What is the REST api for read and wrap the secrets in the vault


Will Pinney

Mar 30, 2017, 5:43:47 PM
to Vault
Hi, 

I would like to know how to do step #2 and #3 below via the REST api. I only find the documentation here: https://www.vaultproject.io/api/system/wrapping-wrap.html 

But I can see how I use it without retrieving the actual secret data first before the REST API call to /sys/wrapping/wrap endpoint. Can step #2  be done in one single REST API call to the vault? 

#1. Write secret k/v pairs 
vault write secret/test k1=k1secret k2=k2secret 

#2. Read them and wrap them
vault read -wrap-ttl=60s secret/test
Key                            Value
---                            -----
wrapping_token:                023bbbb8-bdae-yyyy-yyyy-1688eebf598b
wrapping_token_ttl:            60
wrapping_token_creation_time:  2016-06-28 00:36:37.795712351 +0000 UTC

#3. Unwrap of field directly is fine
vault unwrap -field=k1 023bbbb8-bdae-yyyy-yyyy-1688eebf598b
k1secret


Thanks.

Will

Brian Kassouf

Mar 30, 2017, 6:32:56 PM
to vault...@googlegroups.com
Hi Will,

Step #2 can be done via adding the X-Vault-Wrap-TTL header to a
standard http GET request. This will wrap the response from the read
request and return a wrapping token. More information can be found
here: https://www.vaultproject.io/docs/secrets/cubbyhole/index.html#response-wrapping

As for #3 you should be able to use the /sys/wrapping/unwrap endpoint
defined here: https://www.vaultproject.io/api/system/wrapping-unwrap.html
The "-field=k1" flag is just CLI magic and is not supported in the API.

Hope this helps,
Brian
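
The two REST calls described in the reply above, sketched in Python as an added example (not code from the thread or from the Vault project). The Vault address, the function names and the sample JSON responses are assumptions constructed for illustration; the field lookup stands in for the CLI's -field flag, which the API does not offer.

```python
import json
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: local dev server address

def wrapped_read_request(path, client_token, wrap_ttl="60s"):
    """Step #2: an ordinary GET on the secret, plus the X-Vault-Wrap-TTL header."""
    return urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}",
        headers={"X-Vault-Token": client_token, "X-Vault-Wrap-TTL": wrap_ttl},
        method="GET",
    )

def unwrap_request(wrapping_token):
    """Step #3: POST to sys/wrapping/unwrap, authenticating with the wrapping token."""
    return urllib.request.Request(
        f"{VAULT_ADDR}/v1/sys/wrapping/unwrap",
        headers={"X-Vault-Token": wrapping_token},
        method="POST",
    )

def wrapping_token_from(read_response):
    """A wrapped response carries wrap_info in place of the secret data."""
    info = read_response.get("wrap_info")
    if not info or not info.get("token"):
        raise ValueError("response was not wrapped; check the X-Vault-Wrap-TTL header")
    return info["token"]

def field_from(unwrap_response, field):
    """Client-side replacement for the CLI's -field flag."""
    data = unwrap_response.get("data") or {}
    if field not in data:
        raise KeyError(f"field {field!r} not in unwrapped secret")
    return data[field]

def send(req):
    """Send a request to a live Vault. A wrapping token is single-use, so an
    HTTP error on unwrap inside the TTL can mean another party already used it."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

# Constructed sample responses, shaped like Vault's JSON for the thread's secret.
SAMPLE_WRAPPED = {"data": None, "wrap_info": {
    "token": "023bbbb8-bdae-yyyy-yyyy-1688eebf598b", "ttl": 60}}
SAMPLE_UNWRAPPED = {"data": {"k1": "k1secret", "k2": "k2secret"}}

def demo():
    """Offline walk-through: build the unwrap call and pick out field k1."""
    token = wrapping_token_from(SAMPLE_WRAPPED)
    return unwrap_request(token), field_from(SAMPLE_UNWRAPPED, "k1")
```

Against a running server, pass the requests to send() in order: the wrapped read with the client token, then the unwrap with the token taken from wrap_info.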