Lindblom
@cellisten
Do you get any output when printing your credentials?
FrankSD
@FrankSD
@cellisten yes i do
Balder Lindblom
@cellisten
When checking out the documentation, role doesn't seem to be used with the boto3 session:
https://hvac.readthedocs.io/en/stable/usage/auth_methods/aws.html#boto3-session
Could you also try either specifying all input variables (access_key=, secret_key= and session_token=) or none (as per the documentation)?
Gal Krispel
@GalKrispel-code

Hi, I'm trying to call the hvac client from AWS Lambda in a non-default region ('eu-west-1').
The following code generates this error: Credential should be scoped to a valid region, not 'eu-west-1'

```python
import os

import hvac


def get_credentials():
    # The Lambda runtime exposes the execution role's credentials as environment variables
    return {
        'access_key': os.getenv("AWS_ACCESS_KEY_ID"),
        'secret_key': os.getenv("AWS_SECRET_ACCESS_KEY"),
        'session_token': os.getenv("AWS_SESSION_TOKEN"),
    }


client = hvac.Client(url=os.environ.get('VAULT_ADDR'))
credentials = get_credentials()
client.auth_aws_iam(access_key=credentials['access_key'], secret_key=credentials['secret_key'],
                    session_token=credentials['session_token'], header_value=os.environ.get('VAULT_HEADER'),
                    role=os.environ.get('LAMBDA_ROLE_NAME'), use_token=True, region=os.environ.get('REGION_NAME'))
```

That error makes sense, since my function isn't in the AWS default region. According to the documentation here: https://hvac.readthedocs.io/en/latest/usage/auth_methods/aws.html#caveats-for-non-default-aws-regions
using client.auth.aws.configure prior to client.auth_aws_iam should do the trick, so I tried the following:

```python
import os

import hvac


def get_credentials():
    # The Lambda runtime exposes the execution role's credentials as environment variables
    return {
        'access_key': os.getenv("AWS_ACCESS_KEY_ID"),
        'secret_key': os.getenv("AWS_SECRET_ACCESS_KEY"),
        'session_token': os.getenv("AWS_SESSION_TOKEN"),
    }


client = hvac.Client(url=os.environ.get('VAULT_ADDR'))
credentials = get_credentials()
region = os.environ.get('REGION_NAME')
# Point the AWS auth method at the regional STS endpoint before logging in
client.auth.aws.configure(access_key=credentials['access_key'], secret_key=credentials['secret_key'],
                          endpoint=f'https://sts.{region}.amazonaws.com')
client.auth_aws_iam(access_key=credentials['access_key'], secret_key=credentials['secret_key'],
                    session_token=credentials['session_token'], header_value=os.environ.get('VAULT_HEADER'),
                    role=os.environ.get('LAMBDA_ROLE_NAME'), use_token=True, region=region)
```

which apparently fails when trying to configure, because of the following error: missing client token. I went through the actual function and wasn't sure where the client token should go, as this function does not require a token.

Not really sure what to do here, any ideas?

powellquiring
@powellquiring
I'm a newbie, using 0.10.5. Client.is_initialized() is deprecated? It suggests using api.SystemBackend, which takes an adapter as a param? What is an adapter? TIA
Jayaprakash Reddy
@JUSTPERFECT

@GalKrispel-code

The missing client token error is coming from the HashiCorp Vault code: https://github.com/hashicorp/vault/blob/2b0d837d7082479d530e961e35e4fa74d9caad5c/vault/request_handling.go#L126

Note that the client.auth.aws.configure method makes an API call to the Vault endpoint v1/auth/aws/config, which requires a token with a proper policy attached to read that path. This is a one-time activity to initialize the AWS auth method with any region.

But the login request client.auth_aws_iam doesn't require an X-Vault-Token header.

For your use case:
Consider enabling the AWS auth method with the required region using the CLI or the following API call with a valid Vault token.

payload.json

```json
{
  "access_key": "VKIAJBRHKH6EVTTNXDHA",
  "secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj",
  "endpoint": "https://sts.eu-west-1.amazonaws.com"
}
```

```shell
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/aws/config/client
```

Then use the Lambda function to call client.auth_aws_iam without any token as input.

Hope it helps.

Gal Krispel
@GalKrispel-code
@JUSTPERFECT thanks! I actually realized that right after I posted this question and got this one working. Thanks again!
Greg Maxwell
@gmaxwell94
Need help on how to do the following in hvac:

```shell
vault write auth/ldap/groups/tools policies=aws
```

Is this just writing a secret?
Also, is there some way to change the default policy for LDAP at configuration?
Balder Lindblom
@cellisten
What do you mean by default policy at configuration?
Vox1984
@Vox1984
Hi, I am new to hvac. I am trying just to connect to Vault:

```python
import os

import hvac


def main():
    # client_cert_path and client_key_path are placeholders for the certificate and key files used in the original snippet
    client = hvac.Client(url='https://domain/ui/vault/secrets', token=os.environ['VAULT_TOKEN'],
                         cert=(client_cert_path, client_key_path))
    client.is_authenticated()
```

I get an exception for the code snippet above:

```
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by SSLError(SSLError(336445449, '[SSL] PEM lib (_ssl.c:3503)'),))
```

Any idea what's wrong? Bad cert? Should I enable something on the Vault server side?
I can log in with vault login using the token above, no problem.
Vox1984
@Vox1984
Using no certificate and just the URL and VAULT_TOKEN results in:

```
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
```
FrankSD
@FrankSD
@Vox1984 did you check the certificate configuration on the server?
I really do not think this has anything to do with hvac.
Vox1984
@Vox1984
That's strange, I use the same certs for TLS as the server.
I can connect to the port no problem with telnet,
but I still have

```
Error(1, '[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:852)'),))
```
Dustin Heywood
@evilmog
Hey folks, quick question: how hard would it be to extend hvac to support SSH-CA? https://www.vaultproject.io/api/secret/ssh and https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates
Right now I'm doing super dirty automation with Python and making the JSON directly, but it might be handy, or it might be supported and I'm just missing it.
joshuak2018
@joshuak2018
Hello,
I am having an issue where I try to authenticate with Kubernetes with useToken set to false, and it is still trying to use the token to authenticate.