Listing backend that contains secrets returns "No value found"

ken....@cloudlock.com

Jun 14, 2016, 12:09:03 PM
to Vault
Hello,

I'm trying to get the `list` command working, and when I use a path that I know has secrets, like `secret/`, and that my user has access to, I get `No value found`. I've tried running the same command on the server, and get the same response. I've also tried using a brand new mount, as well as the API, none of which returned a list of the secrets, as I expect.

Both the client and the server are running v0.52.

Thanks

ken....@cloudlock.com

Jun 14, 2016, 12:24:02 PM
to Vault
When I use the API, I get this response:

curl -X LIST -H "X-Vault-Token: <my_token>" $VAULT_ADDR/v1/secret
{"errors":[]}

vishal nayak

Jun 14, 2016, 12:32:41 PM
to vault...@googlegroups.com
Hi Ken,

Can you cross-check whether the secrets can be read from any of the paths in 'secret/'?

Regards,
Vishal

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/8c4e880f-dbad-4c58-96e7-88608fa1a8c5%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
vn

ken....@cloudlock.com

Jun 14, 2016, 12:35:00 PM
to Vault
Yep, the secrets are able to be read from the root path, so `vault read secret/ken` returns an expected value.

ken....@cloudlock.com

Jun 16, 2016, 10:30:37 AM
to Vault
Any ideas?

vishal nayak

Jun 16, 2016, 10:43:06 AM
to vault...@googlegroups.com
Hi Ken,

This is a strange behavior.
I am not able to understand what could be wrong there.
Running out of thoughts in tackling this.

If the token does not have enough permissions, you should get a "permission denied". So, that's not a problem.
Just to rule out this possibility of permissions coming in the way, can you try listing with 'root' token, if not already?

Regards,
Vishal





--
vn

David Adams

Jun 16, 2016, 11:02:06 AM
to vault...@googlegroups.com
You can also try this to double-check your token's permissions on that path:

curl -is -XPOST -H "X-Vault-Token: <your-token>" $VAULT_ADDR/v1/sys/capabilities-self -d '{"path":"secret"}'


ken....@cloudlock.com

Jun 16, 2016, 11:11:40 AM
to Vault
So when I do that, I get this response:

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Date: Thu, 16 Jun 2016 15:11:14 GMT
Content-Length: 32

{"errors":["unsupported path"]}

ken....@cloudlock.com

Jun 16, 2016, 11:41:40 AM
to Vault
Also tried with the root token and got the same "No value found" error

Jeff Mitchell

Jun 17, 2016, 5:54:49 AM
to vault...@googlegroups.com
Hi Ken,

Can you list your Vault configuration? I'm wondering if one of the
storage backends has a bug here.

Also, your use case so far is:

secret/foo
vault list secret/

Can you see if this works for you (both should, but please humor me)?

secret/foo/bar
vault list secret/foo

Thanks,
Jeff

Ken Petti

Jun 17, 2016, 6:24:04 AM
to vault...@googlegroups.com
What's the best way to dump the configuration?


--
Sent from my phone, please excuse typos and brevity.

Jeff Mitchell

Jun 17, 2016, 6:56:44 AM
to vault...@googlegroups.com
Hi Ken,

You can either paste your config file, or when Vault starts up it
shows a number of configuration items in its log (which is the
foreground stdout if not redirected).

Best,
Jeff

Ken Petti

Jun 17, 2016, 8:13:04 AM
to vault...@googlegroups.com
The config file:
backend "consul" {
  address = "127.0.0.1:8500"
  path = "vault"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_cert_file = "/etc/ssl/private/vault_poc.cert"
  tls_key_file = "/etc/ssl/private/vault_poc.key"
}

//listener "tcp" {
//  address = "0.0.0.0:8200"
//  tls_disable = 1
//}

disable_mlock = true


The startup config:
[root@vault-poc ~]# vault server -config=example.hcl
==> Vault server configuration:

         Log Level: info
             Mlock: supported: true, enabled: false
           Backend: consul (HA available)
 Advertise Address: https://xxx.xx.xx.xxx:8200
        Listener 1: tcp (addr: "0.0.0.0:8200", tls: "enabled")

==> Vault server started! Log data will stream in below:

(I x'd our IP address)

Jeff Mitchell

Jun 17, 2016, 9:40:34 AM
to vault...@googlegroups.com

Config looks fine...how about the commands? Did they return what was expected?

Thanks,
Jeff

Ken Petti

Jun 17, 2016, 9:41:44 AM
to vault...@googlegroups.com
Haven't tried yet. Were you saying I should write a secret at secret/foo/bar first?





--
Ken Petti
Software Development Engineer in Test 

  
CloudLock provides compliance and security solutions for enterprises using public cloud applications like Salesforce and Google Apps. The largest organizations in the world trust CloudLock to secure their data.

Jeff Mitchell

Jun 17, 2016, 9:42:41 AM
to vault...@googlegroups.com

Yes... Basically I'm wondering if somehow you are having an issue listing the mount root but further paths work, or listing generally.

Thanks,
Jeff

Ken Petti

Jun 17, 2016, 9:46:22 AM
to vault...@googlegroups.com
[ubuntu@vault-poc ~]$ vault list -ca-path=/usr/local/share/ca-certificates/vault_poc.cert secret/foo
No value found at secret/foo/

:/ Thanks for all your help, this has been a real blocker for our implementation here.



Jeff Mitchell

Jun 17, 2016, 4:36:26 PM
to vault...@googlegroups.com

Hi Ken,

I'm going to take this thread private so that I can get some more detailed info.

Best,
Jeff

ken....@cloudlock.com

Jun 21, 2016, 10:05:02 AM
to Vault
This has been resolved, just want to follow up. We created a new user to try running the Vault server, and in the process of copying files out of root/the default user to our new user's home dir, we discovered that we had multiple binaries on the machine. The server was being run by root, but I'd updated/verified the version/verified config info based on the copy of the binary in our default user, as we often run things as that user. It wasn't until I killed all running servers and tried it as a new user that I realized we were using the wrong version :/.

Thanks guys, real impressed with the product and esp. the support!
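
The root cause reported in the final message (several copies of the binary on one host, with the server started from a different copy than the one whose version was checked) can be caught with a quick inventory. The script below is an added example, not part of the original thread; its function names and its reliance on `sha256sum`, `pgrep`, `ps` and `/proc` are assumptions for a Linux host.

```sh
#!/bin/sh
# Added example (not from the thread): inventory every copy of a binary and
# show which file each running process was actually started from.
# Assumes a Linux host with sha256sum, pgrep, ps and /proc.

# list_binaries NAME DIR... : print "sha256  path" for each executable NAME.
list_binaries() {
  name=$1; shift
  for dir in "$@"; do
    [ -f "$dir/$name" ] && [ -x "$dir/$name" ] || continue
    printf '%s  %s\n' "$(sha256sum "$dir/$name" | cut -d' ' -f1)" "$dir/$name"
  done
}

# count_distinct NAME DIR... : number of different builds among those copies.
count_distinct() {
  list_binaries "$@" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# running_binaries NAME : "pid user exe-path" for each running process NAME.
running_binaries() {
  for pid in $(pgrep -x "$1" 2>/dev/null); do
    printf '%s %s %s\n' "$pid" "$(ps -o user= -p "$pid")" \
      "$(readlink "/proc/$pid/exe" 2>/dev/null)"
  done
}

# audit NAME DIR... : print the inventory; return 1 if the copies differ.
audit() {
  list_binaries "$@"
  running_binaries "$1"
  n=$(count_distinct "$@")
  if [ "$n" -gt 1 ]; then
    echo "WARNING: $n different builds of '$1'; check which one is running" >&2
    return 1
  fi
}

# Usage: sh audit.sh vault [extra dirs, e.g. other users' home directories]
# Searches the extra directories plus every directory in $PATH.
if [ "$#" -gt 0 ]; then
  bin=$1; shift
  old_ifs=$IFS; IFS=:; set -- "$@" $PATH; IFS=$old_ifs
  audit "$bin" "$@"
fi
```

Reading `/proc/<pid>/exe` for a process owned by another user (such as a server started by root) requires running the script as root.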


