
Can't get secrets from hashicorp vault


Hello, we are trying to get secrets from HashiCorp Vault using the dynaconf library.

vault version: 1.9.0
dynaconf version: 3.1.7

We use the following python script:

import os
from dynaconf import Dynaconf

# Sub-path under the KV mount that dynaconf should read its environments from.
os.environ["VAULT_PATH_FOR_DYNACONF"] = "dynaconf/production"

settings = Dynaconf(
    environments=True,
    vault_enabled=True,
    vault={"url": "http://172.18.207.46:8200", "token": "s.KzoIJlcSWxOwAPshU4vtOvsV"},
)

# Fails with AttributeError: the Vault loader did not populate DOCKER_USER.
print(settings.docker_user)

Here is the vault root token.

We have the following secrets in HashiCorp Vault: (screenshot: screen-1)

While executing the script, the following error appears:

/home/abashkin/.local/lib/python3.8/site-packages/hvac/v1/__init__.py:117: DeprecationWarning: Call to deprecated property 'kv'. This property will be removed in version '0.9.0' Please use the 'kv' property on the 'Client.secrets' attribute moving forward.
  return utils.getattr_with_deprecated_properties(
/usr/lib/python3/dist-packages/apport/report.py:13: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import fnmatch, glob, traceback, errno, sys, atexit, locale, imp, stat
Traceback (most recent call last):
  File "python_script_get_secret_vault_with_dynaconf.py", line 15, in <module>
    print(settings.docker_user)
  File "/home/abashkin/.local/lib/python3.8/site-packages/dynaconf/base.py", line 136, in __getattr__
    value = getattr(self._wrapped, name)
  File "/home/abashkin/.local/lib/python3.8/site-packages/dynaconf/base.py", line 277, in __getattribute__
    return super().__getattribute__(name)
AttributeError: 'Settings' object has no attribute 'DOCKER_USER'

(screenshot: screen-2)

Please help me solve the problem; we can't figure out why, after executing the script, there is no docker_user secret in the dynaconf settings.

We have deployed Vault via docker-compose as follows:

version: "3.7"

networks:
  vault-network:

services:

  vault-server:
    image: vault:1.9.0
    ports:
      - "8200:8200"
    cap_add:
      - IPC_LOCK
    environment:
      VAULT_ADDR: "http://0.0.0.0:8200"
    volumes:
      - /mnt/sdb1/vault/data:/vault/file
      - /mnt/sdb1/vault/logs:/vault/logs
      - /docker_compose/vault/config:/vault/config
    networks:
      vault-network:
    command: server

Vault config:

// Enable UI
ui = true

// Filesystem storage
storage "file" {
  path = "/vault/file"
  default_lease_ttl = "168h"
  max_lease_ttl = "720h"
}

// TCP Listener
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = "true"
}

When checking with hvac or curl, we can get secrets.

Thank you.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6

Top GitHub Comments

1 reaction
abashkinas commented, Dec 14, 2021

Hello, I managed to take a secret from a vault using a non-root token, only after I wrote the following in the vault policy for this token:

path "secret/data/dynaconf/prod/my_secret" {
  capabilities = ["read"]
}

path "secret/dynaconf/*" {
  capabilities = ["list"]
}

path "secret/data/dynaconf/default" {
  capabilities = ["read"]
}

path "secret/data/dynaconf/dynaconf" {
  capabilities = ["read"]
}

path "secret/data/dynaconf/global" {
  capabilities = ["read"]
}
0 reactions
abashkinas commented, Dec 14, 2021

My script now looks like this:

import os
from dynaconf import Dynaconf

# Environment name; with the default Vault path this selects
# secret/data/dynaconf/prod/my_secret, the path granted read in the policy above.
os.environ["ENV_FOR_DYNACONF"] = "prod/my_secret"

settings = Dynaconf(
    environment=True,
    vault_enabled=True,
    vault={"url": "http://172.18.07.46:8200", "token": "s.7lLQgU1fyaZvFta6fur6WH0h"},
)

print(settings.docker_user)
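The two comments above show the path layout dynaconf reads and the policy that made it work. The added example below (not dynaconf's or Vault's own code) turns that layout into a least-privilege policy and checks an existing policy text against it, so a non-root token can be scoped to exactly those paths. It assumes a KV v2 mount at `secret` (reads go through `data/`, listing through `metadata/`) and that the loader reads the env names `default`, `dynaconf`, the current env and `global` under VAULT_PATH_FOR_DYNACONF, as the working policy reflects.

```python
import re

# Env names the dynaconf Vault loader reads under VAULT_PATH_FOR_DYNACONF, in the
# order the working policy in the thread reflects (assumption: complete for the
# default settings; the current env is inserted as the third entry).
def dynaconf_vault_paths(vault_path, current_env, mount="secret"):
    """KV v2 data paths the loader will try to read (assumes a KV v2 mount)."""
    base = vault_path.strip("/")
    paths = []
    for env in ("default", "dynaconf", current_env.strip("/"), "global"):
        path = f"{mount}/data/{base}/{env}"
        if path not in paths:  # current_env may equal one of the fixed names
            paths.append(path)
    return paths


def render_policy(vault_path, current_env, mount="secret"):
    """Least-privilege HCL: read on each env path, list on the KV v2 metadata
    path the loader enumerates (KV v2 serves LIST under metadata/, not data/)."""
    stanzas = [
        f'path "{p}" {{\n  capabilities = ["read"]\n}}'
        for p in dynaconf_vault_paths(vault_path, current_env, mount)
    ]
    stanzas.append(
        f'path "{mount}/metadata/{vault_path.strip("/")}/*" {{\n'
        '  capabilities = ["list"]\n}'
    )
    return "\n\n".join(stanzas) + "\n"


_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}')


def _path_pattern(policy_path):
    """Vault policy path rules: '+' matches one segment, a trailing '*' the rest."""
    pat = re.escape(policy_path).replace(r"\+", "[^/]+")
    if pat.endswith(r"\*"):
        pat = pat[:-2] + ".*"
    return re.compile("^" + pat + "$")


def missing_read_paths(policy_hcl, vault_path, current_env, mount="secret"):
    """Return the loader's read paths that the given policy text does not grant."""
    grants = [_path_pattern(p) for p, body in _STANZA.findall(policy_hcl) if '"read"' in body]
    return [
        p for p in dynaconf_vault_paths(vault_path, current_env, mount)
        if not any(g.match(p) for g in grants)
    ]
```

Running `missing_read_paths` over a policy before handing its token to the application tells you which env path the loader will fail on, which is the situation the first script hit.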