Vault v0.10.1 : Invalid path for a versioned K/V secrets engine


Bhupendra Negi

Jun 5, 2018, 9:56:03 AM
to Vault
Hi,

I am getting the following warning and am not able to retrieve the secret's value with the AppRole authentication method enabled.

ERROR:
Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put' for this operation.

VAULT VERSION:
Vault v0.10.1 ('756fdc4587350daf1c65b93647b2cc31a6f119cd')

VAULT STATUS:

P:\>vault status
Key             Value
---             -----
Seal Type       shamir
Sealed          false
Total Shares    1
Threshold       1
Version         0.10.1
Cluster Name    vault-cluster-b4e60564
Cluster ID      2092464e-63bc-1b0f-3cce-86aa36bf0fab
HA Enabled      false

BUT... after running the following commands, retrieving secrets via Fiddler works. We want the default KV v2 to work instead.

vault secrets disable secret 
vault secrets enable -version=1 -path=secret kv

INFO: The following works via Fiddler

http://127.0.0.1:8200/v1/auth/approle/login -- I am able to get the client token

--
Thanks
Bhupendra

Becca Petrin

Jun 5, 2018, 12:39:05 PM
to Vault
Hi Bhupendra,

I was able to reproduce what you're seeing. I think the issue is with your call to http://127.0.0.1:8200/v1/secret/aws/us-east-1/rcd/servicing/sandbox/AppSettingKey - try http://127.0.0.1:8200/v1/secret/aws/us-east-1/rcd/servicing/sandbox instead. The key and value will be returned in the response body.

Here's a CLI example:
    • vault secrets disable secret
    • vault secrets enable -version=1 -path=secret kv
    • vault kv put secret/aws/us-east-1/rcd/servicing/sandbox AppSettingKey=SOMETHING
    • vault kv get secret/aws/us-east-1/rcd/servicing/sandbox
    I hope that helps!

    -Becca

    @Bhupi

    Jun 5, 2018, 1:22:37 PM
    to Vault
    Hi Becca,

    Prompt action much appreciated, Thanks a lot.

    #1: I want to access the secrets with KV version 2 (which I think is the default in Vault 0.10.1) without enabling v1. In short, I do not want to execute the two vault commands below to get rid of the mentioned error, i.e. Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put' for this operation.

    • vault secrets disable secret
    • vault secrets enable -version=1 -path=secret kv

    Becca Petrin

    Jun 5, 2018, 4:22:33 PM
    to Vault
    Hi Bhupendra,

    Yes, KV version 2 is the default in 10.1 so if you wish to use v2, you don't need to disable secret, then re-enable it.

    So here's how you'd directly read a particular secret in the CLI. Suppose you set a secret like so:
    • vault kv put secret fizz=buzz foo=bar
    You'd read only fizz's value like so:
    • vault kv get -field=fizz secret
    However, via the API there's no equivalent to adding a field parameter and only getting back that one field. The API returns the secret as one complete object it leave is to the caller to drill into the value(s) needed.

    -B

    Becca Petrin

    Jun 5, 2018, 4:25:52 PM
    to Vault
    :-) I was trying to type, "The API returns the secret as one complete object and leaves it to the caller to drill into the value(s) needed."

    @Bhupi

    Jun 6, 2018, 5:36:46 AM
    to Vault
    Hi Becca,


    --
    I do not know if I am explaining the issue I am facing correctly to you, let me reiterate the steps and let me know if you got this.

    VAULT CLI STEPS [Using Command Prompt on Windows 10]

    Step 1:   Starting VAULT Dev Server with token-id ="root"
    • vault server -dev -dev-root-token-id="root"
    Step 2: Setting VAULT_ADDR
    Step 3: Enable AppRole auth method
    • vault auth enable approle
    Step 4: Create policies [adminpolicy],[provisionerpolicy],[apppolicy]
    • vault policy write adminpolicy "C:\Project\IOC\2018\Vault Policies\admin-policy.hcl"
    • vault policy write provisionerpolicy "C:\Project\IOC\2018\Vault Policies\provisioner-policy.hcl"
    • vault policy write apppolicy "C:\Project\IOC\2018\Vault Policies\apppolicy-pol.hcl"
    Step 5: Create a new AppRole [testapprole] 
    • vault write auth/approle/role/testapprole secret_id_ttl=10m token_num_uses=10 token_ttl=20m token_max_ttl=30m secret_id_num_uses=40
    Step 6: Attach policy [adminpolicy],[provisionerpolicy],[apppolicy] to [testapprole] AppRole
    • vault write auth/approle/role/testapprole policies="adminpolicy, provisionerpolicy, apppolicy"
    Step 7: Read the [testapprole] AppRole to verify if [adminpolicy],[provisionerpolicy],[apppolicy]  policies are attached
    • vault read auth/approle/role/testapprole
    Step 8: Creating Secret [AppSettingKey=somesecretvalue] at secret/aws/us-east-1/rcd/servicing/sandbox
    • vault kv put secret/aws/us-east-1/rcd/servicing/sandbox AppSettingKey=somesecretvalue
    Step 9: Get Role ID and Secret ID for [testapprole] approle
    • vault read auth/approle/role/testapprole/role-id -- to be used in Fiddler to make request
    • vault write -f auth/approle/role/testapprole/secret-id --  to be used in Fiddler to make request
    FIDDLER STEPS

    Step 1: Making a POST request via Fiddler on http://127.0.0.1:8200/v1/auth/approle/login with the following Request Body Parameters
    {
      "role_id": "b4f18e75-7c7c-2c60-ab82-2d58bccb9fba",     -- Getting this from Vault CLI Step 9
      "secret_id": "957bceca-8953-d19b-3120-b79392975ad4"    -- Getting this from Vault CLI Step 9
    }


    Response Received:

    {
      "request_id": "7e8c03cc-492d-0ce5-770f-15cca97c54d1",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 0,
      "data": null,
      "wrap_info": null,
      "warnings": null,
      "auth": {
        "client_token": "c1019f2c-6873-77a8-be7c-8c2a7178bb4a",
        "accessor": "09bc2935-d85f-54ac-0e37-a253b1792ba8",
        "policies": [
          "adminpolicy",
          "apppolicy",
          "default",
          "provisionerpolicy"
        ],
        "metadata": {
          "role_name": "testapprole"
        },
        "lease_duration": 1200,
        "renewable": true,
        "entity_id": "434c464c-4172-d737-f077-4a1f64c2c239"
      }
    }


    Step 2: Trying to access created secrets by making a POST or GET request on http://127.0.0.1:8200/v1/secret/aws/us-east-1/rcd/servicing/sandbox/ via Fiddler with the following headers including the client token retrieved in Step 1 post successful authentication

    User-Agent: Fiddler
    Host: 127.0.0.1:8200
    Content-Length: 0
    X-Vault-Token: c1019f2c-6873-77a8-be7c-8c2a7178bb4a


    Response Received:

    {
      "request_id": "c55f3dbe-fb86-33c9-ead3-86fad99f4e26",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 0,
      "data": null,
      "wrap_info": null,
      "warnings": [
        "Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put' for this operation."
      ],
      "auth": null
    }

    My concern is the warning received above in the response. How do I fix this? It's been a few days; I have done my best to get a resolution via groups and the internet but could not do much here.

    VAULT VERSION:
    Vault v0.10.1 ('756fdc4587350daf1c65b93647b2cc31a6f119cd')

    VAULT STATUS:

    P:\>vault status
    Key             Value
    ---             -----
    Seal Type       shamir
    Sealed          false
    Total Shares    1
    Threshold       1
    Version         0.10.1
    Cluster Name    vault-cluster-b4e60564
    Cluster ID      2092464e-63bc-1b0f-3cce-86aa36bf0fab
    HA Enabled      false


    --
    Thanks
    Bhupendra

    Praneeth Cy

    Jun 6, 2018, 10:04:39 AM
    to Vault
    Hi Bhupendra,

    This is how I'd do it for KV Secret engine v2:

    url:


    headers:

    X-Vault-Token: topsecret
    Content-Type: application/json

    Payload

    {
      "options": {
          "cas": 0
      },
      "data": {
          "foo": "bar"
        }
    }

    Hope this helps. 


    Thanks
    Praneeth
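
Added example, not part of any post in this thread: a small offline Python helper tying together the two replies above (Becca's point that the API returns the whole secret and the caller drills into it, and Praneeth's KV v2 write payload). It assumes the Vault KV v2 HTTP API layout, where `data` or `metadata` follows the mount name and the key/value pairs are nested under `data.data`; the function names and the sample responses are constructed for illustration.

```python
import json

# Warning text quoted in this thread (Vault v0.10.1): returned with "data": null
# when a KV v1-style path is requested on a versioned (v2) mount.
V2_PATH_WARNING = "Invalid path for a versioned K/V secrets engine"


def kv2_api_path(mount, secret_path, kind="data"):
    """HTTP API path for a KV v2 secret: 'data' holds the key/value pairs,
    'metadata' holds version information."""
    if kind not in ("data", "metadata"):
        raise ValueError("kind must be 'data' or 'metadata'")
    return "/v1/{}/{}/{}".format(mount.strip("/"), kind, secret_path.strip("/"))


def kv2_write_body(secret, cas=None):
    """Body for a KV v2 write; cas=0 only succeeds if the key does not exist yet."""
    body = {"data": dict(secret)}
    if cas is not None:
        body["options"] = {"cas": cas}
    return body


def kv2_field(response_text, field):
    """Pull one field out of a KV v2 read response; the caller does the drilling."""
    resp = json.loads(response_text)
    for warning in resp.get("warnings") or []:
        if V2_PATH_WARNING in warning:
            raise ValueError("v1-style path used on a KV v2 mount; "
                             "request <mount>/data/<path> instead")
    inner = (resp.get("data") or {}).get("data") or {}  # pairs are nested under data.data
    if field not in inner:
        raise KeyError(field)
    return inner[field]


# Constructed sample responses (not captured from a real server).
GOOD = json.dumps({"data": {"data": {"AppSettingKey": "somesecretvalue"},
                            "metadata": {"version": 1}}, "warnings": None})
BAD = json.dumps({"data": None, "auth": None, "warnings": [
    V2_PATH_WARNING + ". See the API docs for the appropriate API endpoints to use."]})

if __name__ == "__main__":
    print(kv2_api_path("secret", "aws/us-east-1/rcd/servicing/sandbox"))
    print(kv2_field(GOOD, "AppSettingKey"))
```

Checking `warnings` before reading `data` matters here because Vault answers the v1-style path with HTTP success and `"data": null`, so a client that only looks at the status code silently gets no secret.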

    @Bhupi

    Jun 6, 2018, 10:31:42 AM
    to Vault
    Thanks, I appreciate your help. I got this covered by following the link below after searching a lot:


    I would request that this link be mentioned in similar issues on the Vault GitHub issues; this will save a lot of time.

    Bhupendra

    Prashanth M

    Oct 22, 2018, 9:40:13 AM
    to Vault
    Hi,

    I created a local Vault dev server and created a secret in the 'secret/test' path. Now I am trying to access the secret from C# with the piece of code below:

    var kv2Secret = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync("secret/test");

    but I am getting the error

    "Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put' for this operation"

    I am not sure how to specify the path name in the code. Could you please help me with the above?