hvac/community

Jayaprakash Reddy

@JUSTPERFECT

@GalKrispel-code

missing client token error coming from hashicorp vault code https://github.com/hashicorp/vault/blob/2b0d837d7082479d530e961e35e4fa74d9caad5c/vault/request_handling.go#L126

Note client.auth.aws.configure method makes API call to vault endpoint v1/auth/aws/config. Which requires token with proper policy attached to read that path. This is one time activity to initialize AWS auth method with any region.

But login request client.auth_aws_iam don't require X-Vault-Token header.

For your use case:
Consider enabling AWS auth method with required region using CLI or following API call with valid vault token.

payload.json
{
"access_key": "VKIAJBRHKH6EVTTNXDHA",
"secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj",
"endpoint": "https://sts.eu-west-1.amazonaws.com"
}

$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/aws/config/client

Then use Lambda function to call client.auth_aws_iam without any token as input.

Hope It helps

Gal Krispel

@GalKrispel-code

@JUSTPERFECT thanks! I actually realized that right after I posted this question, got this one working , thanks again!

Greg Maxwell

@gmaxwell94

Need help on how to do the following in hvac.

vault write auth/ldap/groups/tools policies=aws

is this just writing a secret?

Also is there some way to change the default policy for ldap at configurations?

Balder Lindblom

@cellisten

What do you mean by default policy at configuration?

Vox1984

@Vox1984

Hi, I am new to hvac. I am trying just to connect to vault

def main():
    client = hvac.Client(url='https://domain/ui/vault/secrets', token=os.environ['VAULT_TOKEN'], cert=(client_cert_path, client_key_path))
    client.is_authenticated()

I get exception for code snippet above:

requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by
SSLError(SSLError(336445449, '[SSL] PEM lib (_ssl.c:3503)'),))

Any idea whats wrong? bad cert? Should i enable something on vault server side?

I can login with vault login with token above no problem

Vox1984

@Vox1984

Using no certificate and just url and VAULT_TOKEN results in:

requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by
SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

FrankSD

@FrankSD

@Vox1984 did you check certificates configuration on the server?

i really do not think this has anything to do with hvac

Vox1984

@Vox1984

thats strange, I use the same certs for tls as server.

I can connect to port no problem with telnet

but I have still

Error(1, '[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:852)'),))

Dustin Heywood

@evilmog

Hey folks, quick question, how hard would it be to extend hvac to support SSH-CA https://www.vaultproject.io/api/secret/ssh and https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates

right now I'm doing super dirty automation with python and making the json directly but it might be handy, or it might be supported and I'm just missing it

joshuak2018

@joshuak2018

Hello

I am having an issue where I try to authenticate with kubernetes with setting useToken to false and it is still trying to use the token to authenticate

Jacob Floyd

@cognifloyd

I need to write unit tests for a stackstorm-vault a simple wrapper around hvac. My pull request for that project just migrates from deprecated hvac APIs to the latest APIs: StackStorm-Exchange/stackstorm-vault#17
Does hvac have anything that could simplify writing these tests? A mock vault or something?

cognifloyd (Jacob Floyd)

@cognifloyd:matrix.org

[m]

testing the matrix bridge

It looks like there is some good test infra, but it is not included in the hvac module. So, I think that means I need a git checkout of hvac to reuse any testing scripts/modules/classes.

Jeffrey Hogan

@jeffwecan

@cognifloyd we actually have a very old issue covering the same sort of thought: hvac/hvac#99

I'm hoping to find some time for hvac development work in earnest again soon so I'll take a look at it again if I'm able :)

cognifloyd (Jacob Floyd)

@cognifloyd:matrix.org

[m]

Sounds good. For now here's my hack to "include" the relevant parts of the hvac test infra in my own tests: https://github.com/StackStorm-Exchange/stackstorm-vault/pull/19/files#diff-bb41de0f7374b35eb53e4a61947b5aedc01637405fa4a748c1a9aac1180ba250

Scott Hall

@schall8

I'm trying to create an approle using hvac the follwing vault client command works:
vault write -ns=private_cloud/blue auth/approle/role/111111_itg_appwriter token_policies="0111111_itg_appwriter"

I couldn't find a special call in the hvac for approles so i tried just doing a client.write as follwing:
path = f"auth/approle/role/{pol_appreader}_auth"
values = f"token_policies=\"{pol_appreader}\" token_ttl=1h token_max_ttl=24h secret_id_ttl=24h"
result = client.write( path, values,)

But I get an error for invalid duration, has anyone used hvac to write approles? Any help would be great.
hvac.exceptions.InvalidRequest: error parsing X-Vault-Wrap-TTL header: time: invalid duration token_policies="211395_dev_appreader" token_ttl=1h token_max_ttl=24h secret_id_ttl=24h, on post https://<server>/v1/auth/approle/role/211395_dev_appreader_auth

Chri100pher

@Chri100pher

Hi, I think i have found a small issue in hvac aws secrets_engines"
'/v1/{mount_point}/roles/{name}',
https://github.com/hvac/hvac/blob/3caf8eb2408b0ff7ea7828dd0804916abb2fcb23/hvac/api/secrets_engines/aws.py#L242
Shouldn’t the path point to "role" instead of "roles" when we are using read_role ?

Pavan Patharde

@ppathard

Hi All hvac is working well with vault in 1.18 k8s where as does not work with 1.15... Any thing to keep in mind?

Pavan Patharde

@ppathard

v1/sys/in it

Ash

@abelmokadem

Hi all, we have a library that is an extension of hvac and I'm wondering if there is room to move some, maybe all of the code into hvac? It is considered "higher level" functionality over the api. Anyone here to discuss this? Link to code: https://github.com/schubergphilis/hashivaultlib/blob/master/hashivaultlib/hashivaultlib.py

thehilll

@thehilll

Sorry if I'm missing something obvious, but I'm trying to address this deprecation when creating an orphan token:

DeprecationWarning: Call to deprecated function 'create_token'. This method will be removed in version '1.0.0' Please use the 'create' method on the 'hvac.api.auth_methods.token' class moving forward.

where the old create_token call specifies orphan=True. Looking at auth.token.create there is a no_parent argument and a note in the comments:

Certain options are only available when called by a root token. If used via the /auth/token/create-orphan endpoint, a root token is not required to create an orphan token (otherwise set with the no_parent option).

I am not using a root token here, but I don't see how to specify the create-orphan endpoint. With the old function it would branch to using that endpoint if orphan was True, but I don't see any way to do that with the new one.

Mohit Kumar Sharma

@mksha

Hi Guys

i am not able to login using kubernwtes method

can someone help me ?

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='vault.vaultexxxx.com', port=443): Max retries exceeded with url: /v1/auth/kubernetes/login (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f4d1dc1b0d0>: Failed to establish a new connection: [Errno 111] Connection refused’

Tobias Macey

@blarghmatey

I'm working on scripting the initialization of a Vault cluster configured to use the auto-unseal mechanism with AWS KMS. I am able to initialize the cluster, but when I then try to enable a userpass auth backend it throws an error about the cluster being sealed. I tried adding a while client.sys.is_sealed() loop but that doesn't seem to have any effect. How have folks managed that flow? I'm trying to do this in the context of bootstrapping the cluster to hand off to Pulumi/Terraform

Casey Reed

@CPCJ79

havent seen recent movement in this room, using hvac==0.11.2 and when I attempt to run my hvac.client.auth.aws.configure to point to the correct regional sts endpoint, I always get a 'missing client token' error. I am attempting to authenticate via credentials fetched from the boto3.session() and consistently get this single error. I am authenticating to aws via a namespace specified in my hvac.client. anyone else down this rabbit hole?

Mike H

@mhexp

Hi, is there interest in a PR for Vault password policies (create/read/delete) and password generation? Seems to be missing at present.

Jerry Wiltse

@solvingj

Hi I'm using client for first time to do simple key read from an enterprise server and getting 404. It looks like it's using the following URL from the logs: https://server/v1/secret/data/mypath. But, looking at our working CURL, the https://server/v1/<my_namespace>/data/mypath. I initialized the client with client = hvac.Client(namespace=my_namespace, ...) and it seems to have no effect. Any ideas?

It's also troubling that I'm calling client.secrets.kv.v2.read_secret_version and the URL in the error clearly shows /v1

Jerry Wiltse

@solvingj

ok, so it's a mount_point

praneeth papishetty

@ppapishe

Hello all. hope everyone is doing good.
Anyone know a good way to mock the vault client for a unit test using pytests?
I tried https://stackoverflow.com/questions/54326123/how-to-mock-vault-hvac-client-method but I am getting below error
AttributeError: 'NoneType' object has no attribute 'read'

my code is not recognize the read method

Rhituraj Sen

@RSE132

I am looking for a help list all secrets name using python... any help would be appreciated

Where communities thrive

People

Repo info

Activity