@GalKrispel-code
`missing client token`
The error comes from the HashiCorp Vault code: https://github.com/hashicorp/vault/blob/2b0d837d7082479d530e961e35e4fa74d9caad5c/vault/request_handling.go#L126
Note that the `client.auth.aws.configure` method makes an API call to the Vault endpoint `v1/auth/aws/config`, which requires a token with a proper policy attached to read that path. This is a one-time activity to initialize the AWS auth method with any region. But the login request `client.auth_aws_iam` doesn't require the `X-Vault-Token` header.
For your use case:
Consider enabling the AWS auth method with the required region using the CLI or the following API call with a valid vault token.

payload.json
```json
{
  "access_key": "VKIAJBRHKH6EVTTNXDHA",
  "secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj",
  "endpoint": "https://sts.eu-west-1.amazonaws.com"
}
```
```shell
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/aws/config/client
```
Then use the Lambda function to call `client.auth_aws_iam` without any token as input.
Hope it helps
```python
import os

import hvac


def main():
    client = hvac.Client(url='https://domain/ui/vault/secrets', token=os.environ['VAULT_TOKEN'], cert=(client_cert_path, client_key_path))
    client.is_authenticated()
```
```
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by
SSLError(SSLError(336445449, '[SSL] PEM lib (_ssl.c:3503)'),))
```
`vault login` with the token above: no problem
```
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by
SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
```
```
Error(1, '[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:852)'),))
```
stackstorm-vault is a simple wrapper around hvac. My pull request for that project just migrates from deprecated hvac APIs to the latest APIs: StackStorm-Exchange/stackstorm-vault#17

I'm trying to create an approle using hvac. The following vault client command works:
```shell
vault write -ns=private_cloud/blue auth/approle/role/111111_itg_appwriter token_policies="0111111_itg_appwriter"
```
I couldn't find a special call in hvac for approles, so I tried just doing a `client.write` as follows:
```python
path = f"auth/approle/role/{pol_appreader}_auth"
values = f"token_policies=\"{pol_appreader}\" token_ttl=1h token_max_ttl=24h secret_id_ttl=24h"
result = client.write(path, values)
```
But I get an error for invalid duration. Has anyone used hvac to write approles? Any help would be great.
```
hvac.exceptions.InvalidRequest: error parsing X-Vault-Wrap-TTL header: time: invalid duration token_policies="211395_dev_appreader" token_ttl=1h token_max_ttl=24h secret_id_ttl=24h, on post https://<server>/v1/auth/approle/role/211395_dev_appreader_auth
```
'/v1/{mount_point}/roles/{name}',
Sorry if I'm missing something obvious, but I'm trying to address this deprecation when creating an orphan token:
```
DeprecationWarning: Call to deprecated function 'create_token'. This method will be removed in version '1.0.0' Please use the 'create' method on the 'hvac.api.auth_methods.token' class moving forward.
```
where the old `create_token` call specifies `orphan=True`. Looking at `auth.token.create`, there is a `no_parent` argument and a note in the comments:
"Certain options are only available when called by a root token. If used via the /auth/token/create-orphan endpoint, a root token is not required to create an orphan token (otherwise set with the no_parent option)."
I am not using a root token here, but I don't see how to specify the `create-orphan` endpoint. With the old function it would branch to using that endpoint if `orphan` was `True`, but I don't see any way to do that with the new one.
```
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='vault.vaultexxxx.com', port=443): Max retries exceeded with url: /v1/auth/kubernetes/login (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f4d1dc1b0d0>: Failed to establish a new connection: [Errno 111] Connection refused'
```
`while client.sys.is_sealed()` loop, but that doesn't seem to have any effect. How have folks managed that flow? I'm trying to do this in the context of bootstrapping the cluster to hand off to Pulumi/Terraform.
`https://server/v1/secret/data/mypath`. But, looking at our working CURL, the `https://server/v1/<my_namespace>/data/mypath`. I initialized the client with `client = hvac.Client(namespace=my_namespace, ...)` and it seems to have no effect. Any ideas?
`client.secrets.kv.v2.read_secret_version` and the URL in the error clearly shows `/v1`
Hello all, hope everyone is doing well.
Anyone know a good way to mock the vault client for a unit test using pytest?
I tried https://stackoverflow.com/questions/54326123/how-to-mock-vault-hvac-client-method but I am getting the below error:
```
AttributeError: 'NoneType' object has no attribute 'read'
```
My code does not recognize the `read` method.