Giters

rajanadar / VaultSharp

A comprehensive cross-platform .NET Library for HashiCorp's Vault, a secret management tool

Home Page:http://rajanadar.github.io/VaultSharp

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

C# code working on 1.3.4 Vault no longer working on 1.12.3 Vault

MB34 opened this issue · comments

commented

We're using Vault 1.12.3 in an AWS environment. In the CLI, I can login via an approle with the role-id and secret-id and do a kv get perfectly. However, our C# code, which was working with a 1.3.4 Vault version now no longer works and gives us a "permission denied" error. We did change namespaces and it is reflected in the VaultClientSettings when we create it.
HashiVaultError

But upon attempting to try either a V1.Auth.Token.LookupSelfAsync() or V1.Auth.PerformImmediateLogin() I get the error.

The stack trace below is for the V1.Auth.PerformImmediateLogin():

 at VaultSharp.Core.Polymath.<MakeRequestAsync>d__23`1.MoveNext()
  at VaultSharp.Core.Polymath.<MakeVaultApiRequest>d__21`1.MoveNext()
  at VaultSharp.V1.AuthMethods.AppRole.AppRoleAuthMethodLoginProvider.<LoginAsync>d__3.MoveNext()
  at VaultSharp.V1.AuthMethods.AppRole.AppRoleAuthMethodLoginProvider.<GetVaultTokenAsync>d__4.MoveNext()
  at VaultSharp.Core.Polymath.<PerformImmediateLogin>d__17.MoveNext()
  at VaultSharp.V1.AuthMethods.AuthMethodProvider.<PerformImmediateLogin>d__54.MoveNext()
  at EGSM.VaultApi.Vault.VaultWrapper.<GetValuesAsync>d__5.MoveNext() in C:\Code\EGSM.VaultApi\Vault\VaultWrapper.cs:line 155

We're suspecting that it may have to do with the namespace, any thoughts?

Here the code for AppRoleAuthClientAsync() that calls the V1.Auth.Token.LookupSelfAsync() and fails:

    private async Task<IVaultClient?> AppRoleAuthClientAsync(string api)
    {
        IVaultClient? vaultClient = null;
        if (_settings is not null)
        {
            var _address = _settings.Address;
            string? role_id = _settings.TAppRoleRoleId;
            string? secrets_id = _settings.TAppRoleSecretId;

            IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(role_id, secrets_id);
            var vaultClientSettings = GetVaultClientSettings(_settings, authMethod);
            vaultClient = new VaultClient(vaultClientSettings);
            var _token = "";
            try
            {
                Secret<CallingTokenInfo> tokenData = await vaultClient.V1.Auth.Token.LookupSelfAsync().ConfigureAwait(false);
                _token = tokenData.Data.Id;
            }
            catch (Exception e)
            {
                Log.Error($"@ {0}", e.Message);
            }
            Environment.SetEnvironmentVariable("VAULT_TOKEN", _token);
        }
        return vaultClient;
    }

Here the code for GetValuesAsync() that calls the V1.Auth.PerformImmediateLogin() and fails:
Note: The environment and api parameters create the path and mountpoint to the secrets we're trying to obtain.

    public async Task<Secret<SecretData>?> GetValuesAsync(string? environment, string api, int? secretVersion)
    {
        Secret<SecretData>? kv2Secret = null;
        IVaultClient? _client = await AppRoleAuthClientAsync(api).ConfigureAwait(false);
        if(_client is not null)
        {
            try
            {
                await _client.V1.Auth.PerformImmediateLogin().ConfigureAwait(false);
            }
            catch (VaultApiException e)
            {
                Log.Error(e.Message);
                throw;
            }
            finally
            {
                try
                {
                    kv2Secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretAsync(path: api.ToLower(), version: secretVersion, mountPoint: environment).ConfigureAwait(false);
                }
                catch (VaultApiException e)
                {
                    Log.Error(e.Message);
                }                    
            }
        }
        return kv2Secret;
    }
commented

Geez, somehow copied spaces in my namespace, fixed that and now it's working.