Data is not written to disk from custom plugin

lior · April 23, 2023, 1:00pm

I wrote a custom plugin and enabled it successfully. I can see it at the secrets list:

Path          Type         Accessor              Description
----          ----         --------              -----------
my/           myplugin    my_17369d75            My local plugin
cubbyhole/    cubbyhole    cubbyhole_10c1fbe7    per-token private secret storage
identity/     identity     identity_e4c40d5b     identity store
sys/          system       system_23e8ac04       system endpoints used for control, policy and debugging
transit/      transit      transit_ac536f20      n/a

I sent an HTTP POST request and received a response.
I tried to read the value with read command:

vault read my/id

When I’m trying to read the value I received an error:

No value found at my/id

maxb · April 23, 2023, 6:29pm

Uh… it’s a custom plugin… the behaviour is entirely determined by code that you wrote.

Since you haven’t shown us that code, we have no idea what the correct response would be!

lior · April 24, 2023, 8:12am

My code:

package backend

import (
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/logical"
)

func foo(b *backend) *framework.Path {
	return &framework.Path{
		Pattern:      "path/" + framework.GenericNameRegex("name") + "/my",
		HelpSynopsis: "Create and Sign a transaction object.",


		ExistenceCheck: b.pathExistenceCheck,
		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.CreateOperation: b.boo,
		},
	}
}

The implementation of boo:

func (b *backend) boo(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	...

	booObject, err := b.createboo()
	...
	
	return &logical.Response{
		Data: map[string]interface{}{
			"txid":                transaction.TxID,
			"source_address":      transaction.SourceAddress,
			"destination_address": transaction.DestinationAddress,
			"amount":              transaction.Amount,
			"unsignedtx":          transaction.UnsignedTx,
			"signedtx":            transaction.SignedTx,
		},
	}, nil
}

I will make my question clear: How can I write a data to the vault secrets when I’m writing custom plugin?

maxb · April 24, 2023, 8:33am

This regex clearly does not match the path in

and furthermore, you clearly haven’t implemented a ReadOperation in

so I’m not sure how you expect that read to return anything.

That’s not making it clear… I think you might be misunderstanding what a Vault secret is … it’s a piece of information managed by a Vault plugin… like the one you are writing. It’s not something that necessarily gets written as is. Vault has internal storage, which is used by plugins to store data that they need to track secrets… but that’s something the plugins do by calling other Vault APIs.

I think you might find it helpful to review the source code of the built in Vault K/V secrets plugin, which you can find at GitHub - hashicorp/vault-plugin-secrets-kv

lior · April 24, 2023, 8:47am

This is the part I was missing and haven’t any documentation about it!

The paths I wrote in the question and the code snippet are mocks and not my real implementation as I cannot share them.

My question is more conceptual about what APIs I need to implement in order to communicate with the vault secrets engine.

Is there any reference where the read operation is implement at the kv API?

maxb · April 24, 2023, 8:57am

That’s like turning up at the garage and asking them to tell you how to fix your car, but refusing them access to see your car.

You should consider writing a fully functional, testable, sharable mock, and only adding in confidential content once you have it working.

There is no comprehensive documentation for Vault plugin development, so the best learning source is picking an existing plugin and examining how it works, coupled with personal experimentation. That’s how I learned.

You might choose to start with vault-plugin-secrets-kv/passthrough.go at main · hashicorp/vault-plugin-secrets-kv · GitHub which is the implementation of the KV v1 secrets engine, which is a lot simpler that the KV v2 secrets engine (which is most of the rest of the code in that repository).

lior · April 24, 2023, 11:45am

Thank you for your answer, I will implement the read operation.

I’m suggesting that you’ll create a guide for developers who will help them easy going to the vault ecosystem.