【问题标题】:vault read secrets with pythonVault 使用 python 读取机密
【发布时间】:2021-10-24 16:22:46
【问题描述】:

我正在尝试使用 python 从保险库中读取秘密。存在一些安全问题:

我可以确认身份验证正在工作

 client = hvac.Client(url=vault_url)
 client.auth.aws.iam_login(credentials.access_key, credentials.secret_key, credentials.token)

 print(client.is_authenticated())

但读取秘密不起作用:

我试过了:

response = client.secrets.kv.v2.read_secret_version( path='kv-v2/lambda-function')

和:

response = client.secrets.kv.v2.read_secret_version( path='lambda-function')

和:

secret = 'kv-v2/lambda-function'

mount_point, secret_path = secret.split('/', 1)
response = client.secrets.kv.v2.read_secret_version(
    mount_point=mount_point, path=secret_path)

全部收益

[ERROR] Forbidden: 1 error occurred:
* permission denied

制定了以下政策:

path "kv-v2/lambda-function/*" {
    capabilities = ["read"]
}

但我也试过:

path "kv-v2/data/lambda-function/*" {
    capabilities = ["read"]
}

政策与授权相关联:

vault write auth/aws/role/role... \
    auth_type=iam \
    bound_iam_principal_arn="arn:.."
    policies=lambda-function \
    ttl=5m

在 Vault 控制台中,我可以像这样读取秘密:

vault kv get kv-v2/lambda-function

我做错了什么?

【问题讨论】:

    标签: python-3.x aws-lambda hashicorp-vault


    【解决方案1】:

    好的,经过进一步的实验,结果证明正确的策略是:

    path "kv-v2/+/lambda-function*" {
        capabilities = ["read","list"]
    }
    

    正确的暖通空调调用是:

       response = client.secrets.kv.v2.list_secrets(
                            mount_point='kv-v2', path='/')
    
       response = client.secrets.kv.v2.read_secret_version(
                     mount_point='kv-v2', path='/lambda-function')
    

    现在都是花花公子。

    【讨论】:

      猜你喜欢
      • 2020-11-04
      • 2022-08-23
      • 1970-01-01
      • 2022-07-27
      • 1970-01-01
      • 1970-01-01
      • 2019-07-28
      • 1970-01-01
      • 2020-04-26
      相关资源
      最近更新 更多