rajanadar / VaultSharp

A comprehensive cross-platform .NET Library for HashiCorp's Vault, a secret management tool

Home Page:http://rajanadar.github.io/VaultSharp


Unable to update an approle after creation

molteber opened this issue · comments

Describe the bug
Unable to update an approle after creation on auth/approle/role/:role-name endpoint

VaultSharp Version
1.13.0.1

Vault Version
1.15.0

Does this work with Vault CLI?
Yes

Sample Code Snippet

// Assumes vaultClient (an IVaultClient) and policy (a policy name string) are already set up.

// Works when the role does not exist yet
vaultClient.V1.Auth.AppRole.WriteRoleAsync("my-role", new AppRoleRoleModel
{
    TokenPolicies = new List<string> { policy },
    BindSecretId = false,
    TokenTimeToLive = 30,
    TokenMaximumTimeToLive = 30,
    TokenBoundCIDRs = new List<string> { "127.0.0.1/32" },
}).Wait();

// Does not work after the role has been created (same call, same model)
vaultClient.V1.Auth.AppRole.WriteRoleAsync("my-role", new AppRoleRoleModel
{
    TokenPolicies = new List<string> { policy },
    BindSecretId = false,
    TokenTimeToLive = 30,
    TokenMaximumTimeToLive = 30,
    TokenBoundCIDRs = new List<string> { "127.0.0.1/32" },
}).Wait();

Exception Details/Stack Trace/Error Message

Unhandled exception. System.AggregateException: One or more errors occurred. ({"errors":["local_secret_ids can only be modified during role creation"]}
)
 ---> VaultSharp.Core.VaultApiException: {"errors":["local_secret_ids can only be modified during role creation"]}

   at VaultSharp.Core.Polymath.MakeRequestAsync[TResponse](String resourcePath, HttpMethod httpMethod, Object requestData, IDictionary`2 headers, Boolean rawResponse, Action`1 postResponseAction)
   at VaultSharp.Core.Polymath.MakeVaultApiRequest[TResponse](String resourcePath, HttpMethod httpMethod, Object requestData, Boolean rawResponse, Action`1 postResponseAction, String wrapTimeToLive, Boolean unauthenticated)
   at VaultSharp.Core.Polymath.MakeVaultApiRequest(String resourcePath, HttpMethod httpMethod, Object requestData, Boolean rawResponse, Boolean unauthenticated)
   at VaultSharp.V1.AuthMethods.AppRole.AppRoleAuthMethodProvider.WriteRoleAsync(String roleName, AppRoleRoleModel appRoleRoleModel, String mountPoint)
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at System.Threading.Tasks.Task.Wait()
   at Project.AppRoleManagerHandler.ConfigureAppRoleWithPolicy(IVaultClient vaultClient, String policy, String appRoleName, List`1 ipFilter, String appRoleIdDirectoryPath, String envVariableName, Action`1 options) in C:\Project\AppRoleManagerHandler.cs:line 36
   at System.Threading.Tasks.Task.<>c.<ThrowAsync>b__128_1(Object state)
   at System.Threading.QueueUserWorkItemCallbackDefaultContext.Execute()
   at System.Threading.ThreadPoolWorkQueue.Dispatch()
   at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()
   at System.Threading.Thread.StartCallback()

Any additional info
As far as I can see, the AppRole API does not expect a local_secret_ids property when updating a role. https://developer.hashicorp.com/vault/api-docs/v1.14.x/auth/approle#create-update-approle.

A possible solution could be to have an UpdateAppRoleModel and a CreateAppRoleModel, where CreateAppRoleModel inherits from UpdateAppRoleModel and defines the property local_secret_ids.

I know that there are API endpoints to update certain parts of the role, but I want to give it my full role definition to modify everything in one request instead of doing many small ones.
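The following is an added illustration of the model split proposed above; it is not VaultSharp code and makes no use of its types. The class names UpdateAppRoleModel and CreateAppRoleModel are the ones suggested in this issue, the property names mirror the fields used in the snippet, and the JSON names are the Vault AppRole API parameter names (token_policies, bind_secret_id, token_ttl, token_max_ttl, token_bound_cidrs, local_secret_ids). The point it demonstrates is that a payload built from the base type structurally cannot carry the creation-only local_secret_ids field, so the "can only be modified during role creation" rejection cannot occur on an update:

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical model split (not VaultSharp's own types).
// Only fields that Vault accepts on both create and update live here.
public class UpdateAppRoleModel
{
    [JsonPropertyName("token_policies")]
    public List<string> TokenPolicies { get; set; } = new();

    [JsonPropertyName("bind_secret_id")]
    public bool BindSecretId { get; set; } = true;   // Vault's default

    [JsonPropertyName("token_ttl")]
    public int TokenTimeToLive { get; set; }

    [JsonPropertyName("token_max_ttl")]
    public int TokenMaximumTimeToLive { get; set; }

    [JsonPropertyName("token_bound_cidrs")]
    public List<string> TokenBoundCIDRs { get; set; } = new();
}

// Creation-only settings live on the derived type, so an update payload
// built from UpdateAppRoleModel can never include them.
public class CreateAppRoleModel : UpdateAppRoleModel
{
    [JsonPropertyName("local_secret_ids")]
    public bool LocalSecretIds { get; set; }
}

public static class AppRolePayload
{
    // Serialize with the runtime type: CreateAppRoleModel keeps
    // local_secret_ids, a plain UpdateAppRoleModel never emits it.
    public static string Serialize(UpdateAppRoleModel model) =>
        JsonSerializer.Serialize(model, model.GetType());

    // For callers that hold a create model but are re-writing an existing
    // role: copy only the update-safe fields into the base type.
    public static UpdateAppRoleModel ToUpdate(UpdateAppRoleModel model) =>
        new UpdateAppRoleModel
        {
            TokenPolicies = model.TokenPolicies,
            BindSecretId = model.BindSecretId,
            TokenTimeToLive = model.TokenTimeToLive,
            TokenMaximumTimeToLive = model.TokenMaximumTimeToLive,
            TokenBoundCIDRs = model.TokenBoundCIDRs,
        };
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample matching the values in the issue's snippet.
        var create = new CreateAppRoleModel
        {
            TokenPolicies = new List<string> { "my-policy" },
            BindSecretId = false,
            TokenTimeToLive = 30,
            TokenMaximumTimeToLive = 30,
            TokenBoundCIDRs = new List<string> { "127.0.0.1/32" },
            LocalSecretIds = false,
        };

        // First write (role does not exist yet): local_secret_ids is allowed.
        Console.WriteLine(AppRolePayload.Serialize(create));

        // Later write against the existing role: creation-only fields are dropped.
        string update = AppRolePayload.Serialize(AppRolePayload.ToUpdate(create));
        Console.WriteLine(update);
        Console.WriteLine(update.Contains("local_secret_ids")
            ? "BUG: update payload still carries local_secret_ids"
            : "OK: update payload omits local_secret_ids");
    }
}
```

Passing model.GetType() to the serializer matters: serializing a CreateAppRoleModel through a parameter typed as the base class would otherwise silently drop LocalSecretIds on creation as well, which is the opposite mistake.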