We have an AppRole with a policy called dev-healthcheck that looks like this:

    path "dev-healthcheck/*" {
      capabilities = ["list"]
    }
    path "envdev/*" {
      capabilities = ["list"]
    }
    path "envqa/*" {
      capabilities = ["list"]
    }
    path "envqa2/*" {
      capabilities = ["list"]
    }
    path "envstage/*" {
      capabilities = ["list"]
    }
We are going to need to list the secrets in each of the KV engines listed above.
Now I'm trying to log in using this AppRole's role-id and secret-id and then list the secrets with the PowerShell code below, but I'm getting a permission denied error.
($secret and $api are passed via the command line.)
    # role-id and secret-id have been used to login
    # and the vault_url, vault_token and vault_namespace have been set in
    # the environment variables
    $uri = "$($env:VAULT_ADDR)" + "/v1/$($secret)/data/$($api)?LIST=true"
    $header = @{
        "X-Vault-Token"     = "$($env:VAULT_TOKEN)"
        "X-Vault-Namespace" = "$($env:VAULT_NAMESPACE)"
    }

    #***************************************************************
    # Run the command to list the secrets
    #***************************************************************
    try
    {
        $response = Invoke-RestMethod -Headers $header -ContentType 'application/json' -Method GET -Uri $uri
    }
    catch
    {
        #***************************************************************
        # There was an error so show error message
        #***************************************************************
        $msg            = $_.Exception.Message
        $status         = $_.Exception.Status
        $hr             = "{0:x8}" -f ($_.Exception.HResult)
        $innerException = $_.Exception.InnerException
        # Just issue a warning about being unable to list the secrets...
        Write-Warning("`n`t[$status] `n`t[0x$hr] `n`t[$msg] `n`t[$innerException]")
    }

    #***************************************************************
    # Display the secrets list
    #***************************************************************
    $response.data.data
I can list them using the vault API like this:

    vault kv list envqa

So, what am I doing wrong in the PowerShell code?
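The request in the post is a GET on `<mount>/data/<api>` with an uppercase `LIST=true`. Vault only recognises the lowercase `list=true` query parameter as a LIST operation, and on a KV v2 mount the list endpoint is `<mount>/metadata/<path>`, so the call above is treated as a read of `envqa/data/<api>`, which the `list`-only policy denies. The PowerShell below is an added example, not the poster's code; it assumes the same VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE environment variables, and that the token may query `sys/internal/ui/mounts` (the endpoint the vault CLI itself uses to detect the KV version).

```powershell
# Added example (not the poster's code): list the keys under a KV mount through the
# Vault HTTP API, using the same environment variables the post relies on.
function Get-VaultKvList {
    param(
        [Parameter(Mandatory)] [string] $Mount,   # e.g. 'envqa' (a mount from the post)
        [string] $Path = ''                       # folder inside the mount; '' lists the root
    )

    $base   = $env:VAULT_ADDR.TrimEnd('/')
    $header = @{ 'X-Vault-Token' = $env:VAULT_TOKEN }
    if ($env:VAULT_NAMESPACE) { $header['X-Vault-Namespace'] = $env:VAULT_NAMESPACE }

    # Ask Vault which KV version the mount runs (the vault CLI does the same).
    # data.options.version is "2" for kv-v2; kv-v1 mounts report "1" or no options.
    $mountInfo = Invoke-RestMethod -Headers $header -Method Get `
        -Uri "$base/v1/sys/internal/ui/mounts/$Mount"
    $isV2 = ($mountInfo.data.options.version -eq '2')

    # KV v2 lists under <mount>/metadata/<path>; KV v1 lists directly under <mount>/<path>.
    # "?list=true" (lowercase) turns the GET into a LIST, which is what the "list"
    # capability authorises. A plain GET on <mount>/data/<path> is a read of a secret
    # version and needs the "read" capability, hence the 403 seen in the post.
    $listPath = if ($isV2) { "$Mount/metadata/$Path" } else { "$Mount/$Path" }
    $listPath = $listPath.TrimEnd('/')
    $uri = "$base/v1/$listPath" + '?list=true'

    try {
        $response = Invoke-RestMethod -Headers $header -Method Get -Uri $uri
        return $response.data.keys   # LIST responses carry the names in data.keys
    }
    catch {
        $code = [int]$_.Exception.Response.StatusCode   # 0 when no HTTP response arrived
        if ($code -eq 403) {
            Write-Warning "permission denied on $listPath : the token's policy needs the list capability on that path (a glob such as $Mount/* covers it)"
        }
        elseif ($code -eq 404) {
            Write-Warning "no keys under $listPath"   # Vault answers an empty LIST with 404
        }
        else {
            Write-Warning "Vault returned HTTP $code for $uri : $($_.Exception.Message)"
        }
        return @()
    }
}

# Usage: mount name taken from the post; the sub-path is an assumption.
Get-VaultKvList -Mount 'envqa'
Get-VaultKvList -Mount 'envqa' -Path 'api'
```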