Policy required to push Custom Secret-IDs via API not working

I understand how to push custom secret-ids to the app role via the API. However, we have a CICD app role that is supposed to have the capabilities to do this for all my app roles. Here's my policy:

# Grant permissions on the 'auth/approle/role/+/secret-id' path
path "auth/approle/role/+/secret-id" {
   capabilities = [ "create", "update" ]
}

# Grant permission on the 'auth/approle/role/+/custom-secret-id' path
path "auth/approle/role/+/cusom-secret-id" {
   capabilities = [ "create", "update" ]
}

But I keep getting Permission Denied when I log in with my CICD App Role.

Any ideas?

You misspelt the word "custom" (as "cusom") in the URL path in the policy.

Thanks. I've been working on a PowerShell script to do this for 4 hrs and my eyes aren't as young as they used to be. Using the CLI works:
vault write -f auth/approle/role/<MyAppRole>/custom-secret-id secret_id=<new-secret-id>
but I'm having issues with my PowerShell script. ($approle is passed in to the function.)

try
{
    $uri = "$($env:VAULT_ADDR)" + "/v1/auth/approle/role/$($approle)/custom-secret-id"
    $header = @{
        "X-Vault-Token" = "$($env:VAULT_TOKEN)"
    }
    $GUID = [guid]::NewGuid()

    $payload = @{
        "secret_id" = "$($GUID)"
        "ttl"       = 0
    } | ConvertTo-Json
    Write-Host "Sending Custom Secret-ID"
    $response = Invoke-RestMethod -Headers $header -ContentType 'application/json' -Method POST -Uri $uri -Body $payload
    #***************************************************************
    # Here, I'll be pushing the new secret-id to another PS script
    # so that it can be set in the environment variables on the
    # server that our software is being deployed to.
    #***************************************************************
}
# Note: Windows PowerShell 5.1 throws System.Net.WebException here; PowerShell 7
# throws Microsoft.PowerShell.Commands.HttpResponseException instead, which this
# catch block would not match.
catch [System.Net.WebException]
{
    $msg = $_.Exception.Message + ": in PushCustomSecretID: $($response)"
    $status = $_.Exception.Status
    $hr = "{0:x8}" -f ($_.Exception.HResult)
    $innerException = $_.Exception.InnerException
    $h = $header | ConvertTo-Json
    # Just issue a warning about being unable to send the notification...
    Write-Warning("`n`t[$status] `n`t[0x$hr] `n`t[$msg] `n`t[$innerException]`n`n[URI] $uri`n`t[Header] $h`n`t[Payload] $payload")
    return $False
}

I’m getting a 403 Forbidden error for some reason.

I don’t really do Windows any more.

You could try consulting the Vault audit log, to see what request is actually arriving at Vault.

I don’t have access to that in my company.

It is very easy to run a local Vault server - you just run vault server -dev.

You could then test things out on a local Vault that you have full control over.

After taking the time to set things up, I get NO ERRORS when running this with a local server.

Perhaps what’s sending the 403 isn’t Vault but something in between your PC and the Vault server.

After more testing, I noticed that I was using a PUT vs. a POST; maybe that was it? Because when I changed it to a POST, it looks like it has begun working.
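Two checks that would have shortened the debugging in this thread, as an added example that is not part of the original posts or of Vault's own tooling: before writing, ask Vault what capabilities the current token actually has on the exact custom-secret-id path (so a typo in the policy such as "cusom" shows up as "deny" instead of a bare 403), and on failure inspect the response body, because Vault's own "permission denied" arrives as JSON with an "errors" array while a proxy or WAF in front of Vault usually returns HTML or an empty body. It assumes VAULT_ADDR and VAULT_TOKEN are set in the environment, that the token's policy grants create/update on auth/approle/role/+/custom-secret-id (spelled correctly), and that the sys/capabilities-self response carries the capability list under .data on current Vault versions and at top level on older ones; the function names are hypothetical. Note that Vault's HTTP API treats PUT and POST as the same write operation, so a 403 that changes with the verb is worth attributing to something between the client and Vault rather than to Vault itself.

```powershell
# Added example (not from the original thread): push a custom secret-id to an
# AppRole, checking the token's capabilities first and, on failure, telling a
# Vault "permission denied" apart from a 403 returned by something in front of
# Vault. Assumes VAULT_ADDR and VAULT_TOKEN are set in the environment.

function Get-VaultErrorDetail {
    # Extract the HTTP status and response body from an Invoke-RestMethod
    # failure. Windows PowerShell 5.1 throws System.Net.WebException and
    # PowerShell 7 throws HttpResponseException; both expose .Response and
    # populate $_.ErrorDetails.Message with the body.
    param([Parameter(Mandatory)] $ErrorRecord)

    $status = $null
    $body   = $ErrorRecord.ErrorDetails.Message
    $resp   = $ErrorRecord.Exception.Response
    if ($resp) {
        $status = [int]$resp.StatusCode
        if (-not $body -and $resp.PSObject.Methods['GetResponseStream']) {
            # 5.1 fallback: read the body straight from the HttpWebResponse stream
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            $body = $reader.ReadToEnd()
            $reader.Dispose()
        }
    }
    [pscustomobject]@{ Status = $status; Body = $body }
}

function Test-VaultCapabilities {
    # Ask Vault which capabilities the current token has on a path.
    # "deny" means no policy rule matched that exact path (e.g. a typo).
    param([Parameter(Mandatory)][string] $Path)

    $uri     = "$($env:VAULT_ADDR)/v1/sys/capabilities-self"
    $header  = @{ 'X-Vault-Token' = $env:VAULT_TOKEN }
    $payload = @{ paths = @($Path) } | ConvertTo-Json
    $r = Invoke-RestMethod -Method POST -Uri $uri -Headers $header -ContentType 'application/json' -Body $payload
    # Assumption: current Vault wraps the result in .data, older versions return it at top level
    if ($r.data) { return $r.data.capabilities } else { return $r.capabilities }
}

function Push-CustomSecretId {
    # Hypothetical helper name; returns the new secret-id accessor on success, $null on failure.
    param(
        [Parameter(Mandatory)][string] $AppRole,
        [string] $SecretId = [guid]::NewGuid().ToString()
    )

    $path    = "auth/approle/role/$AppRole/custom-secret-id"
    $uri     = "$($env:VAULT_ADDR)/v1/$path"
    $header  = @{ 'X-Vault-Token' = $env:VAULT_TOKEN }
    # ttl = 0 keeps the role's secret_id_ttl default, as in the thread's script
    $payload = @{ secret_id = $SecretId; ttl = 0 } | ConvertTo-Json

    # Check 1: does the token's policy even cover this exact path?
    $caps = Test-VaultCapabilities -Path $path
    if (($caps -notcontains 'create') -and ($caps -notcontains 'update')) {
        throw "Token lacks create/update on $path (capabilities: $($caps -join ','))"
    }

    try {
        # Vault treats PUT and POST identically for writes; POST is used here for consistency
        $response = Invoke-RestMethod -Method POST -Uri $uri -Headers $header -ContentType 'application/json' -Body $payload
        return $response.data.secret_id_accessor
    }
    catch {
        # Check 2: did the rejection actually come from Vault's API?
        $detail   = Get-VaultErrorDetail -ErrorRecord $_
        $vaultErr = $null
        if ($detail.Body) {
            try { $vaultErr = ($detail.Body | ConvertFrom-Json -ErrorAction Stop).errors } catch { }
        }
        if ($vaultErr) {
            Write-Warning "Vault rejected the write (HTTP $($detail.Status)): $($vaultErr -join '; ')"
        } else {
            Write-Warning "HTTP $($detail.Status) was not a Vault API error; something in between may have answered (body: $($detail.Body))"
        }
        return $null
    }
}

# Usage: $accessor = Push-CustomSecretId -AppRole 'my-app-role'
```

The capability check uses the same token as the write, so "deny" there points at the policy (path spelling, missing capability, or the wrong policy attached to the CICD role), while a 403 whose body is not Vault JSON points at a proxy, load balancer or WAF, which is the distinction raised near the end of the thread.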