C# code working on 1.3.4 Vault no longer working on 1.12.3 Vault
MB34 opened this issue
We're using Vault 1.12.3 in an AWS environment. In the CLI, I can log in via an approle with the role-id and secret-id and do a kv get perfectly. However, our C# code, which was working with a 1.3.4 Vault version, now no longer works and gives us a "permission denied" error. We did change namespaces and it is reflected in the VaultClientSettings when we create it.
But upon attempting to try either a V1.Auth.Token.LookupSelfAsync() or V1.Auth.PerformImmediateLogin() I get the error.
The stack trace below is for the V1.Auth.PerformImmediateLogin():
```
at VaultSharp.Core.Polymath.<MakeRequestAsync>d__23`1.MoveNext()
at VaultSharp.Core.Polymath.<MakeVaultApiRequest>d__21`1.MoveNext()
at VaultSharp.V1.AuthMethods.AppRole.AppRoleAuthMethodLoginProvider.<LoginAsync>d__3.MoveNext()
at VaultSharp.V1.AuthMethods.AppRole.AppRoleAuthMethodLoginProvider.<GetVaultTokenAsync>d__4.MoveNext()
at VaultSharp.Core.Polymath.<PerformImmediateLogin>d__17.MoveNext()
at VaultSharp.V1.AuthMethods.AuthMethodProvider.<PerformImmediateLogin>d__54.MoveNext()
at EGSM.VaultApi.Vault.VaultWrapper.<GetValuesAsync>d__5.MoveNext() in C:\Code\EGSM.VaultApi\Vault\VaultWrapper.cs:line 155
```
We're suspecting that it may have to do with the namespace, any thoughts?
Here is the code for AppRoleAuthClientAsync(), which calls V1.Auth.Token.LookupSelfAsync() and fails:
```csharp
private async Task<IVaultClient?> AppRoleAuthClientAsync(string api)
{
    IVaultClient? vaultClient = null;
    if (_settings is not null)
    {
        var _address = _settings.Address;
        string? role_id = _settings.TAppRoleRoleId;
        string? secrets_id = _settings.TAppRoleSecretId;
        IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(role_id, secrets_id);
        var vaultClientSettings = GetVaultClientSettings(_settings, authMethod);
        vaultClient = new VaultClient(vaultClientSettings);
        var _token = "";
        try
        {
            // First API call on the client: VaultSharp performs the AppRole login
            // lazily here, then looks up the token it obtained.
            Secret<CallingTokenInfo> tokenData = await vaultClient.V1.Auth.Token.LookupSelfAsync().ConfigureAwait(false);
            _token = tokenData.Data.Id;
        }
        catch (Exception e)
        {
            // Interpolate the message directly; a "{0}" placeholder inside an
            // interpolated string would log a literal "0" instead of the message.
            Log.Error($"@ {e.Message}");
        }
        Environment.SetEnvironmentVariable("VAULT_TOKEN", _token);
    }
    return vaultClient;
}
```
Here is the code for GetValuesAsync(), which calls V1.Auth.PerformImmediateLogin() and fails:
Note: The environment and api parameters form the mount point and path of the secret we're trying to obtain.
```csharp
public async Task<Secret<SecretData>?> GetValuesAsync(string? environment, string api, int? secretVersion)
{
    Secret<SecretData>? kv2Secret = null;
    IVaultClient? _client = await AppRoleAuthClientAsync(api).ConfigureAwait(false);
    if (_client is not null)
    {
        try
        {
            // Force the AppRole login now rather than on the first secrets call.
            await _client.V1.Auth.PerformImmediateLogin().ConfigureAwait(false);
        }
        catch (VaultApiException e)
        {
            Log.Error(e.Message);
            throw;
        }

        // Read the secret only once the login has succeeded; environment is the
        // KV v2 mount point and api (lower-cased) is the secret path.
        try
        {
            kv2Secret = await _client.V1.Secrets.KeyValue.V2.ReadSecretAsync(path: api.ToLower(), version: secretVersion, mountPoint: environment).ConfigureAwait(false);
        }
        catch (VaultApiException e)
        {
            Log.Error(e.Message);
        }
    }
    return kv2Secret;
}
```
Geez, somehow copied spaces in my namespace. Fixed that and now it's working.
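The root cause above was stray whitespace in the configured namespace, which Vault sends as the X-Vault-Namespace header and so addresses a namespace that does not exist, surfacing as "permission denied". As an added example (not the issue author's code), here is a small VaultSharp client factory that trims and validates the namespace before the client is built and reports which namespace was used when the AppRole login fails; it assumes VaultSharp's `VaultClientSettings.Namespace` property and the same `AppRoleAuthMethodInfo` constructor used above.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using VaultSharp;
using VaultSharp.Core;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.AppRole;

public static class VaultClientFactory
{
    // Normalizes the namespace before it becomes the X-Vault-Namespace header.
    // "team-a " and "team-a" are different namespaces to Vault, so a copied
    // space turns every request into one against a namespace that does not exist.
    public static string NormalizeNamespace(string? configured)
    {
        var ns = (configured ?? string.Empty).Trim();
        if (ns.Any(char.IsWhiteSpace))
            throw new ArgumentException($"Vault namespace '{ns}' contains whitespace; check the configuration source.");
        return ns;
    }

    // Builds an AppRole-authenticated client for the given (validated) namespace.
    public static IVaultClient Create(string address, string roleId, string secretId, string? configuredNamespace)
    {
        IAuthMethodInfo auth = new AppRoleAuthMethodInfo(roleId, secretId);
        var settings = new VaultClientSettings(address, auth)
        {
            Namespace = NormalizeNamespace(configuredNamespace)
        };
        return new VaultClient(settings);
    }

    // Logs in eagerly and includes the namespace in the failure so a
    // misconfigured namespace is visible in the log, not just "permission denied".
    public static async Task VerifyLoginAsync(IVaultClient client, string ns)
    {
        try
        {
            await client.V1.Auth.PerformImmediateLogin().ConfigureAwait(false);
        }
        catch (VaultApiException e)
        {
            throw new InvalidOperationException($"AppRole login failed in namespace '{ns}': {e.Message}", e);
        }
    }
}
```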