Cannot login to Vault - invalid role or secret ID

Hi,

I am using TeamCity and trying to create a connection to Hashicorp Vault.

My namespace for Vault is DevOps/Portfolio:

In vault:

My first question, is my namespace format in TeamCity correct?

I can login to the vault from the cli on the vault server:

With the same roleid and secretid, from TeamCity, I get:

0
10 comments

Hi,

> My first question, is my namespace format in TeamCity correct?

Yes, please refer to the screenshot for the correct format.
For example, my current namespace is admin/test/sub, and the format in TeamCity should be the same: admin/test/sub.

I tested it with "read" and "list" permissions in my policy, and it works correctly on my side.
Based on the screenshot, it seems that you might be using the wrong role ID or secret ID. Please make sure that your AppRole is created in the same namespace you are using.
0

Hi, got this fixed. My next question is, on a remote parameter, I get:

However, I am confused on the query. I put:

secret/data/DTRACK_API_KEY!/key

Because the secret in vault looks like:

However, in Paths, I see:

0
Hi, 

Based on the screenshot, it seems that the connection does not have permission to access the secret. Please check the policy associated with your AppRole.

For more details about Vault queries, please refer to our official documentation: https://www.jetbrains.com/help/teamcity/hashicorp-vault.html#Create+and+Set+Up+a+Parameter

• Vault Query: the path to the secret in the `path!/key` format. For example, the following string points the parameter to the "access_key" key of the "awscreds" secret stored in the KV2 engine: `secret/data/awscreds!/access_key`.
0

My policy is as follows:

path "secret/data/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}

The vault query I am confused on. For a secret called DTRACK_API_KEY, the path would be:

secret/data/DTRACK_API_KEY!/

But where is access_key defined in Hashicorp vault?

0

Ok the policy error is resolved, the issue now is the query:

Error while fetching parameter: Failed to fetch data for path /secret/data/DTRACK_API_KEY!: Failed to fetch data for path 'secret/data/DTRACK_API_KEY!'

0

Hi Gurdip,

The error indicates that TeamCity cannot fetch the parameter due to an incorrect path format. In particular, the ! at the end of the path (secret/data/DTRACK_API_KEY!) seems to be the cause.
If you want to fetch the data, you should use the path secret/data/DTRACK_API_KEY!/accesskey.


Best Regards
Tom

0

Hi Gurdip,

Based on the screenshot, it appears that you are using the KV engine rather than the generic secrets engine.

Please ensure that the appropriate policy is added to grant access to the KV engine. In your case, the Vault query should be:

kv/data/DTRACK_API_KEY!/keyName

0

Ok thanks so should be:

kv/data/DTRACK_API_KEY!/a

Where a is the key name. I get 403 now, so I need to check my policy again…

Can you share the policy you tested with?

0

Hi Gurdip,

My test policy configuration:

path "kv/*" {
  capabilities = ["read"]
}

Best Regards,
Tom
0
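The three failures in this thread (a query with no `!/key` part, a query aimed at the `secret` mount when the KV v2 engine is mounted at `kv`, and a policy that does not cover the `kv/data/...` path) can be caught before the parameter is saved. The following pre-flight checker is an added example, not code from TeamCity, Vault or anyone in this thread; the policies and the mount set `KV2_MOUNTS` are constructed from what the thread shows, and the policy matcher only models a trailing `*` and a `+` segment, which is an assumption of this example.

```python
from typing import Dict, List, Set, Tuple

# Constructed samples: the two policies quoted in this thread, as {path pattern: capabilities}.
POLICY_SECRET_ONLY = {"secret/data/*": ["create", "read", "update", "patch", "delete", "list"]}
POLICY_KV_READ = {"kv/*": ["read"]}
KV2_MOUNTS = {"kv"}  # constructed: the thread's KV v2 engine is mounted at "kv", not "secret"


def parse_vault_query(query: str) -> Tuple[str, str]:
    """Split a TeamCity query 'path!/key' into (path, key); reject a missing key."""
    if "!/" not in query:
        raise ValueError(f"{query!r} has no '!/key' suffix, so there is no key to select")
    path, key = query.split("!/", 1)
    if not key or "/" in key:
        raise ValueError(f"{query!r}: the key after '!/' must be a single non-empty name")
    return path.strip("/"), key


def _path_matches(pattern: str, path: str) -> bool:
    """Vault policy path matching for the common forms only (assumption of this example):
    a trailing '*' matches any suffix, and a '+' segment matches exactly one segment."""
    glob = pattern.endswith("*")
    pat = (pattern[:-1] if glob else pattern).split("/")
    segs = path.split("/")
    if glob:
        head, last = pat[:-1], pat[-1]
        return (len(segs) >= len(pat)
                and all(p == "+" or p == s for p, s in zip(head, segs))
                and segs[len(head)].startswith(last))
    return len(pat) == len(segs) and all(p == "+" or p == s for p, s in zip(pat, segs))


def check_query(query: str, policy: Dict[str, List[str]], kv2_mounts: Set[str]) -> str:
    """Return 'ok', or the reason the fetch would fail, in the order TeamCity/Vault would hit them."""
    try:
        path, _key = parse_vault_query(query)
    except ValueError as err:
        return f"bad query: {err}"
    parts = path.split("/")
    # KV v2 reads go through <mount>/data/<secret>; that full path is what the policy must cover.
    if len(parts) < 3 or parts[1] != "data":
        return f"bad query: {path!r} is not of the form <mount>/data/<secret>"
    if parts[0] not in kv2_mounts:
        return f"bad query: no KV v2 engine is mounted at {parts[0]!r}"
    if any(_path_matches(pat, path) and "read" in caps for pat, caps in policy.items()):
        return "ok"
    return f"403: no policy rule grants 'read' on {path!r}"
```

Running `check_query("kv/data/DTRACK_API_KEY!/a", POLICY_KV_READ, KV2_MOUNTS)` returns `"ok"`, while the same query under `POLICY_SECRET_ONLY` reports the 403 seen above.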

That fixed it, thanks!

0
