vault unwrap on windows


Jesse Palmer, Oct 13, 2016, 1:57:31 AM, to Vault
Authenticating with root token, I am able to run the following on linux to get the role-id and secret-id:

vault write auth/approle/role/testrole secret_id_ttl=10m
vault read -wrap-ttl=5m auth/approle/role/testrole/role-id
vault unwrap <wrapping token>
vault write -wrap-ttl=5m -f auth/approle/role/testrole/secret-id
vault unwrap <wrapping token>

However, when I do the same on windows I get the following when attempting to unwrap:

"no value found at cubbyhole/response"

Any ideas?

Thanks.

Jeff Mitchell, Oct 13, 2016, 9:51:28 AM, to vault...@googlegroups.com
What version of Vault?
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/2410ca44-5cd9-4a6d-a3b6-3f6a558e3846%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Jesse Palmer, Oct 13, 2016, 9:57:25 AM, to Vault
0.6.2

Jeff Mitchell, Oct 13, 2016, 10:12:51 AM, to vault...@googlegroups.com
I'm not able to replicate:

PS > $env:VAULT_ADDR = "http://127.0.0.1:8200"
PS > .\vault write secret/foo zip=zap
Success! Data written to: secret/foo
PS > .\vault read -wrap-ttl=5m secret/foo
Key Value
--- -----
wrapping_token: 2c09df5e-8c07-2373-d6c0-0e511ad4aff3
wrapping_token_ttl: 5m0s
wrapping_token_creation_time: 2016-10-13 10:10:49.6189475 -0400 EDT

PS > .\vault unwrap 2c09df5e-8c07-2373-d6c0-0e511ad4aff3
Key Value
--- -----
refresh_interval 768h0m0s
zip zap

Best,
Jeff

Jesse Palmer, Oct 13, 2016, 10:34:34 AM, to Vault
Strange, I ran your commands but got the same error...

PS C:\temp> .\vault write secret/foo zip=zap
Success! Data written to: secret/foo
PS C:\temp> .\vault read -wrap-ttl=5m secret/foo
Key                             Value
---                             -----
wrapping_token:                 154ecaf9-b071-f916-81fc-8a871f8bc046
wrapping_token_ttl:             5m0s
wrapping_token_creation_time:   2016-10-13 10:31:47.413394307 -0400 EDT

PS C:\temp> .\vault unwrap 154ecaf9-b071-f916-81fc-8a871f8bc046
no value found at cubbyhole/response

Jeff Mitchell, Oct 13, 2016, 11:19:49 AM, to vault...@googlegroups.com
Hi Jesse,

If you don't wrap the call, do you get the expected output?

Best,
Jeff

Jesse Palmer, Oct 13, 2016, 12:07:20 PM, to Vault
Hi Jeff,

Yes I get the expected output.

PS C:\temp> .\vault write secret/foo zip=zap
Success! Data written to: secret/foo
PS C:\temp>  .\vault read secret/foo
Key                     Value
---                     -----
refresh_interval        720h0m0s
zip                     zap

Jesse Palmer, Oct 14, 2016, 9:11:31 AM, to Vault
I connected to a local dev vault instance and to another windows machine running a vault server, and was able to successfully unwrap in both cases.

This appears to be a bug when running vault client on windows connecting to a vault server on linux.

Jesse Palmer, Oct 14, 2016, 12:15:12 PM, to Vault
Actually I take that back, the client was 0.6.2 and the server was 0.6.1, which was the issue since the path moved from cubbyhole/response to sys/wrapping in 0.6.2. I thought I downloaded the client/server binaries at the same time, but looks like I was at the cusp of a release cycle.

Jeff Mitchell, Oct 14, 2016, 12:49:54 PM, to vault...@googlegroups.com

Can you file a bug report? The location of the wrapped response did not change so that is a strange error to be getting.

Thanks,
Jeff


Jeff Mitchell, Oct 18, 2016, 10:00:21 AM, to vault...@googlegroups.com
I found the cause of this; it's a logic bug in the fallback for older Vaults in the API.

The workaround for older Vaults is to use a vault read on cubbyhole/response and parse the value manually or via e.g. jq to slice and dice:

VAULT_TOKEN=$TOKEN vault read -field=response cubbyhole/response | jq .

In the next release of Vault you'll be able to use the unwrap command against older Vaults, but you'll need to pass the token into the function rather than setting it as the client token (e.g. vault unwrap $TOKEN). This has to do with how the fallback logic works and the fact that response-wrapped tokens are single-use.

Best,
Jeff
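As an added example, not code from this thread or from Vault's own client: the unwrap fallback Jeff describes, written in Python, with the wrapping token passed explicitly on every call because a response-wrapping token is single-use. The `request` callable interface, the `FakeVault` stand-in (which models a pre-0.6.2 and a 0.6.2 server) and the token value are assumptions constructed for the example.

```python
import json


class UnwrapError(Exception):
    """Raised when neither the new nor the old unwrap path yields a response."""


def unwrap_with_fallback(wrapping_token, request):
    """Unwrap a response-wrapping token against a 0.6.2+ or an older Vault.

    request(method, path, token) -> (status, body) is an injected HTTP callable
    (assumed interface, not Vault's SDK) so the logic runs offline. The wrapping
    token is passed explicitly, never set as the client token: it is single-use.
    """
    # Newer Vaults: the dedicated unwrap endpoint, authenticated as the wrapping token.
    status, body = request("POST", "sys/wrapping/unwrap", wrapping_token)
    if status == 200:
        return body["data"]
    if status != 404:
        raise UnwrapError(f"sys/wrapping/unwrap failed with HTTP {status}")
    # Older Vaults: the wrapped response lives in the token's own cubbyhole under
    # the 'response' key as a JSON string (what 'vault read ... | jq .' parses).
    status, body = request("GET", "cubbyhole/response", wrapping_token)
    if status != 200:
        raise UnwrapError("no value found at cubbyhole/response")
    return json.loads(body["data"]["response"])["data"]


class FakeVault:
    """Constructed stand-in for a Vault server (not real Vault code): models two
    server versions and the single-use nature of wrapping tokens."""

    def __init__(self, version, wrapped_data):
        self.version = version
        # wrapping token -> the secret data it wraps; removed on first use
        self.tokens = {"wt-constructed-1": wrapped_data}

    def request(self, method, path, token):
        if path == "sys/wrapping/unwrap" and self.version < (0, 6, 2):
            return 404, {"errors": []}  # endpoint does not exist on older servers
        if path in ("sys/wrapping/unwrap", "cubbyhole/response"):
            data = self.tokens.pop(token, None)  # either read consumes the token
            if data is None:
                return (404 if path == "cubbyhole/response" else 400), {"errors": []}
            if path == "sys/wrapping/unwrap":
                return 200, {"data": data}
            return 200, {"data": {"response": json.dumps({"data": data})}}
        return 404, {"errors": []}
```

A second call with the same token against either fake server raises `UnwrapError`, which is the behaviour the single-use property implies for a real client.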

Jesse Palmer, Oct 19, 2016, 7:53:45 AM, to Vault
Thanks Jeff.