/aws/roles/ POST API how to pass policy in JSON


Hridyesh Pant

Feb 10, 2016, 7:26:48 AM
to Vault
Hi,
I am trying to use the API to create a role, as per the document:
>>
/aws/roles/

POST 
DESCRIPTION
Creates or updates a named role.
METHOD POST
URL /aws/roles/<name>
PARAMETERS policy required The IAM policy in JSON format.
RETURNS A 204 response code.
>>
My question is how to pass the JSON policy. I tried to pass the policy as {"Version": "2012-10-17","Statement": {"Effect": "Allow","Action": "iam:*","Resource": "*"}}
but I am getting an error saying

{"errors":["Error compacting policy: unexpected end of JSON input"]}
curl: (3) [globbing] unmatched brace in column 1
curl: (6) Could not resolve host: 2012-10-17,Statement
curl: (3) [globbing] unmatched brace in column 1

Can you please suggest what is wrong in my JSON format?

Also, is there a way to pass a JSON file in the command below rather than passing the long JSON inline?
curl -H "X-Vault-Token: *****" -X POST http://127.0.0.1:8200/v1/aws/roles/hpant_s3  <JSON_FILE>

Jeff Mitchell

Feb 10, 2016, 12:35:11 PM
to vault...@googlegroups.com
Hi Hridyesh,

I believe you can use @file to pass in a file as data -- see
http://stackoverflow.com/a/3008448

Passing JSON on the command line can be difficult due to escaping
needs, so a file can certainly help.

Thanks,
Jeff

Hridyesh Pant

Feb 10, 2016, 7:37:46 PM
to Vault
Thanks Jeff.
I tried with @file but it is still giving the same error:
>>{"errors":["Error compacting policy: unexpected end of JSON input"]}

My file data is below. Not sure why it is complaining about an unexpected end of JSON input even though the JSON format is right?
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "iam:*",
    "Resource": "*"
  }
}

--Thanks
Hridyesh

Vishal Nayak

Feb 10, 2016, 8:35:12 PM
to Vault
Hi Hridyesh,

I tried creating the roles locally and did not face any issues.

vault write aws/config/root access_key=ABCD secret_key=EFGH region=us-east-1
vault write aws/roles/test policy=@iampolicy.json
vault read aws/creds/test
Key             Value
lease_id        aws/creds/deploy/ba96f3f7-d2bf-b7d4
lease_duration  2592000
lease_renewable true
access_key      IJKL
secret_key      MNOP
security_token  <nil>

The contents of iampolicy.json are exactly what you provided.

Re-verify the contents of the policy file. You can check the validity of JSON here: http://jsonlint.com/

Regards,
Vishal

Hridyesh Pant

Feb 10, 2016, 9:33:27 PM
to Vault
I am not using the same box where Vault is installed. The same thing works fine with ./vault write aws/roles/deploy policy=@s3_policy.json on the same box.
I am trying to use the API from another box, like: curl -H "X-Vault-Token: *****" -X POST http://127.0.0.1:8200/v1/aws/roles/s3_policy  <JSON_FILE>

--Thanks
Hridyesh

Vishal Nayak

Feb 10, 2016, 10:28:24 PM
to Vault
Hi Hridyesh,

In this case you should use "--data" (or -d) to pass arguments to the API.

curl -H "X-Vault-Token:xxx" -X POST "http://127.0.0.1:8200/v1/aws/roles/test" --data @iampolicy.json

The contents of the policy file are this:
{"policy":"{ \"Version\":\"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Action\": \"iam:*\", \"Resource\": \"*\" } }"}

Let us know if this works for you!

Regards,
Vishal

Hridyesh Pant

Feb 11, 2016, 12:21:28 AM
to Vault
Yes Vishal, that works, but this is really frustrating for a user, having to make a JSON file with \ escaping. Why can't Vault handle the simple JSON format?

Works : {"policy":"{ \"Version\":\"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Action\": \"iam:*\", \"Resource\": \"*\" } }"}

Doesn't work : {"policy":"{ "Version":"2012-10-17", "Statement": { "Effect": "Allow", "Action": "iam:*", "Resource": "*" } }"}


--Thanks

Hridyesh

Vishal Nayak

Feb 11, 2016, 9:17:05 AM
to Vault
Hi Hridyesh,

It is not about Vault not handling JSON format. Vault accepts all valid JSON objects.

In this case, Vault expects the policy to be a string object. Hence the value part of "policy" has to be a string rather than another embedded JSON object.
Hence the escaping. 

I am sure there is a way to escape the JSON object into a string on the command line and then supply it as the value for policy, before sending it to Vault.

Try to look for it.

Regards,
Vishal

Michael Fischer

Feb 11, 2016, 9:31:55 AM
to vault...@googlegroups.com
I agree with Hridyesh on this point: why can't it accept a JSON object as a value? I realize the string requirement is there so you can pass in an HCL-format policy, but if your policy is in JSON format, it seems pointless and confusing to have to escape it first.

Jeff Mitchell

Feb 11, 2016, 10:47:55 AM
to vault...@googlegroups.com
I'm happy to provide an explanation, but first let me note something
that will seem pedantic, but isn't (as I'll explain): Vault *is*
accepting a JSON object: { "policy": "<the policy string>" }.

What's happening here is that the backend is using built-in
validators/helpers on the contents of the data passed to it, and there
is no such validator for JSON. Either for that reason, or for some
other reason, the backend author chose to have the value for the
"policy" key be a string.

I don't know of anything in Vault's core that would stop a Vault
backend from manually decoding JSON; so to answer the question "why
can't it accept a JSON object as a value?" the answer is "it can".
This endpoint in this backend simply doesn't.

PRs to add this support are welcome; I don't think it'd be difficult
and I'm happy to suggest an implementation method if anyone
volunteers.

--Jeff

Jeff Mitchell

Feb 11, 2016, 11:24:28 AM
to vault...@googlegroups.com
By the way, you can use the excellent 'jq' to escape JSON for you,
which can help quite a bit:

$ echo '{ "Version":"2012-10-17", "Statement": { "Effect": "Allow",
"Action": "iam:*", "Resource": "*" } }' | jq '@json'

"{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"iam:*\",\"Resource\":\"*\"}}"

--Jeff
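A worked version of the wrapping Vishal describes and of Jeff's jq trick, added here as an example (it is not code from the thread or from Vault): Python's json module does the escaping that jq '@json' did, a decoder checks that "policy" is a string the way the backend's string field requires, and a helper posts the body to an assumed Vault address and token.

```python
import json
import urllib.request

# Constructed sample: the IAM policy document posted in the thread.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
}

def build_role_body(policy: dict) -> str:
    """Build the body for POST /v1/aws/roles/<name>.

    The backend declares "policy" as a string field, so the IAM document is
    serialised once (to a string), embedded in the outer object, and that
    object is serialised again. The double encoding is what produces the
    backslash escapes seen in the working policy file.
    """
    return json.dumps({"policy": json.dumps(policy, separators=(",", ":"))})

def policy_from_body(body: str) -> dict:
    """Decode a body the way Vault does: outer object, then the inner string."""
    outer = json.loads(body)
    if not isinstance(outer.get("policy"), str):
        raise TypeError('"policy" must be a JSON string, not an embedded object')
    return json.loads(outer["policy"])

def explain_failure(body: str) -> str:
    """Return the decode error for a hand-written body, or "" if accepted."""
    try:
        policy_from_body(body)
        return ""
    except (ValueError, TypeError) as exc:
        return str(exc)

def post_role(vault_addr: str, token: str, name: str, policy: dict) -> int:
    """Send the role to Vault (assumed address and token); 204 means success."""
    req = urllib.request.Request(
        f"{vault_addr}/v1/aws/roles/{name}",
        data=build_role_body(policy).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed bodies Vault rejects: unescaped inner quotes end the outer string
# early (the thread's "Doesn't work" line), and a nested object is not a string.
UNESCAPED_BODY = '{"policy":"{ "Version":"2012-10-17", "Statement": { "Effect": "Allow" } }"}'
OBJECT_BODY = json.dumps({"policy": IAM_POLICY})
```

Writing build_role_body(IAM_POLICY) to a file and passing it with curl --data @file is equivalent to the escaped file Vishal posted.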