Using generic backend to save contents of crt file


Mike S

Apr 26, 2017, 11:30:39 AM
to Vault
I can use the Vault CLI to successfully write the contents of a crt file as a secret to the generic backend. I can then get the secret from Vault with the CLI and pipe it to a file. A diff shows a perfect match. Here are the commands used:
vault write -field=data -format=raw bmsec/rawcrt data=@/home/myid/test/mycrt.crt
vault read -field=data bmsec/rawcrt > /home/myid/test/rawcrt.crt

However, when I try to use the Vault API to write the contents of a crt file as a secret to the generic backend, I get an error. The curl command used is:
curl -v -X POST 'http://my.system:8200/v1/bmsec/rawcrt?format=raw;field=data' -H 'Content-Type: text/plain' -H 'x-vault-token: f67a7169-c730-7cbf-ddf0-850256ad94a1' -d @/home/myid/test/mycrt.crt

The error reported is:
{"errors":["failed to parse JSON input: invalid character '-' in numeric literal"]}

Is the usage/syntax incorrect, or does the API not support the "raw" parameter?

Thanks for any help.

Mike S

Apr 28, 2017, 4:43:19 PM
to Vault
Still interested if anyone has successfully used the "raw" parameter via the API to store the contents of a file as a secret to the generic backend.

Jeff Mitchell

Apr 28, 2017, 5:12:28 PM
to Vault
Hi Mike,

Where did you see 'raw' and 'field' options? Those are not Vault options. The issue you're having is that Vault is expecting the data to come in as a JSON object and you're passing it straight bytes.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/f3cd0965-b19b-413d-be69-6acd57d21be6%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Mike S

May 1, 2017, 10:53:46 AM
to Vault
Hi Jeff,

Thanks for the reply.

I initially saw the format options mentioned here in this issue:
https://github.com/hashicorp/vault/issues/205

It's not clear these options are supported, but I tried using them with the CLI and they worked (or were at least accepted). If the options are not supported, shouldn't the CLI have given some sort of syntax error?

Thanks.

Mike


On Wednesday, April 26, 2017 at 11:30:39 AM UTC-4, Mike S wrote:

Jeff Mitchell

May 1, 2017, 11:23:22 AM
to Vault
Hi Mike,

The CLI ignores flags that it doesn't know. Both 'format' and 'field' are valid, but not in the way you're using them. You can see the description of what those do via 'vault read -h'. In 0.7.1 we will likely have a 'raw' format but it will be the raw JSON returned from the Vault API. If you look at the output of 'vault write -h' you'll see that those are *output* options for returned data, not input options.

Remember, Vault's API is JSON. If you're writing a binary file to it, you need to first base64 or use some other transform that produces values acceptable to JSON. So it might look something like:

cat /home/myid/test/mycrt.crt | base64 | vault write bmsec/rawcrt cert=-
vault read -field=cert bmsec/rawcrt | base64 -D > /home/myid/test/rawcrt.crt

Best,
Jeff
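
Added example (not part of the original thread and not HashiCorp's code): the same base64 round trip done against the HTTP API with curl, sending a JSON object instead of raw bytes. VAULT_ADDR, VAULT_TOKEN, the function names and the key name "cert" are assumptions; the sed-based extraction assumes the value is plain base64.

```shell
#!/bin/sh
# Added example. Vault's HTTP API expects a JSON object as the request body,
# so the file is base64-encoded and wrapped in JSON before it is POSTed.
# Assumed environment: VAULT_ADDR (e.g. http://my.system:8200) and VAULT_TOKEN.

# Print {"cert":"<base64 of file>"} for the file named in $1.
# base64 output contains no quotes or backslashes, so no JSON escaping is needed.
build_payload() {
    printf '{"cert":"%s"}' "$(base64 < "$1" | tr -d '\n')"
}

# Read a JSON document on stdin, capture the "cert" value and decode it.
# GNU/BusyBox base64 uses -d; older macOS releases use -D instead.
extract_cert() {
    tr -d '\n' |
        sed -n 's|.*"cert"[[:space:]]*:[[:space:]]*"\([A-Za-z0-9+/=]*\)".*|\1|p' |
        base64 -d
}

# usage: write_cert <file> <path>     e.g. write_cert mycrt.crt bmsec/rawcrt
# --data-binary sends the body unchanged; plain -d @file strips newlines.
write_cert() {
    build_payload "$1" | curl -sS -X POST \
        -H "X-Vault-Token: $VAULT_TOKEN" \
        -H 'Content-Type: application/json' \
        --data-binary @- "$VAULT_ADDR/v1/$2"
}

# usage: read_cert <path> > restored.crt
read_cert() {
    curl -sS -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/$1" | extract_cert
}
```

Export the token from the environment rather than typing it on the command line, so it does not end up in shell history or process listings.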
