Unable to retrieve secret using ReadSecretAsync after upgrade #341

Closed
trmartin4 opened this issue Jan 19, 2024 · 1 comment

trmartin4 commented Jan 19, 2024

Describe the bug
We do not receive the expected secret value when attempting to read after updating from 1.7.0 to 1.13.0.1.

VaultSharp Version
1.13.0.1

Vault Version
1.15.4-1

Does this work with Vault CLI?
Yes

Sample Code Snippet

var authMethod = new TokenAuthMethodInfo(_settings.Certificate.VaultToken);
var vaultClientSettings = new VaultClientSettings(_settings.Certificate.VaultServerUri, authMethod);
var vaultClient = new VaultClient(vaultClientSettings);

var mountPoint = string.IsNullOrWhiteSpace(_settings.Certificate.VaultSecretMountPoint) ?
    null : _settings.Certificate.VaultSecretMountPoint;
var secret = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(
    path: _settings.Certificate.VaultSecretPath,
    mountPoint: mountPoint);

if (secret?.Data?.Data?.ContainsKey(_settings.Certificate.VaultSecretDataKey) ?? false)
{
    var certData = secret.Data.Data[_settings.Certificate.VaultSecretDataKey] as string;
    return new X509Certificate2(Convert.FromBase64String(certData),
        _settings.Certificate.VaultSecretFilePassword);
}
else
{
    _logger.LogError("No secret found in Hashicorp Vault with key {key}", _settings.Certificate.VaultSecretDataKey);
}

Exception Details/Stack Trace/Error Message
System.ArgumentNullException: Value cannot be null. (Parameter 's')
at System.Convert.FromBase64String(String s)
at Bit.KeyConnector.Services.HashicorpVaultCertificateProviderService.GetCertificateAsync() in /home/runner/work/key-connector/key-connector/src/KeyConnector/Services/HashicorpVaultCertificateProviderService.cs:line 33

Any additional info
When we upgrade from 1.7.0 to 1.13.0.1, the data that is returned in the secret.Data.Data[key] element can no longer be parsed as a valid base64-encoded string. This appears to be because the contents are not being successfully retrieved from the call to ReadSecretAsync. See below.

Running from 1.7.0, the data property of the JSON response when calling ReadSecretAsync is "data":{"data":{"file":"<snip>"}, where <snip> replaces the contents of the encoded string value.

Running from 1.13.0.1, the data property of the JSON response when calling ReadSecretAsync is "data":{"data":{"file":{"ValueKind":3}}.

I have checked the version update notes and do not see any breaking changes that could have caused this change in behavior, and we are not sure what request changes we might need to make to retrieve the key value correctly on the latest version.

@rajanadar rajanadar self-assigned this Sep 8, 2024
@rajanadar rajanadar added this to the 1.17.5 milestone Sep 8, 2024
@rajanadar (Owner)

@trmartin4 this is not reproing for me. Can you confirm by writing a new secret with encoded data and retrieving it in both versions?
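
Added example, not part of the issue thread and not VaultSharp's own code: the reported `{"ValueKind":3}` output is consistent with the value arriving as a boxed `System.Text.Json.JsonElement` of kind `String`, on which `as string` yields null and `Convert.FromBase64String` then throws. The sketch assumes the secret data is an `IDictionary<string, object>`; `SecretValueReader` and `TryGetString` are hypothetical names and the sample values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

public static class SecretValueReader
{
    // Returns the value as a string whether the client handed back a plain
    // string (as reported on 1.7.0) or a boxed JsonElement (assumed on 1.13.0.1).
    public static bool TryGetString(IDictionary<string, object> data, string key, out string value)
    {
        value = null;
        if (data == null || !data.TryGetValue(key, out var raw) || raw == null)
            return false;

        switch (raw)
        {
            case string s:
                value = s;
                return true;
            case JsonElement e when e.ValueKind == JsonValueKind.String:
                value = e.GetString();
                return value != null;
            default:
                // Unexpected type (object, number, ...): fail closed and
                // never write the raw value to a log.
                return false;
        }
    }

    public static void Main()
    {
        // Constructed sample data, not a real secret: "aGVsbG8=" is base64 for "hello".
        using var doc = JsonDocument.Parse("{\"file\":\"aGVsbG8=\",\"count\":3}");
        var data = new Dictionary<string, object>
        {
            ["file"] = doc.RootElement.GetProperty("file").Clone(),   // JsonElement, kind String
            ["legacy"] = "aGVsbG8=",                                  // plain string
            ["count"] = doc.RootElement.GetProperty("count").Clone()  // JsonElement, kind Number
        };

        foreach (var key in new[] { "file", "legacy", "count", "missing" })
        {
            if (TryGetString(data, key, out var b64))
                Console.WriteLine($"{key}: {Convert.FromBase64String(b64).Length} bytes decoded");
            else
                Console.WriteLine($"{key}: no usable string value");
        }
    }
}
```

With a check like this, a type mismatch surfaces as an explicit "no usable value" branch before the certificate constructor is reached, rather than as an `ArgumentNullException` from the base64 decoder.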
