@cellisten May I ask how you secure Vault tokens in your project? Our Vault auth tokens are set to expire every 8 hours, so we have to fetch a new token programmatically.
So the next time the token expires, do we need to enter our access credentials and fetch a new token?
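One way to handle an 8-hour token lifetime without a human re-entering credentials, as an added example that is not code from this thread: the process keeps the token only in memory, renews it shortly before expiry while Vault still allows renewal, and falls back to a fresh login from the workload's own identity when renewal is refused. Vault calls are injected as callables so the logic runs offline; the hvac methods one would pass in a Lambda (assumed names) are client.auth.aws.iam_login(...) for `login` and client.auth.token.renew_self for `renew`. FakeVault and the timeline are constructed.

```python
"""Keep a Vault token valid in-process without a human re-entering credentials.

Added example, not code from the thread. Vault calls are injected as callables so
the logic runs offline; in a Lambda you would pass (assumed hvac method names)
client.auth.aws.iam_login(...) as `login` and client.auth.token.renew_self as
`renew`. Nothing is written to disk: the token lives only in memory.
"""
import time


class TokenKeeper:
    """Hands out a valid token, renewing it shortly before expiry and
    re-authenticating when renewal is refused (max TTL reached, token revoked)."""

    def __init__(self, login, renew, clock=time.time, refresh_margin=300):
        self._login = login            # () -> Vault 'auth' block (client_token, lease_duration, renewable)
        self._renew = renew            # (token) -> Vault 'auth' block, raises if Vault refuses
        self._clock = clock
        self._margin = refresh_margin  # seconds before expiry at which we act
        self.token = None
        self._expires_at = 0.0
        self._renewable = False

    def _adopt(self, auth):
        self.token = auth['client_token']
        self._renewable = bool(auth.get('renewable'))
        self._expires_at = self._clock() + float(auth['lease_duration'])

    def get_token(self):
        now = self._clock()
        if self.token is not None and now < self._expires_at - self._margin:
            return self.token                         # still comfortably valid
        if self.token is not None and self._renewable and now < self._expires_at:
            try:
                self._adopt(self._renew(self.token))  # extend the same token
                return self.token
            except Exception:
                pass                                  # fall through to a fresh login
        self._adopt(self._login())
        return self.token


class FakeVault:
    """Constructed stand-in for a Vault server: issues renewable 8-hour tokens
    (the TTL from the thread) and allows one renewal before hitting max TTL."""

    def __init__(self):
        self.logins = 0
        self.renewals = 0

    def login(self):
        self.logins += 1
        return {'client_token': f's.login{self.logins}', 'renewable': True, 'lease_duration': 8 * 3600}

    def renew_self(self, token):
        self.renewals += 1
        if self.renewals > 1:
            raise RuntimeError('token has reached its max TTL')
        return {'client_token': token, 'renewable': True, 'lease_duration': 8 * 3600}


def simulate():
    """Walk a fake clock through one day; returns (time, token, logins, renewals) per step."""
    clock = [0.0]
    vault = FakeVault()
    keeper = TokenKeeper(vault.login, vault.renew_self, clock=lambda: clock[0])
    timeline = []
    for t in (0, 1000, 8 * 3600 - 100, 57500 - 100, 24 * 3600):
        clock[0] = float(t)
        timeline.append((t, keeper.get_token(), vault.logins, vault.renewals))
    return timeline


if __name__ == '__main__':
    for entry in simulate():
        print('t=%6d token=%-10s logins=%d renewals=%d' % entry)
```

The point of the design is that no long-lived credential is stored anywhere: with the AWS auth method the login step only needs the Lambda's IAM identity, so expiry is handled by the code path rather than by a person.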
Hey guys, I need help on this, please!
I'm facing the below error when I try to connect and read a value from Vault. Please help.
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool Max retries exceeded with url: /xyz Caused by SSLError(SSLError(336445449, '[SSL] PEM lib (_ssl.c:3503)
Code:
import hvac

addr = 'https://vault.example.com:8200'  # placeholder Vault address
path = 'secret/xyz'                       # placeholder secret path
# verify=True uses the system CA store (or pass a PEM CA bundle path); cert must be a PEM certificate/key pair
client = hvac.Client(url=addr, verify=True, cert=('client_cert.pem', 'client_key.pem'))
client.read(path)
Environment: Red Hat 7 Linux
Python 3.6
hvac 0.10.5
import os
import boto3
import hvac

credentials = boto3.Session().get_credentials()
client = hvac.Client(url=os.environ['VAULT_ADDR'], namespace=os.environ['VAULT_NAMESPACE'], verify=False)
InvalidRequest: Token is missing on post......
Hi, I'm trying to call the hvac client from AWS Lambda in a non-default region ('eu-west-1').
The following code generates this error: Credential should be scoped to a valid region, not 'eu-west-1'
import hvac
import os


def get_credentials():
    response = {
        'access_key': os.getenv("AWS_ACCESS_KEY_ID"),
        'secret_key': os.getenv("AWS_SECRET_ACCESS_KEY"),
        'session_token': os.getenv("AWS_SESSION_TOKEN")
    }
    return response


client = hvac.Client(url=os.environ.get('VAULT_ADDR'))
credentials = get_credentials()
client.auth_aws_iam(access_key=credentials['access_key'], secret_key=credentials['secret_key'],
                    session_token=credentials['session_token'], header_value=os.environ.get('VAULT_HEADER'),
                    role=os.environ.get('LAMBDA_ROLE_NAME'), use_token=True, region=os.environ.get('REGION_NAME')
                    )
That error makes sense, since my function isn't in the AWS default region. According to the documentation here: https://hvac.readthedocs.io/en/latest/usage/auth_methods/aws.html#caveats-for-non-default-aws-regions
using client.auth.aws.configure prior to client.auth_aws_iam should do the trick, so I tried the following:
import hvac
import os


def get_credentials():
    response = {
        'access_key': os.getenv("AWS_ACCESS_KEY_ID"),
        'secret_key': os.getenv("AWS_SECRET_ACCESS_KEY"),
        'session_token': os.getenv("AWS_SESSION_TOKEN")
    }
    return response


client = hvac.Client(url=os.environ.get('VAULT_ADDR'))
credentials = get_credentials()
# double quotes inside the f-string: nesting the same quote type is a SyntaxError before Python 3.12
client.auth.aws.configure(access_key=credentials['access_key'], secret_key=credentials['secret_key'],
                          endpoint=f'https://sts.{os.environ.get("REGION_NAME")}.amazonaws.com')
client.auth_aws_iam(access_key=credentials['access_key'], secret_key=credentials['secret_key'],
                    session_token=credentials['session_token'], header_value=os.environ.get('VAULT_HEADER'),
                    role=os.environ.get('LAMBDA_ROLE_NAME'), use_token=True, region=os.environ.get('REGION_NAME')
                    )
which apparently fails when trying to configure, with the following error: missing client token. I went through the actual function and wasn't sure where the client token should go, as this function does not require a token.
Not really sure what to do here, any ideas?
@GalKrispel-code The missing client token error is coming from the HashiCorp Vault code: https://github.com/hashicorp/vault/blob/2b0d837d7082479d530e961e35e4fa74d9caad5c/vault/request_handling.go#L126
Note that the client.auth.aws.configure method makes an API call to the Vault endpoint v1/auth/aws/config, which requires a token with the proper policy attached to read that path. This is a one-time activity to initialize the AWS auth method with any region.
But the login request client.auth_aws_iam doesn't require the X-Vault-Token header.
For your use case:
Consider enabling the AWS auth method with the required region using the CLI, or with the following API call with a valid Vault token.
payload.json:
{
  "access_key": "VKIAJBRHKH6EVTTNXDHA",
  "secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj",
  "endpoint": "https://sts.eu-west-1.amazonaws.com"
}
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/aws/config/client
Then use the Lambda function to call client.auth_aws_iam without any token as input.
Hope it helps.
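To make the region error and the configure/login split above concrete, here is an added example (not hvac's or Vault's code) that re-implements the documented AWS IAM login scheme with only the standard library: the client signs an sts:GetCallerIdentity request with SigV4 and sends it, base64-encoded, to /v1/auth/aws/login with no Vault token; Vault then replays that request to the STS endpoint it has been configured with. The credential scope of the signature names the region, which is why a signature made for eu-west-1 is only valid against an eu-west-1 STS endpoint, and why the one-time, token-bearing config/client call is needed. Access key, secret, session token, role, server id and timestamp are constructed placeholders.

```python
"""Build the payload Vault's AWS IAM auth method verifies on login, showing
where the region enters.

Added example; not hvac's or Vault's code. It re-implements the documented
login scheme (POST /v1/auth/aws/login carrying a SigV4-signed
sts:GetCallerIdentity request) with the standard library so it runs offline.
All keys, tokens and the timestamp below are constructed placeholders.
"""
import base64
import datetime
import hashlib
import hmac
import json

STS_BODY = 'Action=GetCallerIdentity&Version=2011-06-15'
EXAMPLE_TIME = datetime.datetime(2020, 6, 1, 12, 0, 0)   # fixed so output is reproducible


def _hmac(key, msg):
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()


def sign_get_caller_identity(access_key, secret_key, region, session_token=None,
                             server_id=None, now=None):
    """Return (url, headers) for a SigV4-signed GetCallerIdentity request.

    The credential scope is date/REGION/sts/aws4_request, so Vault can only
    validate it by forwarding to an STS endpoint of that same region, which is
    what auth/aws/config/client's `endpoint` (hvac: client.auth.aws.configure) sets.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime('%Y%m%dT%H%M%SZ')
    date_stamp = now.strftime('%Y%m%d')
    host = f'sts.{region}.amazonaws.com'
    url = f'https://{host}/'
    headers = {
        'Host': host,
        'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8',
        'X-Amz-Date': amz_date,
    }
    if session_token:                       # temporary credentials (Lambda) must carry it
        headers['X-Amz-Security-Token'] = session_token
    if server_id:                           # bound to the auth method's iam_server_id_header_value
        headers['X-Vault-AWS-IAM-Server-ID'] = server_id

    ordered = sorted((k.lower(), v.strip()) for k, v in headers.items())
    canonical_headers = ''.join(f'{k}:{v}\n' for k, v in ordered)
    signed_headers = ';'.join(k for k, _ in ordered)
    payload_hash = hashlib.sha256(STS_BODY.encode('utf-8')).hexdigest()
    canonical_request = '\n'.join(['POST', '/', '', canonical_headers, signed_headers, payload_hash])

    scope = f'{date_stamp}/{region}/sts/aws4_request'
    string_to_sign = '\n'.join(['AWS4-HMAC-SHA256', amz_date, scope,
                                hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()])
    k_signing = _hmac(_hmac(_hmac(_hmac(('AWS4' + secret_key).encode('utf-8'), date_stamp),
                                  region), 'sts'), 'aws4_request')
    signature = hmac.new(k_signing, string_to_sign.encode('utf-8'), hashlib.sha256).hexdigest()
    headers['Authorization'] = (f'AWS4-HMAC-SHA256 Credential={access_key}/{scope}, '
                                f'SignedHeaders={signed_headers}, Signature={signature}')
    return url, headers


def credential_scope(headers):
    """Extract 'date/region/sts/aws4_request' from the Authorization header."""
    credential = headers['Authorization'].split('Credential=')[1].split(',')[0]
    return credential.split('/', 1)[1]


def vault_iam_login_payload(role, url, headers):
    """Encode the signed request the way /v1/auth/aws/login expects it (no Vault token needed)."""
    def b64(text):
        return base64.b64encode(text.encode('utf-8')).decode('ascii')
    return {
        'role': role,
        'iam_http_request_method': 'POST',
        'iam_request_url': b64(url),
        'iam_request_body': b64(STS_BODY),
        'iam_request_headers': b64(json.dumps({k: [v] for k, v in headers.items()})),
    }


def decode_login_payload(payload):
    """What Vault sees after decoding: the (url, body, headers) it replays to STS."""
    def b64d(text):
        return base64.b64decode(text).decode('utf-8')
    return (b64d(payload['iam_request_url']), b64d(payload['iam_request_body']),
            json.loads(b64d(payload['iam_request_headers'])))


if __name__ == '__main__':
    url, hdrs = sign_get_caller_identity('AKIAEXAMPLE', 'secretEXAMPLE', 'eu-west-1',
                                         session_token='tokenEXAMPLE', server_id='vault.example.com',
                                         now=EXAMPLE_TIME)
    print('scope:', credential_scope(hdrs))       # 20200601/eu-west-1/sts/aws4_request
    print(json.dumps(vault_iam_login_payload('lambda-role', url, hdrs), indent=2))
```

Running it shows the two halves of the fix in the thread: the login payload carries no X-Vault-Token (so the Lambda needs none), while the region baked into the scope has to match the STS endpoint that the token-bearing, one-time config/client call stored on the server.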
import os

import hvac

client_cert_path = 'client_cert.pem'  # placeholder paths to the PEM client certificate and key
client_key_path = 'client_key.pem'


def main():
    # hvac appends /v1/... to `url`, so it is expected to be the Vault API root
    client = hvac.Client(url='https://domain/ui/vault/secrets', token=os.environ['VAULT_TOKEN'], cert=(client_cert_path, client_key_path))
    client.is_authenticated()
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by SSLError(SSLError(336445449, '[SSL] PEM lib (_ssl.c:3503)'),))
vault login with the token above: no problem
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
Error(1, '[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:852)'),))
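Both "[SSL] PEM lib" reports in this thread (the first poster's cert=(truststore file, keystore file) and the main() above) are the error OpenSSL gives when a file it is asked to parse as PEM is something else. As an added example, not hvac's code, the pre-flight check below inspects the three files before any connection: hvac hands `verify` and `cert` straight to requests, which expects `verify` to be True or a PEM CA bundle path and `cert` to be a (PEM certificate, PEM private key) pair, so a Java truststore/keystore (JKS, PKCS#12) or a DER file in either slot fails exactly this way. The magic-byte table and the constructed sample files in demo() are this example's own assumptions.

```python
"""Pre-flight check of the TLS files handed to hvac.Client(verify=..., cert=...).

Added example for the "[SSL] PEM lib" errors in this thread; not hvac's code.
requests (which hvac uses) expects `verify` to be True or a PEM CA bundle path
and `cert` to be a (PEM certificate, PEM private key) pair. JKS, PKCS#12 or DER
files make OpenSSL fail with that PEM error, so this checks the files first.
The magic-byte table below is an assumption of this example.
"""
import os
import ssl
import tempfile

PEM_MARKER = b'-----BEGIN '
MAGIC = (
    (b'\xfe\xed\xfe\xed', 'Java keystore (JKS); export the entry to PEM first'),
    (b'\x30\x82', 'DER or PKCS#12 data; convert with openssl x509 -inform der / openssl pkcs12 -nodes'),
)


def describe_file(path):
    """Return None if the file looks like PEM, otherwise a readable reason."""
    if not os.path.isfile(path):
        return f'{path}: file not found'
    with open(path, 'rb') as fh:
        head = fh.read(64)
    if head.lstrip().startswith(PEM_MARKER):
        return None
    for magic, reason in MAGIC:
        if head.startswith(magic):
            return f'{path}: {reason}'
    return f'{path}: not PEM (expected a line starting with "-----BEGIN")'


def preflight(ca_bundle, client_cert, client_key):
    """Return a list of problems; an empty list means OpenSSL accepted all three files."""
    problems = [p for p in map(describe_file, (ca_bundle, client_cert, client_key)) if p]
    if problems:
        return problems
    try:
        ctx = ssl.create_default_context(cafile=ca_bundle)  # what verify=<path> becomes
        ctx.load_cert_chain(client_cert, client_key)        # what cert=(crt, key) becomes
    except OSError as exc:                                  # ssl.SSLError is an OSError
        problems.append(f'OpenSSL rejected the material: {exc}')
    return problems


def demo():
    """Constructed inputs: a fake JKS truststore, a fake PKCS#12 keystore and a
    PEM-framed but meaningless certificate; returns both pre-flight results."""
    workdir = tempfile.mkdtemp()
    samples = {
        'truststore.jks': b'\xfe\xed\xfe\xed\x00\x00\x00\x02',
        'keystore.p12': b'\x30\x82\x05\x00\x02\x01\x03',
        'bogus.pem': b'-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n',
    }
    paths = {}
    for name, data in samples.items():
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], 'wb') as fh:
            fh.write(data)
    return {
        'java_style': preflight(paths['truststore.jks'], paths['keystore.p12'], paths['keystore.p12']),
        'pem_but_bogus': preflight(paths['bogus.pem'], paths['bogus.pem'], paths['bogus.pem']),
    }


if __name__ == '__main__':
    for case, problems in demo().items():
        print(case)
        for problem in problems:
            print('  -', problem)
```

Run preflight() on the real paths before constructing the client; an empty result means the PEM loading that requests does for `verify` and `cert` will succeed, leaving only server-side causes (such as the CERTIFICATE_VERIFY_FAILED case above, where the CA bundle simply does not include the issuer of the server's certificate) to chase.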