Get secret from hashicorp vault using java application with service token

Question


Maybe someone could help me understand where I missed something.

I use an example like this to set up a cloud-config service, with another Spring application that uses Vault to get some secrets.

If I use the root token, everything works correctly.

But once I create a service token with this policy

path "secret/data/test*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/test*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

I can validate it with

$ vault token capabilities secret/test
create, delete, list, read, update

and with curl

$ curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
http://<dns-name>:8200/v1/secret/data/test | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   302  100   302    0     0   2796      0 --:--:-- --:--:-- --:--:--  2796
{
  "request_id": "44b5fdcf-a13c-8e12-83f3-a5064f25257d",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "data": {
      "test-key": "test-value"
    },
    "metadata": {
      "created_time": "2020-04-09T21:11:28.899688798Z",
      "deletion_time": "",
      "destroyed": false,
      "version": 1
    }
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

But once I start using this token with the application, it returns

2020-04-10 13:38:43.186 DEBUG 43843 --- [nio-8888-exec-1] org.apache.http.wire: http-outgoing-0 >> "GET /v1/secret/data/test HTTP/1.1[\r][\n]"
http-outgoing-0 >> "X-Vault-Token: <TOKEN>[\r][\n]"
Response 403 FORBIDDEN
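As an added example (not code from the question or from Vault itself): the policy shown above grants capabilities on two path patterns, and whether a request is allowed depends on which API path the request actually hits. The small model below reproduces Vault's path-matching behaviour for the rule forms used in the question (exact paths and a trailing "*" glob; Vault's real engine is a radix tree that also supports "+" segment wildcards and deny-precedence, which are not modelled). The function names and the QUESTION_POLICY dict are assumptions of this example. It also maps KV version 2 operations to the API paths they use, since the CLI's logical path secret/test becomes secret/data/test for reads and secret/metadata/test for lists.

```python
"""Simplified model of Vault ACL path matching, applied to the policy from the
question (added example; function names and the policy dict are assumptions)."""

# The two rules from the question's policy, as path -> capability set.
QUESTION_POLICY = {
    "secret/data/test*": {"create", "read", "update", "delete", "list"},
    "secret/test*": {"create", "read", "update", "delete", "list"},
}


def rule_matches(rule_path: str, request_path: str) -> bool:
    """A trailing '*' is a glob over the rest of the path (an empty remainder
    also matches); any other rule must match the request path exactly."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def capabilities(policy: dict, request_path: str) -> set:
    """Return the capability set of the most specific (longest) matching rule,
    or {"deny"} when nothing matches, like `vault token capabilities <path>`."""
    best_path, best_caps = None, {"deny"}
    for rule_path, caps in policy.items():
        if rule_matches(rule_path, request_path):
            if best_path is None or len(rule_path) > len(best_path):
                best_path, best_caps = rule_path, set(caps)
    return best_caps


def kv2_api_paths(mount: str, key: str) -> dict:
    """KV v2 splits the logical path the CLI shows into separate API paths:
    reads and writes go to <mount>/data/<key>, list and metadata operations go
    to <mount>/metadata/<key>. Policies must name the API path."""
    return {
        "read": f"{mount}/data/{key}",
        "write": f"{mount}/data/{key}",
        "list": f"{mount}/metadata/{key}",
    }


def explain(policy: dict, mount: str, key: str) -> dict:
    """For each KV v2 operation on a key, the capabilities the policy grants on
    the API path that operation actually hits (sorted for stable output)."""
    return {
        op: sorted(capabilities(policy, path))
        for op, path in kv2_api_paths(mount, key).items()
    }


if __name__ == "__main__":
    # Literal path that `vault token capabilities secret/test` checks
    # (that command does not apply the KV v2 path rewrite):
    print("secret/test      ->", sorted(capabilities(QUESTION_POLICY, "secret/test")))
    # API path the curl request and the Java application hit:
    print("secret/data/test ->", sorted(capabilities(QUESTION_POLICY, "secret/data/test")))
    print(explain(QUESTION_POLICY, "secret", "test"))
```

Run against the question's policy, both secret/test and secret/data/test resolve to the full capability set, so a read of secret/data/test is covered by the policy as written. The model also shows one caveat worth knowing: a KV v2 list on the same key goes to secret/metadata/test, which neither rule covers, so that operation would be denied even though the policy lists "list".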

Answer 1

Score: 1

It really sounds like the app is not attaching the credentials correctly. Try hitting a site like httpbin.
The /anything will return the request that it received. It's an easy way to debug those services.

You can also host that site locally if you are worried about those credentials.
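As an added example of the locally hosted approach the answer suggests (this is not the answerer's code and not httpbin itself): a minimal echo endpoint on 127.0.0.1 that returns the request line and headers it received as JSON, plus a client that sends a request with X-Vault-Token the way the application should. Pointing the application's Vault address at such an endpoint shows exactly which headers reach the wire, which is the check to do before blaming the policy. The server class, function names, port selection and the constructed token value are assumptions of this example; header names are lower-cased in the echo because HTTP header names are case-insensitive and clients may change their casing.

```python
"""Local stand-in for httpbin's /anything endpoint, used to confirm that a
client really attaches the X-Vault-Token header (added example; names and the
constructed token value are assumptions)."""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoHandler(BaseHTTPRequestHandler):
    """Echo the method, path and headers of every GET back as JSON."""

    def do_GET(self):
        body = json.dumps({
            "method": self.command,
            "path": self.path,
            # Lower-case the names: header names are case-insensitive on the wire.
            "headers": {name.lower(): value for name, value in self.headers.items()},
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        """Silence per-request logging; the echoed JSON is the record."""


def start_echo_server():
    """Bind an ephemeral loopback port and serve in a daemon thread.
    Returns (server, port) so the caller can target and later shut it down."""
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def echo_request(port, path, token=None):
    """GET `path` on the local echo server, optionally with X-Vault-Token,
    and return the parsed JSON describing what the server received."""
    request = urllib.request.Request(f"http://127.0.0.1:{port}{path}")
    if token is not None:
        request.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(request, timeout=5) as response:
        return json.loads(response.read())


def token_seen_by_server(port, path, token):
    """The value of X-Vault-Token as the server saw it, or None if absent."""
    return echo_request(port, path, token)["headers"].get("x-vault-token")


if __name__ == "__main__":
    server, port = start_echo_server()
    # Constructed token value for illustration only; never a real Vault token.
    seen = echo_request(port, "/v1/secret/data/test", "s.constructed-example-token")
    print(json.dumps(seen, indent=2))
    server.shutdown()
```

If the echoed headers contain x-vault-token with the expected value, the client side is fine and the 403 has to be explained on the Vault side (wrong token, wrong namespace or mount, or a policy gap); if the header is missing or carries a different token than the one used with curl, the problem is in how the application loads and attaches its credentials.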

Posted by huangapple on 2020-04-10 21:16:08
Original link (please keep it when reposting): https://go.coder-hub.com/61141091.html