AppRole based authentication and reading secrets using role-id and secret-id

I have created a role with default policy. I have role_id and secret_id with me for that role.

I used the REST API to log in as below and fetched the client secret.
http://localhost:8200/v1/auth/approle/login

Using the same secret I logged in to Vault and created a secret under the ‘cubbyhole’ secret engine.

Now, I am not able to read the secret using the role_id and secret_id.

My goal is to read secrets based on role_id and secret id without using Access Token.

Need urgent help.

I’m not an expert, but I don’t think there is a way to access protected paths without a token. For approle, the purpose of the role_id and secret_id is to obtain a token, and then use that token to access the data. Can’t the client use those to log in and generate a new token?

Thanks for the response! I too am trying to read a secret using a token. The token is retrieved by passing the role_id and secret_id to the login api. However, every time I try to access the stored secret, I am getting a permission error.

Following are the overall steps that I have followed:

  1. Logged in to Vault using root token
  2. Created a secret path as ‘Secret1’ having a key-value pair
  3. Created an ACL policy as below:

path "secret/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}

  4. Created a role with ‘token_policies’ as
  5. Fetched role_id and secret_id through REST APIs for that particular role
  6. Fetched client token based on role_id and secret_id through REST API
  7. Logged in to Vault with the client token got in previous step
  8. There when I click secret I get ‘Not Authorized’

Any help is appreciated.

If you’re using KV version 2, the path is a little different. It’s secret/data/whatever_your_secret_is

What path are you trying to read? Also, I just need to double check that KV is in fact mounted at the secret/ path and not the kv/ path?

I am trying to read secret/data/my Secret.

Yes, it’s mounted on secret/ but not kv/.

Is there any way you could paste in your configuration you have for your approle and your policy definitions? I think that would help troubleshoot this.

Role details:

{
  "request_id": "762466f3-c2f0-ae5f-5e36-6386a4f2501c",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "bind_secret_id": true,
    "local_secret_ids": false,
    "policies": [
      "policyallperm"
    ],
    "secret_id_bound_cidrs": null,
    "secret_id_num_uses": 0,
    "secret_id_ttl": 0,
    "token_bound_cidrs": ,
    "token_explicit_max_ttl": 0,
    "token_max_ttl": 14400,
    "token_no_default_policy": false,
    "token_num_uses": 0,
    "token_period": 0,
    "token_policies": [
      "policyallperm"
    ],
    "token_ttl": 3600,
    "token_type": "default"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

Policy details:

path "secret/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}

For your policy details, is that part of policy “policyallperm”?

Yes, it is part of policyallperm

I know you kind of went over this already, but I don’t have any more ideas :frowning:.
You said you were using cubbyhole. That usually mounts at /cubbyhole. I can’t think of anything else, maybe someone else has some ideas.

Cubbyholes are per-token; when the token expires, the cubbyhole is destroyed. So even if you’re using the same role_id and secret_id, if the token has changed the data you wrote to the cubbyhole can no longer be accessed.
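The full flow the replies describe (role_id + secret_id to a token, then a read at the KV v2 path) as an added Python example; it is not code from the thread. It assumes a Vault dev server at localhost:8200 as in the original post, KV v2 mounted at secret/, the role and secret ids supplied in VAULT_ROLE_ID/VAULT_SECRET_ID environment variables, and a simplified policy_allows() helper that models only Vault's trailing-* prefix glob.

```python
import json
import os
import urllib.request

# Assumptions (not from the thread): dev server address, KV v2 at secret/,
# and role_id/secret_id supplied via environment variables.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://localhost:8200")


def approle_login(addr, role_id, secret_id):
    """Exchange role_id + secret_id for a client token via the AppRole login API."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    req = urllib.request.Request(
        f"{addr}/v1/auth/approle/login", data=body,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["auth"]["client_token"]


def kv_read_path(mount, name, kv_version):
    """KV v1 reads <mount>/<name>; KV v2 needs the extra 'data' segment."""
    mount = mount.strip("/")
    return f"{mount}/data/{name}" if kv_version == 2 else f"{mount}/{name}"


def policy_allows(policy_path, request_path):
    """Simplified Vault ACL rule: a trailing '*' is a prefix glob, else exact match.
    (Assumption: '+' segment wildcards and deny rules are not modelled.)"""
    if policy_path.endswith("*"):
        return request_path.startswith(policy_path[:-1])
    return request_path == policy_path


def read_secret(addr, token, path):
    """Read a secret with the token from AppRole login.
    Returns the key-value pairs; KV v2 nests them one level deeper than v1."""
    req = urllib.request.Request(f"{addr}/v1/{path}", headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req) as resp:
        data = json.load(resp)["data"]
    return data.get("data", data)


if __name__ == "__main__":
    token = approle_login(VAULT_ADDR, os.environ["VAULT_ROLE_ID"], os.environ["VAULT_SECRET_ID"])
    path = kv_read_path("secret", "Secret1", kv_version=2)   # secret/data/Secret1
    # A permission error here means the token's policies do not cover this path;
    # a cubbyhole written by an earlier token is simply not visible to a new one.
    print("policy secret/* covers path:", policy_allows("secret/*", path))
    print(read_secret(VAULT_ADDR, token, path))
```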


I have tried with secret as well.