hvac/community

Balder Lindblom

@cellisten

@Rammurthy5 depends on what token you want to renew, the calling token (self) or another token (without self)

RAMMURTY S

@Rammurthy5

@cellisten thanks. .

@cellisten May I ask you about how do you secure vault tokens in your project? Our Vault Auth Tokens are set to expire every 8hours, so we have to fetch new token programmatically.

So for the next time when the token expired, do we need to enter our access credentials and fetch new token?

Balder Lindblom

@cellisten

@Rammurthy5 I prefer tokens with shorter expiry and then I copy a token from the GUI when needed. For automated tasks I use app roles rather than tokens for access

RAMMURTY S

@Rammurthy5

@cellisten Can you elaborate a bit more on "For automated tasks I use app roles rather than tokens for access"

Balder Lindblom

@cellisten

Do you know what app roles are?

RAMMURTY S

@Rammurthy5

Sorry, no

Balder Lindblom

@cellisten

There are several authentication methods in the Vault. Ldap, Kubernetes service accounts, app roles and tokens to name a few. Use the one most suited for the task at hand

RAMMURTY S

@Rammurthy5

@cellisten thanks. .

Balder Lindblom

@cellisten

https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle/ for some more information

FrankSD

@FrankSD

can anyone please help?i am using vault with AWS........but everytime i try to log in .i keep getting missing TOKEN buti could see the TOKEN when i print on console

Balder Lindblom

@cellisten

@FrankSD please provide more context. What is the actual command you are running?

RAMMURTY S

@Rammurthy5

Hey guys, need help on this, please!
I m facing the below error when I try to connect and read a value from Vault. Please help.

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool Max retries exceeded with url: /xyz Caused by SSLError(SSLError(336445449, '[SSL] PEM lib (_ssl.c:3503)
Code

import hvac
client = hvac.Client(url=addr, verify=True, cert=(truststore file, keystore file))
client.read(path)

environment: Redhat 7 Linux
Python 3.6
hvac 0.10.5

FrankSD

@FrankSD

@cellisten i am using the code below:

``` credentials= boto3.Session().get_credentials()

credentials =boto3.Session().get_credentials()

client=hvac.Client(url=os.environ[VAULT_ADDR],namaspace=os.environ[VAULT_NAMESPACE],verify=False)

FrankSD

@FrankSD

client.auth.aws.iam_login(credentials .access_key, credentials .secrect_key,session_token=credentials.token,role="ROLE_NAME")

I am getting InvalidRequest: Token is missing on post......

Can anyone please help?thanks

Balder Lindblom

@cellisten

Do you get any output when printing your credentials?

FrankSD

@FrankSD

@cellisten yes i do

Balder Lindblom

@cellisten

When checking out the documentation, role doesn't seem to be used with the boto3 session:
https://hvac.readthedocs.io/en/stable/usage/auth_methods/aws.html#boto3-session
could you also try either using specifying all input variables(access_key =, secret_key = and session_token =) or none (as per the documentation)

Gal Krispel

@GalKrispel-code

Hi, I'm trying to call the hvac client from AWS Lambda on a non-default region ('eu-west-1' ).
The following code will generate this error: Credential should be scoped to a valid region, not 'eu-west-1'

import hvac
import os

def get_credentials():
    response = {
                    'access_key': os.getenv("AWS_ACCESS_KEY_ID"),
                    'secret_key': os.getenv("AWS_SECRET_ACCESS_KEY"),
                    'session_token': os.getenv("AWS_SESSION_TOKEN")
                     }
    return response

client = hvac.Client(url=os.environ.get('VAULT_ADDR'))
credentials = get_credentials()
client.auth_aws_iam(access_key=credentials['access_key'], secret_key=credentials['secret_key'],
                                            session_token=credentials['session_token'], header_value=os.environ.get('VAULT_HEADER'),
                                            role=os.environ.get('LAMBDA_ROLE_NAME'), use_token=True, region=os.environ.get('REGION_NAME')
                                            )

That error makes sense, since my function isn't on aws default region. According documentation here : https://hvac.readthedocs.io/en/latest/usage/auth_methods/aws.html#caveats-for-non-default-aws-regions
using the client.auth.aws.configure prior to the client.auth_aws_iam should do the trick, so I tried the following:

import hvac
import os

def get_credentials():
    response = {
                    'access_key': os.getenv("AWS_ACCESS_KEY_ID"),
                    'secret_key': os.getenv("AWS_SECRET_ACCESS_KEY"),
                    'session_token': os.getenv("AWS_SESSION_TOKEN")
                     }
    return response

client = hvac.Client(url=os.environ.get('VAULT_ADDR'))
credentials = get_credentials()
client.auth.aws.configure(access_key=credentials['access_key'],  secret_key=credentials['secret_key'], endpoint=f'https://sts.{os.environ.get('REGION_NAME')}.amazonaws.com')
client.auth_aws_iam(access_key=credentials['access_key'], secret_key=credentials['secret_key'],
                                            session_token=credentials['session_token'], header_value=os.environ.get('VAULT_HEADER'),
                                            role=os.environ.get('LAMBDA_ROLE_NAME'), use_token=True, region=os.environ.get('REGION_NAME')
                                            )

which apparently fails when trying to configure because of the following error missing client token , I went through the actual function and wasn't sure where the client token should go, as this function does not require a token.

Not really sure what to do here, any ideas?

powellquiring

@powellquiring

i'm a newbie, using 0.10.5, Client.is_initialized() is deprecated? suggests using api.SystemBackend? Which takes an adapter as a param? What is an adapter? TIA

Jayaprakash Reddy

@JUSTPERFECT

@GalKrispel-code

missing client token error coming from hashicorp vault code https://github.com/hashicorp/vault/blob/2b0d837d7082479d530e961e35e4fa74d9caad5c/vault/request_handling.go#L126

Note client.auth.aws.configure method makes API call to vault endpoint v1/auth/aws/config. Which requires token with proper policy attached to read that path. This is one time activity to initialize AWS auth method with any region.

But login request client.auth_aws_iam don't require X-Vault-Token header.

For your use case:
Consider enabling AWS auth method with required region using CLI or following API call with valid vault token.

payload.json
{
"access_key": "VKIAJBRHKH6EVTTNXDHA",
"secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj",
"endpoint": "https://sts.eu-west-1.amazonaws.com"
}

$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/aws/config/client

Then use Lambda function to call client.auth_aws_iam without any token as input.

Hope It helps

Gal Krispel

@GalKrispel-code

@JUSTPERFECT thanks! I actually realized that right after I posted this question, got this one working , thanks again!

Greg Maxwell

@gmaxwell94

Need help on how to do the following in hvac.

vault write auth/ldap/groups/tools policies=aws

is this just writing a secret?

Also is there some way to change the default policy for ldap at configurations?

Balder Lindblom

@cellisten

What do you mean by default policy at configuration?

Vox1984

@Vox1984

Hi, I am new to hvac. I am trying just to connect to vault

def main():
    client = hvac.Client(url='https://domain/ui/vault/secrets', token=os.environ['VAULT_TOKEN'], cert=(client_cert_path, client_key_path))
    client.is_authenticated()

I get exception for code snippet above:

requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by
SSLError(SSLError(336445449, '[SSL] PEM lib (_ssl.c:3503)'),))

Any idea whats wrong? bad cert? Should i enable something on vault server side?

I can login with vault login with token above no problem

Vox1984

@Vox1984

Using no certificate and just url and VAULT_TOKEN results in:

requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by
SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

FrankSD

@FrankSD

@Vox1984 did you check certificates configuration on the server?

i really do not think this has anything to do with hvac

Vox1984

@Vox1984

thats strange, I use the same certs for tls as server.

I can connect to port no problem with telnet

but I have still

Error(1, '[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:852)'),))

Dustin Heywood

@evilmog

Hey folks, quick question, how hard would it be to extend hvac to support SSH-CA https://www.vaultproject.io/api/secret/ssh and https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates

right now I'm doing super dirty automation with python and making the json directly but it might be handy, or it might be supported and I'm just missing it

joshuak2018

@joshuak2018

Hello

I am having an issue where I try to authenticate with kubernetes with setting useToken to false and it is still trying to use the token to authenticate

Where communities thrive

People

Repo info

Activity