I understand that you can push custom secret-ids to the AppRole via the API; however, we have a CI/CD AppRole that is supposed to have the capabilities to do this for my AppRoles. Here's my policy:
# Grant permissions on the 'auth/approle/role/+/secret-id' path
path "auth/approle/role/+/secret-id" {
    capabilities = [ "create", "update" ]
}

# Grant permission on the 'auth/approle/role/+/custom-secret-id' path
path "auth/approle/role/+/custom-secret-id" {
    capabilities = [ "create", "update" ]
}
Using the CLI works:

vault write -f auth/approle/role/<MyAppRole>/custom-secret-id secret_id=<new-secret-id>

but I'm having issues with my PowerShell script. $approle is passed in to the function:
try
{
    $uri = "$($env:VAULT_ADDR)" + "/v1/auth/approle/role/$($approle)/custom-secret-id"
    $header = @{
        "X-Vault-Token" = "$($env:VAULT_TOKEN)"
    }
    $GUID = [guid]::NewGuid()
    $payload = @{
        "secret_id" = "$($GUID)"
        "ttl"       = 0
    } | ConvertTo-Json
    Write-Host "Sending Custom Secret-ID"
    $response = Invoke-RestMethod -Headers $header -ContentType 'application/json' -Method POST -Uri $uri -Body $payload
    #***************************************************************
    # Here, I'll be pushing the new secret-id to another PS script
    # so that it can be set in the environment variables on the
    # server that our software is being deployed to.
    #***************************************************************
}
# Note: Windows PowerShell 5.1 throws System.Net.WebException here; PowerShell 6+ throws
# Microsoft.PowerShell.Commands.HttpResponseException instead, which this filter will not match.
catch [System.Net.WebException]
{
    # $response is never set when we land here (the assignment above threw), so read
    # Vault's JSON error body ({"errors":["..."]}) from the error record instead.
    $msg = $_.Exception.Message + ": in PushCustomSecretID: $($_.ErrorDetails.Message)"
    $status = $_.Exception.Status
    $hr = "{0:x8}" -f ($_.Exception.HResult)
    $innerException = $_.Exception.InnerException
    # Never write the Vault token to the log; redact it before dumping the header.
    $h = @{ "X-Vault-Token" = "<redacted>" } | ConvertTo-Json
    #Just issue a warning about being unable to send the notification...
    Write-Warning "`n`t[$status] `n`t[0x$hr] `n`t[$msg] `n`t[$innerException]`n`n[URI] $uri`n`t[Header] $h`n`t[Payload] $payload"
    return $False
}
I’m getting a 403 Forbidden error for some reason.
Any ideas on what is causing this?
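As an added example (not part of the original post), here is a PowerShell preflight that asks Vault itself what the token may do on the exact path before sending the custom secret-id, and that prints the JSON error body Vault returns on a 403 instead of only the HTTP status. It uses the documented auth/token/lookup-self and sys/capabilities-self endpoints (the default policy grants update on the latter) and assumes VAULT_ADDR and VAULT_TOKEN are set, the AppRole auth method is mounted at the default path approle, and the role name in $role is a placeholder you replace with your own:

```powershell
# Added example, not from the original post. Assumes $env:VAULT_ADDR / $env:VAULT_TOKEN
# are set and the AppRole method is mounted at "approle" (the default).
$role   = "MyAppRole"   # assumption: substitute the real role name
$base   = $env:VAULT_ADDR.TrimEnd('/')
$header = @{ "X-Vault-Token" = $env:VAULT_TOKEN }
$path   = "auth/approle/role/$role/custom-secret-id"

# 1. Which policies is this token actually carrying?
$self = Invoke-RestMethod -Headers $header -Method GET -Uri "$base/v1/auth/token/lookup-self"
Write-Host "Token policies: $($self.data.policies -join ', ')"

# 2. What capabilities does Vault compute for the token on that exact path?
#    sys/capabilities-self returns a property per requested path, e.g. ["deny"] or ["create","update"].
$capBody = @{ paths = @($path) } | ConvertTo-Json
$caps    = Invoke-RestMethod -Headers $header -ContentType 'application/json' -Method POST `
               -Uri "$base/v1/sys/capabilities-self" -Body $capBody
$granted = @($caps.$path)
Write-Host "Capabilities on ${path}: $($granted -join ', ')"
if (($granted -notcontains 'create') -and ($granted -notcontains 'update')) {
    throw "Token lacks create/update on $path (Vault reports: $($granted -join ', '))"
}

# 3. Push the custom secret-id; on failure show the body Vault sent back.
$payload = @{ secret_id = [guid]::NewGuid().ToString(); ttl = 0 } | ConvertTo-Json
try {
    $resp = Invoke-RestMethod -Headers $header -ContentType 'application/json' -Method POST `
                -Uri "$base/v1/$path" -Body $payload
    # data contains secret_id, secret_id_accessor, secret_id_ttl, secret_id_num_uses
    $resp.data
}
catch {
    # Untyped catch so it works on both Windows PowerShell (WebException)
    # and PowerShell 6+ (HttpResponseException).
    if ($_.Exception.Response) {
        Write-Warning "HTTP $([int]$_.Exception.Response.StatusCode) from $path"
    }
    if ($_.ErrorDetails.Message) {
        # e.g. {"errors":["permission denied"]} for a 403
        Write-Warning "Vault said: $($_.ErrorDetails.Message)"
    }
    throw
}
```

If step 2 reports deny on the path while the CLI call with the same token succeeds, compare the two requests rather than the policy: the path Vault evaluates is built from $role exactly as passed to the script (case, whitespace, and the mount path all matter), and the token in VAULT_TOKEN must be the same one the CLI used. The token itself is never written to the console by this script; only its policy names and computed capabilities are.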