Hello All,
Hoping someone could assist please?
Basically I am trying to use powershell to retrieve a secret from Vault using approle.
Unfortunately I am not a powershell expert as well. How can I achieve this using api call within a powershell script so that:
VAULT KV SECRET -----> Pass secret to POWERSHELL and store as a variable
Many thanks.
To further add to my initial post, I am trying to use this powershell command to get a client_token from an approle. However, having issues trying to retrieve the client_token and using that to get the KV secret
$Vault_Address = 'http://127.0.0.1:8200'
$VAULT_ROOT = $Vault_Address + '/v1'
$VAULT_LOGIN_APPROLE = $VAULT_ROOT+'/auth/approle/login'
$VAULT_KV_PATH = $VAULT_ROOT+'/kv/user'
$RoleID = 'fdacdafeasdadfa'
$SecretID = 'ddafdacadcadadc'
#Set env variable for vault address
$ENV:VAULT_ADDR = $Vault_Address
#Payload
$payload = @{
"role_id" = $RoleID
"secret_id" = $SecretID
}
#Get client token from approle login
$Client_Token = Invoke-RestMethod -Method Post -Uri $VAULT_LOGIN_APPROLE -body $payload -Headers @headers
#Set vault token environment variable
$ENV:VAULT_TOKEN = $Client_Token
#Header
$header = @{
'X-Vault-Token' = ${ENV:VAULT_TOKEN}
}
#Get the password from KV
$KV_Password = Invoke-RestMethod -Method Get -Uri $VAULT_KV_PATH -Headers $header
$KV_Password
I am getting the error:
Invoke-RestMethod : {"errors":["missing client token"]}
At line:19 char:16
+ ... ientToken = Invoke-RestMethod -Method Post -Uri $VAULT_LOGIN_APPROLE ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
The vault cli commands below is what I am trying to replicate using powershell api
$ENV:VAULT_ADDR = $vault_addr
$client_token = vault write --field=token auth/approle/logging/login role_id=$approle_id secret_id=$approle_secret
$ENV:VAULT_TOKEN = $client_token
$KV_Password = vault kv get -field=password kv/user
The error I am getting is because of the client token but I thought you would set the environment variable of the client token after you get it from approle login. Just like how it is done on vault CLI. So I am really stuck on this for hours. Any help would be much appreciated. Thanks.
Can you confirm your client token is being returned in this command?
I suspect it isn’t and you need to convert your $payload
variable to JSON. Try this instead:
$payload = @{
"role_id" = $RoleID
"secret_id" = $SecretID
} | ConvertTo-Json
@Linux-Pingu
Have you got this figured out? We’re trying to build scripts to be used in our CI/CD pipelines.
Isn’t it just a typo? Shouln’t it just be as simple as changing “${ENV:VAULT_TOKEN}”
…to either:
$header = @{
"X-Vault-Token" = "$($ENV:VAULT_TOKEN)"
}
…or
$header = @{
Authorization="Bearer $($ENV:VAULT_TOKEN)"
}