
App Role : Vault configuration failed: One or more errors occurred. ({"errors":["1 error occurred:\n\t* permission denied\n\n"]}


Calling the AppRole method to read a key value gives me a permission denied error in an ASP.NET Core application.

```text
System.Exception: Vault configuration failed: One or more errors occurred. ({"errors":["1 error occurred:\n\t* permission denied\n\n"]} )
   at VaultConnection.VaultExtensions.AddVaultKeys.GetValutKeyValuePairs(IConfiguration buildConfig) in C:\Users\48013\Source\Repos\sample\Vault1\VaultConnection\VaultExtensions\AddVaultKeys.cs:line 67
   at VaultConnection.Startup.ConfigureServices(IServiceCollection services) in
```

**Here is the snippet of code:**

```csharp
// AppRole login using the role id / secret id from configuration.
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(buildConfig["vault:roleid"], buildConfig["vault:secretid"]);

var VaultClientSettings = new VaultClientSettings(buildConfig["vault:address"], authMethod);

IVaultClient vaultClient = new VaultClient(VaultClientSettings);

// Token Apis.
var callingTokenInfo = vaultClient.V1.Auth.Token.LookupSelfAsync().Result;

// KV v1 read; buildConfig["vault:path"] is set to "devkv/connection".
var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1
                        .ReadSecretAsync(buildConfig["vault:path"])
                        .Result.Data;
```

---> It throws the error at this point and fails to execute the above line `var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1...`

`DisplayJson(callingTokenInfo)` - the output for this token is:

```json
{"request_id":"e5e71c03-6972-12ff-9e30-d42c8e2f188a","lease_id":"","renewable":false,"lease_duration":0,
 "data":{"accessor":"FuLTEKwYmJ2IGZyDwvCmJ1Vm","explicit_max_ttl":0,"renewable":true,"creation_time":1591617019,
  "creation_ttl":2764800,"orphan":true,"ttl":2764799,"type":"service","id":"s.6GJMAbWxQU82cm1K7ajcSgv5",
  "policies":["default","sqlconnection"],"meta":{"role_name":"sqlconnectionrole"},"path":"auth/approle/login",
  "display_name":"approle","num_uses":0,"entity_id":"811d33fe-e9e5-ac4e-3fbf-9809c0a85b3d",
  "expire_time":"2020-07-10T17:20:19.2386078+05:30","identity_policies":null,"issue_time":"2020-06-08T17:20:19.2386078+05:30"},
 "wrap_info":null,"warnings":null,"auth":null}
```

In addition to this, the steps to create the policy and associate it with a role:

1. vault secrets enable -path=devkv kv
2. vault kv put devkv/connection timeout=120 source=DATA
3. vault policy write sqlconnection sqlconnection.hcl
4. Output of the policy created (vault policy read sqlconnection):

```hcl
path "devkv/*" { capabilities = ["create", "read", "update", "delete", "list"] }

path "devkv/appId*" { capabilities = ["create", "read", "update", "delete", "list"] }
```

5. vault auth enable approle
6. vault write auth/approle/role/sqlconnectionrole policies=default,sqlconnection
7. vault read auth/approle/role/sqlconnectionrole/role-id
8. vault write -f auth/approle/role/sqlconnectionrole/secret-id

If I test this through the command line, I am able to access the keys:

9. vault write auth/approle/login role_id="1a5aa9a5-9d79-5743-de-9dca0433dc77" secret_id="138ec92b-02c8-610d-109b-3f325e29be"

I received a token from this command, logged in with this token to check whether the keys associated with the sqlconnection role can be read, and was successfully able to read the value.

```text
PS C:\WINDOWS\system32> vault write auth/approle/login role_id="1a5aa9a5-9d79-5743-3cde-9dca0433dc77" secret_id="138ec92b-02c8-610d-109b-3f325e29bef0"
Key                     Value
token                   s.g5NfR7DJLSD9hp1amXCvp92I
token_accessor          u5raQKxARuAjluywS1SatFuy
token_duration          768h
token_renewable         true
token_policies          ["default" "sqlconnection"]
identity_policies       []
policies                ["default" "sqlconnection"]
token_meta_role_name    sqlconnectionrole

PS C:\WINDOWS\system32> vault login s.g5NfR7DJLSD9hp1amXCvp92I
WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command, unset
the VAULT_TOKEN environment variable or set it to the token displayed below.

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                     Value
token                   s.g5NfR7DJLSD9hp1amXCvp92I
token_accessor          u5raQKxARuAjluywS1SatFuy
token_duration          767h59m35s
token_renewable         true
token_policies          ["default" "sqlconnection"]
identity_policies       []
policies                ["default" "sqlconnection"]
token_meta_role_name    sqlconnectionrole

PS C:\WINDOWS\system32> vault kv get devkv/connection
===== Data =====
Key        Value
source     DATA
timeout    120
```

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Comments: 15 (7 by maintainers)

Top GitHub Comments

2 reactions
rajanadar commented, Jun 14, 2020

@itsmetarunnarang I had a look at this and cannot repro this locally. I am able to login and read a secret.

The error you are getting

{"errors":["1 error occurred:\n\t* permission denied\n\n"]}

is actually an error coming from the Vault server (not VaultSharp). What this means is that VaultSharp was able to login successfully, get a token, and send a request using that token to read the secret. The Vault server denied this request.

Based on your CLI success, one suspicious line is this

WARNING! The VAULT_TOKEN environment variable is set! This takes precedence over the value set by this command. To use the value set by this command, unset the VAULT_TOKEN environment variable or set it to the token displayed below.

It is possible that the env variable is being used when you use the CLI. Can you please unset the env variable, restart your shell, and truly use the token generated by the AppRole login?

The other option is you can also hard-code the two tokens (one you generate from CLI and the other in your env variable) in VaultSharp using the TokenAuthInfo method and see how they behave.

Let me know.

1 reaction
rajanadar commented, Jun 14, 2020

@itsmetarunnarang Found the root cause of your issue. You are mixing "mount path" and "key path".

Use the following call for a successful retrieval.

```csharp
var mountPath = "devkv";
// ensure buildConfig["vault:path"] is just 'connection' and not 'devkv/connection'
var vaultSecrets = vaultClient.V1.Secrets.KeyValue.V1
                        .ReadSecretAsync(buildConfig["vault:path"], mountPath)
                        .Result.Data;
```

The devkv value is the mount path name for the kv secrets engine. A secret engine of type 'kv' has a default mount path of value 'kv'. However, when you enabled the backend, you provided an explicit mount-point name of 'devkv'. You need to use this as an explicit parameter for any secret retrieval. Otherwise VaultSharp and hence Vault will try to read the "devkv/connection" key name from the default mountpoint of 'kv'.
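To make the mount-path mistake concrete, here is an added Python example (not from the issue, and not VaultSharp's or Vault's own code) that builds the KV v1 request path from mount point plus key path and checks it against the sqlconnection policy posted in the issue. The `kv` default mount and the policy rules come from the thread; the policy evaluation is an assumed, simplified model of Vault's documented path matching (trailing `*` is a prefix glob, the most specific rule wins, no matching rule means denied).

```python
# Added example, not from the issue or from VaultSharp: models the request path a
# KV v1 read produces and a simplified version of Vault's policy check on it.

KV_V1_DEFAULT_MOUNT = "kv"  # default mount for a 'kv' engine, as the thread notes


def kv_v1_read_path(key_path: str, mount_point: str = KV_V1_DEFAULT_MOUNT) -> str:
    """Path the client asks the server for on a KV v1 read: <mount>/<key>."""
    return f"{mount_point.strip('/')}/{key_path.strip('/')}"


# The sqlconnection policy from the issue, transcribed from its HCL into a dict.
SQLCONNECTION_POLICY = {
    "devkv/*": {"create", "read", "update", "delete", "list"},
    "devkv/appId*": {"create", "read", "update", "delete", "list"},
}


def rule_matches(rule: str, request_path: str) -> bool:
    """Vault policy paths: a trailing '*' is a prefix glob, anything else is exact."""
    if rule.endswith("*"):
        return request_path.startswith(rule[:-1])
    return rule == request_path


def is_allowed(policy: dict, request_path: str, capability: str) -> bool:
    """Simplified evaluation (assumption): the most specific, i.e. longest,
    matching rule wins, an explicit 'deny' beats every other capability, and a
    path with no matching rule is denied, which is what "permission denied" reports."""
    matching = [rule for rule in policy if rule_matches(rule, request_path)]
    if not matching:
        return False
    caps = policy[max(matching, key=len)]
    return "deny" not in caps and capability in caps


def diagnose(key_path: str, mount_point: str = KV_V1_DEFAULT_MOUNT) -> tuple:
    """Return (requested_path, allowed) for a KV v1 read under the issue's policy."""
    path = kv_v1_read_path(key_path, mount_point)
    return path, is_allowed(SQLCONNECTION_POLICY, path, "read")


if __name__ == "__main__":
    # The original call: key 'devkv/connection' on the default mount.
    print(diagnose("devkv/connection"))        # ('kv/devkv/connection', False)
    # The corrected call from the answer: key 'connection' on mount 'devkv'.
    print(diagnose("connection", "devkv"))     # ('devkv/connection', True)
```

The first call lands under `kv/`, a prefix the policy never grants, so Vault answers with the same permission denied seen in the issue even though the AppRole login itself succeeded.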

