Update password to existing userpass account using Http API

Chris Murphy

Jul 24, 2016, 8:21:34 AM
to Vault

Hi Guys

I am trying to update an existing userpass account password in Vault but am getting an error: Permission Denied

Here is my Http API Request

curl -H "X-Vault-Token: d22fb618-dd66-d20d-1b22-a2ddbbc2361f"  -X POST http://9.30.30.100:8200/v1/auth/userpass/users/cmurphy/password1

Getting a Permission Denied

I log in to Vault first, then I use the token to make the request to Vault.


https://www.vaultproject.io/docs/auth/userpass.html

Any help would be great.

Thanks



Chris Murphy

Jul 24, 2016, 8:23:55 AM
to Vault


Here are my policies for this user

path "secret/*" {
        capabilities = ["create","delete","list","update","read"]
}

path "auth/*"{

        capabilities = ["create","delete","update","read"]
}


Thanks

Jeff Mitchell

Jul 24, 2016, 10:43:23 PM
to vault...@googlegroups.com

Hi Chris,

You have an extra '1' at the end of your URL. Remove it and it should work just fine!

Best,
Jeff


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/e916db36-a15a-431c-aab8-9c5f2167219a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Chris Murphy

Jul 25, 2016, 6:58:00 AM
to Vault

Hi Jeff

I removed the '1' at the end of the URL; still getting Permission Denied

Jeff Mitchell

Jul 25, 2016, 7:25:25 AM
to vault...@googlegroups.com

Hi Chris,

What version of Vault is this?

Thanks,
Jeff



Chris Murphy

Jul 25, 2016, 8:45:01 AM
to Vault

Hi Jeff,

It is Vault Version 0.6.

Jeff Mitchell

Jul 25, 2016, 11:12:48 AM
to vault...@googlegroups.com
Hi Chris,

I can't reproduce this; I've tried against both 0.6.0 and current master:

===============
$ cat test.policy
path "secret/*" {
capabilities = ["create","delete","list","update","read"]
}

path "auth/*"{
capabilities = ["create","delete","update","read"]
}

$ vault policy-write testpolicy test.policy
Policy 'testpolicy' written.

$ vault auth-enable userpass
Successfully enabled 'userpass' at 'userpass'!

$ vault write auth/userpass/users/jeff password=foo policies=testpolicy
Success! Data written to: auth/userpass/users/jeff

$ vault auth -method=userpass username=jeff password=foo
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: f21ecd0b-e1c6-c1e6-bab3-135696f6ad21
token_duration: 2591999
token_policies: [default, testpolicy]

$ vault token-lookup
Key Value
--- -----
accessor fd6f47a3-b033-775c-60ef-d56ac57040e0
creation_time 1469459228
creation_ttl 2592000
display_name userpass-jeff
explicit_max_ttl 0
id f21ecd0b-e1c6-c1e6-bab3-135696f6ad21
meta map[username:jeff]
num_uses 0
orphan true
path auth/userpass/login/jeff
policies [default testpolicy]
renewable true
role
ttl 2591987

$ vault write auth/userpass/users/jeff/password password=bar
Success! Data written to: auth/userpass/users/jeff/password

$ vault auth -method=userpass username=jeff password=bar
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: 83687881-ee99-186d-7947-9332503c6090
token_duration: 2592000
token_policies: [default, testpolicy]
===============

In your curl command you're not showing any data being passed. Are you
actually sending the JSON data with the new password?

Best,
Jeff

Chris Murphy

Jul 25, 2016, 11:43:23 AM
to Vault

Hi Jeff

The above commands are working in Vault Console.

It is using the HTTP API request to update the user's account,
following this page: https://www.vaultproject.io/docs/auth/userpass.html

/auth/userpass/users/[username]/password


curl -H "X-Vault-Token: d22fb618-dd66-d20d-1b22-a2ddbbc2361f"  -X POST http://9.30.30.100:8200/v1/auth/userpass/users/cmurphy/password

What data do I need to send with the password?

The user exists and is Auth. I just want to update the user's password from a curl command.


Thanks Jeff



Michael Fischer

Jul 25, 2016, 11:50:31 AM
to vault...@googlegroups.com
You need to submit a data payload consisting of a JSON object whose key is 'password' and value is the plaintext password.

So:

curl -H "X-Vault-Token: <redacted>" -X POST -d @password.json http://9.30.30.100:8200/v1/auth/userpass/users/cmurphy/password

Where password.json contains:

{ "password" : "changeme" }



Jeff Mitchell

Jul 25, 2016, 1:07:29 PM
to vault...@googlegroups.com
You can also specify on the command line:

curl -H "X-Vault-Token: <redacted>" -X POST -d '{"password": "changeme"}' http://9.30.30.100:8200/v1/auth/userpass/users/cmurphy/password

All input to the Vault API is JSON, so any parameters you see in the
API docs will need to be specified as part of a JSON document.

Best,
Jeff

Michael Fischer

Jul 25, 2016, 1:39:59 PM
to vault...@googlegroups.com
I generally discourage placing cleartext passwords in interactive shell commands lest they end up in shell history files by mistake. 

Lots of ways to skin this particular cat, though. 

Jeff Mitchell

Jul 25, 2016, 2:37:45 PM
to vault...@googlegroups.com
Oops -- I am also very much on that same page. I was merely trying to
show that JSON *can* be sent to Vault endpoints directly on the CLI,
but indeed, it's usually a good idea for that data to not be
sensitive. :-)

--Jeff
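
The point raised above about keeping cleartext passwords out of interactive shell commands, as an added example that is not part of the thread: the new password is prompted for with echo off, turned into the JSON body the endpoint expects, and handed to curl on stdin, with the token header supplied through a config read from file descriptor 3. The function names, the `VAULT_ADDR` and `VAULT_TOKEN` environment variables, a URL-safe username, and the availability of `/dev/fd` are assumptions of this sketch.

```shell
# Added example, not code from the thread. Assumes VAULT_ADDR and VAULT_TOKEN
# are already exported; function names are hypothetical.

# Print {"password":"..."} for the password in $1. Backslash and double quote
# are escaped; empty passwords and control characters are refused rather than
# escaped. printf is a shell builtin, so the secret never lands in argv.
build_payload() {
  _stripped=$(printf '%s' "$1" | LC_ALL=C tr -d '\000-\037\177')
  if [ -z "$1" ] || [ "$_stripped" != "$1" ]; then
    unset _stripped
    return 1
  fi
  unset _stripped
  printf '{"password":"%s"}' \
    "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Prompt for a new password and POST it to
# auth/userpass/users/<username>/password. The JSON body reaches curl on
# stdin and the token header through fd 3, so neither the password nor the
# token shows up in shell history or in the process list.
set_userpass_password() {
  _user=$1
  printf 'New password for %s: ' "$_user" >&2
  stty -echo
  IFS= read -r _pw
  stty echo
  printf '\n' >&2
  if ! _body=$(build_payload "$_pw"); then
    unset _pw
    echo 'refusing empty password or control characters' >&2
    return 1
  fi
  unset _pw
  printf '%s' "$_body" |
    curl --silent --show-error --fail --config /dev/fd/3 \
         --request POST --data-binary @- \
         "$VAULT_ADDR/v1/auth/userpass/users/$_user/password" 3<<EOF
header = "X-Vault-Token: $VAULT_TOKEN"
EOF
  _status=$?
  unset _body
  return "$_status"
}
```

Call it as `set_userpass_password cmurphy`; with `--fail`, a non-2xx reply such as the Permission Denied seen in the thread gives a non-zero exit status.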
