Balder Lindblom
@cellisten
@FrankSD please provide more context. What is the actual command you are running?
RAMMURTY S
@Rammurthy5

Hey guys, need help on this, please!
I'm facing the below error when I try to connect and read a value from Vault. Please help.

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool Max retries exceeded with url: /xyz Caused by SSLError(SSLError(336445449, '[SSL] PEM lib (_ssl.c:3503)
Code

```python
import hvac

# <truststore file> and <keystore file> stand for the PEM file paths used
client = hvac.Client(url=addr, verify=True, cert=("<truststore file>", "<keystore file>"))
client.read(path)
```

environment: Redhat 7 Linux
Python 3.6
hvac 0.10.5

FrankSD
@FrankSD
@cellisten I am using the code below:

```python
import os
import boto3
import hvac

credentials = boto3.Session().get_credentials()
# verify=False disables TLS certificate verification for the Vault connection
client = hvac.Client(url=os.environ["VAULT_ADDR"], namespace=os.environ["VAULT_NAMESPACE"], verify=False)
```
FrankSD
@FrankSD
```python
client.auth.aws.iam_login(credentials.access_key, credentials.secret_key, session_token=credentials.token, role="ROLE_NAME")
```
I am getting InvalidRequest: Token is missing on post......
Can anyone please help? Thanks
Balder Lindblom
@cellisten
Do you get any output when printing your credentials?
FrankSD
@FrankSD
@cellisten yes i do
Balder Lindblom
@cellisten
When checking out the documentation, role doesn't seem to be used with the boto3 session:
https://hvac.readthedocs.io/en/stable/usage/auth_methods/aws.html#boto3-session
Could you also try either specifying all input variables (access_key=, secret_key= and session_token=) or none (as per the documentation)?
Gal Krispel
@GalKrispel-code

Hi, I'm trying to call the hvac client from AWS Lambda on a non-default region ('eu-west-1' ).
The following code will generate this error: Credential should be scoped to a valid region, not 'eu-west-1'

```python
import hvac
import os

def get_credentials():
    response = {
        'access_key': os.getenv("AWS_ACCESS_KEY_ID"),
        'secret_key': os.getenv("AWS_SECRET_ACCESS_KEY"),
        'session_token': os.getenv("AWS_SESSION_TOKEN"),
    }
    return response

client = hvac.Client(url=os.environ.get('VAULT_ADDR'))
credentials = get_credentials()
client.auth_aws_iam(
    access_key=credentials['access_key'],
    secret_key=credentials['secret_key'],
    session_token=credentials['session_token'],
    header_value=os.environ.get('VAULT_HEADER'),
    role=os.environ.get('LAMBDA_ROLE_NAME'),
    use_token=True,
    region=os.environ.get('REGION_NAME'),
)
```

That error makes sense, since my function isn't in the AWS default region. According to the documentation here: https://hvac.readthedocs.io/en/latest/usage/auth_methods/aws.html#caveats-for-non-default-aws-regions
using client.auth.aws.configure prior to client.auth_aws_iam should do the trick, so I tried the following:

```python
import hvac
import os

def get_credentials():
    response = {
        'access_key': os.getenv("AWS_ACCESS_KEY_ID"),
        'secret_key': os.getenv("AWS_SECRET_ACCESS_KEY"),
        'session_token': os.getenv("AWS_SESSION_TOKEN"),
    }
    return response

client = hvac.Client(url=os.environ.get('VAULT_ADDR'))
credentials = get_credentials()
# the f-string needs double quotes on the outside so the inner single quotes parse
client.auth.aws.configure(
    access_key=credentials['access_key'],
    secret_key=credentials['secret_key'],
    endpoint=f"https://sts.{os.environ.get('REGION_NAME')}.amazonaws.com",
)
client.auth_aws_iam(
    access_key=credentials['access_key'],
    secret_key=credentials['secret_key'],
    session_token=credentials['session_token'],
    header_value=os.environ.get('VAULT_HEADER'),
    role=os.environ.get('LAMBDA_ROLE_NAME'),
    use_token=True,
    region=os.environ.get('REGION_NAME'),
)
```

which apparently fails when trying to configure, because of the following error: "missing client token". I went through the actual function and wasn't sure where the client token should go, as this function does not require a token.

Not really sure what to do here, any ideas?

powellquiring
@powellquiring
I'm a newbie, using 0.10.5. Client.is_initialized() is deprecated? It suggests using api.SystemBackend, which takes an adapter as a param? What is an adapter? TIA
Jayaprakash Reddy
@JUSTPERFECT

@GalKrispel-code

The "missing client token" error comes from the HashiCorp Vault code: https://github.com/hashicorp/vault/blob/2b0d837d7082479d530e961e35e4fa74d9caad5c/vault/request_handling.go#L126

Note that the client.auth.aws.configure method makes an API call to the Vault endpoint v1/auth/aws/config, which requires a token with a proper policy attached to read that path. This is a one-time activity to initialize the AWS auth method with any region.

But the login request client.auth_aws_iam doesn't require the X-Vault-Token header.

For your use case:
Consider enabling the AWS auth method with the required region using the CLI or the following API call with a valid Vault token.

payload.json
```json
{
  "access_key": "VKIAJBRHKH6EVTTNXDHA",
  "secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj",
  "endpoint": "https://sts.eu-west-1.amazonaws.com"
}
```

```shell
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/aws/config/client
```

Then use the Lambda function to call client.auth_aws_iam without any token as input.

Hope it helps

Gal Krispel
@GalKrispel-code
@JUSTPERFECT thanks! I actually realized that right after I posted this question, got this one working, thanks again!
Greg Maxwell
@gmaxwell94
Need help on how to do the following in hvac.
vault write auth/ldap/groups/tools policies=aws
is this just writing a secret?
Also is there some way to change the default policy for ldap at configurations?
Balder Lindblom
@cellisten
What do you mean by default policy at configuration?
Vox1984
@Vox1984
Hi, I am new to hvac. I am just trying to connect to Vault:

```python
import os
import hvac

def main():
    # client_cert_path and client_key_path are the poster's placeholders for the PEM paths
    client = hvac.Client(
        url='https://domain/ui/vault/secrets',
        token=os.environ['VAULT_TOKEN'],
        cert=(client_cert_path, client_key_path),
    )
    client.is_authenticated()
```

I get an exception for the code snippet above:
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by SSLError(SSLError(336445449, '[SSL] PEM lib (_ssl.c:3503)'),))
Any idea what's wrong? Bad cert? Should I enable something on the Vault server side?
I can log in with `vault login` using the token above, no problem.
Vox1984
@Vox1984
Using no certificate and just url and VAULT_TOKEN results in:
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
FrankSD
@FrankSD
@Vox1984 did you check the certificate configuration on the server?
I really do not think this has anything to do with hvac.
Vox1984
@Vox1984
That's strange, I use the same certs for TLS as the server.
I can connect to port no problem with telnet
but I have still
Error(1, '[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:852)'),))
Dustin Heywood
@evilmog
Hey folks, quick question, how hard would it be to extend hvac to support SSH-CA https://www.vaultproject.io/api/secret/ssh and https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates
right now I'm doing super dirty automation with python and making the json directly but it might be handy, or it might be supported and I'm just missing it
joshuak2018
@joshuak2018
Hello
I am having an issue where I try to authenticate with kubernetes with setting useToken to false and it is still trying to use the token to authenticate
Jacob Floyd
@cognifloyd
I need to write unit tests for stackstorm-vault, a simple wrapper around hvac. My pull request for that project just migrates from deprecated hvac APIs to the latest APIs: StackStorm-Exchange/stackstorm-vault#17
Does hvac have anything that could simplify writing these tests? A mock vault or something?
cognifloyd (Jacob Floyd)
@cognifloyd:matrix.org
[m]
testing the matrix bridge
It looks like there is some good test infra, but it is not included in the hvac module. So, I think that means I need a git checkout of hvac to reuse any testing scripts/modules/classes.
Jeffrey Hogan
@jeffwecan
@cognifloyd we actually have a very old issue covering the same sort of thought: hvac/hvac#99
I'm hoping to find some time for hvac development work in earnest again soon so I'll take a look at it again if I'm able :)
cognifloyd (Jacob Floyd)
@cognifloyd:matrix.org
[m]
Sounds good. For now here's my hack to "include" the relevant parts of the hvac test infra in my own tests: https://github.com/StackStorm-Exchange/stackstorm-vault/pull/19/files#diff-bb41de0f7374b35eb53e4a61947b5aedc01637405fa4a748c1a9aac1180ba250
Scott Hall
@schall8

I'm trying to create an approle using hvac. The following vault client command works:
```shell
vault write -ns=private_cloud/blue auth/approle/role/111111_itg_appwriter token_policies="0111111_itg_appwriter"
```

I couldn't find a special call in hvac for approles, so I tried just doing a client.write as follows:
```python
path = f"auth/approle/role/{pol_appreader}_auth"
values = f"token_policies=\"{pol_appreader}\" token_ttl=1h token_max_ttl=24h secret_id_ttl=24h"
result = client.write(path, values)
```

But I get an error for invalid duration. Has anyone used hvac to write approles? Any help would be great.
hvac.exceptions.InvalidRequest: error parsing X-Vault-Wrap-TTL header: time: invalid duration token_policies="211395_dev_appreader" token_ttl=1h token_max_ttl=24h secret_id_ttl=24h, on post https://<server>/v1/auth/approle/role/211395_dev_appreader_auth

Chri100pher
@Chri100pher
Hi, I think I have found a small issue in the hvac aws secrets_engines:
'/v1/{mount_point}/roles/{name}',
https://github.com/hvac/hvac/blob/3caf8eb2408b0ff7ea7828dd0804916abb2fcb23/hvac/api/secrets_engines/aws.py#L242
Shouldn’t the path point to "role" instead of "roles" when we are using read_role ?
Pavan Patharde
@ppathard
Hi All hvac is working well with vault in 1.18 k8s where as does not work with 1.15... Any thing to keep in mind?
Pavan Patharde
@ppathard
v1/sys/init
Ash
@abelmokadem
Hi all, we have a library that is an extension of hvac and I'm wondering if there is room to move some, maybe all of the code into hvac? It is considered "higher level" functionality over the api. Anyone here to discuss this? Link to code: https://github.com/schubergphilis/hashivaultlib/blob/master/hashivaultlib/hashivaultlib.py