Unable to update an approle after creation
molteber opened this issue · comments
Describe the bug
Unable to update an approle after creation on the auth/approle/role/:role-name endpoint
VaultSharp Version
1.13.0.1
Vault Version
1.15.0
Does this work with Vault CLI?
Yes
Sample Code Snippet
// Works when the role does not exist yet
vaultClient.V1.Auth.AppRole.WriteRoleAsync("my-role", new AppRoleRoleModel
{
    TokenPolicies = new List<string> { policy },
    BindSecretId = false,
    TokenTimeToLive = 30,
    TokenMaximumTimeToLive = 30,
    TokenBoundCIDRs = new List<string> { "127.0.0.1/32" },
}).Wait();
// Does not work after it's created
vaultClient.V1.Auth.AppRole.WriteRoleAsync("my-role", new AppRoleRoleModel
{
    TokenPolicies = new List<string> { policy },
    BindSecretId = false,
    TokenTimeToLive = 30,
    TokenMaximumTimeToLive = 30,
    TokenBoundCIDRs = new List<string> { "127.0.0.1/32" },
}).Wait();
Exception Details/Stack Trace/Error Message
Unhandled exception. System.AggregateException: One or more errors occurred. ({"errors":["local_secret_ids can only be modified during role creation"]}
)
---> VaultSharp.Core.VaultApiException: {"errors":["local_secret_ids can only be modified during role creation"]}
at VaultSharp.Core.Polymath.MakeRequestAsync[TResponse](String resourcePath, HttpMethod httpMethod, Object requestData, IDictionary`2 headers, Boolean rawResponse, Action`1 postResponseAction)
at VaultSharp.Core.Polymath.MakeVaultApiRequest[TResponse](String resourcePath, HttpMethod httpMethod, Object requestData, Boolean rawResponse, Action`1 postResponseAction, String wrapTimeToLive, Boolean unauthenticated)
at VaultSharp.Core.Polymath.MakeVaultApiRequest(String resourcePath, HttpMethod httpMethod, Object requestData, Boolean rawResponse, Boolean unauthenticated)
at VaultSharp.V1.AuthMethods.AppRole.AppRoleAuthMethodProvider.WriteRoleAsync(String roleName, AppRoleRoleModel appRoleRoleModel, String mountPoint)
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at System.Threading.Tasks.Task.Wait()
at Project.AppRoleManagerHandler.ConfigureAppRoleWithPolicy(IVaultClient vaultClient, String policy, String appRoleName, List`1 ipFilter, String appRoleIdDirectoryPath, String envVariableName, Action`1 options) in C:\Project\AppRoleManagerHandler.cs:line 36
at System.Threading.Tasks.Task.<>c.<ThrowAsync>b__128_1(Object state)
at System.Threading.QueueUserWorkItemCallbackDefaultContext.Execute()
at System.Threading.ThreadPoolWorkQueue.Dispatch()
at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()
at System.Threading.Thread.StartCallback()
Any additional info
As far as I can see, the AppRole API does not expect a local_secret_ids property when updating a role. https://developer.hashicorp.com/vault/api-docs/v1.14.x/auth/approle#create-update-approle.
A possible solution could be to have an UpdateAppRoleModel and a CreateAppRoleModel, where the CreateAppRoleModel could inherit UpdateAppRoleModel and define the property local_secret_ids.
I know that there are API endpoints to update certain parts of the role, but I want to give it my full role definition to modify everything in one request instead of doing many small ones.
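
A sketch of the model split proposed above, as an added example that is not VaultSharp's code and not part of the original issue. `UpdateAppRoleModel`, `CreateAppRoleModel`, `AppRolePayload.Build` and the sample values are hypothetical; the JSON names are the Vault AppRole API parameters, and serialization is assumed to go through System.Text.Json.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical models for the proposed split; these are not VaultSharp types.
public class UpdateAppRoleModel
{
    [JsonPropertyName("bind_secret_id")] public bool BindSecretId { get; set; }
    [JsonPropertyName("token_policies")] public List<string> TokenPolicies { get; set; } = new List<string>();
    [JsonPropertyName("token_ttl")] public int TokenTimeToLive { get; set; }
    [JsonPropertyName("token_max_ttl")] public int TokenMaximumTimeToLive { get; set; }
    [JsonPropertyName("token_bound_cidrs")] public List<string> TokenBoundCIDRs { get; set; } = new List<string>();
}

public class CreateAppRoleModel : UpdateAppRoleModel
{
    // Creation-only field, per the error message in the report.
    [JsonPropertyName("local_secret_ids")] public bool LocalSecretIds { get; set; }
}

public static class AppRolePayload
{
    // System.Text.Json serializes the declared type, so asking for
    // UpdateAppRoleModel leaves local_secret_ids out of the request body.
    public static string Build(CreateAppRoleModel role, bool roleExists) =>
        roleExists
            ? JsonSerializer.Serialize<UpdateAppRoleModel>(role)
            : JsonSerializer.Serialize(role);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values mirroring the snippet in the report.
        var role = new CreateAppRoleModel
        {
            TokenPolicies = new List<string> { "my-policy" },
            BindSecretId = false,
            TokenTimeToLive = 30,
            TokenMaximumTimeToLive = 30,
            TokenBoundCIDRs = new List<string> { "127.0.0.1/32" },
        };
        Console.WriteLine(AppRolePayload.Build(role, roleExists: false)); // body for creating the role
        Console.WriteLine(AppRolePayload.Build(role, roleExists: true));  // body for updating the role
    }
}
```

The caller still passes one full role definition; only the serialized body differs between create and update.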