Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DynamoDB backend is failing to list secrets in the Generic Secret provider #2789

Closed
ebekker opened this issue Jun 1, 2017 · 2 comments
Closed

DynamoDB backend is failing to list secrets in the Generic Secret provider #2789

ebekker opened this issue Jun 1, 2017 · 2 comments
Milestone
0.7.3

Comments

@ebekker
Copy link
Contributor

ebekker commented Jun 1, 2017
edited
Loading

This is using Vault 0.7.2 on a Windows platform. I've tried running it in both single-node mode as well as HA-mode with 2 nodes using the DynamoDB storage backend. I'm using an account that has full permissions against the DynamoDB table instance that's being used for storage.

I can read and write secrets to the default Secret Provider mount at /secret, but if I try to list, I get an error (in the case of the CLI it returns no secrets found, but if I use the API directly, I see it's returning back an error).

For example, assuming I have written 2 secret entries named s1 and s2:

C:\test\local>vault read -address=http://127.0.0.1:8200 secret/s1
Key                     Value
---                     -----
refresh_interval        768h0m0s
foo1                    bar1


C:\test\local>vault read -address=http://127.0.0.1:8200 secret/s2
Key                     Value
---                     -----
refresh_interval        768h0m0s
foo2                    bar2
foobar2                 foobaz2

C:\test\local>vault list -address=http://127.0.0.1:8200 secret
No value found at secret/

If I use the HTTP API directly, when listing the secrets at /secret I get back this response:
Request:

GET http://127.0.0.1:8200/v1/secret?list=true HTTP/1.1
X-Vault-Token: xxxx
Host: 10.20.1.61:8200

Response:

HTTP/1.1 404 Not Found
Cache-Control: no-store
Content-Type: application/json
Date: Thu, 01 Jun 2017 19:03:05 GMT
Content-Length: 14

{"errors":[]}

Just for comparison, I ran the same set of tests on Vault instances using Consul and S3 storage backends, and they worked as expected.
@ebekker
Copy link
Contributor Author

ebekker commented Jun 1, 2017

Also confirmed issue exists with latest, local build against master.

@ebekker
Copy link
Contributor Author

ebekker commented Jun 1, 2017

I think I found the culprit, in physical/dynamodb.go, in func recordPathForVaultKey:

func recordPathForVaultKey(key string) string {
	if strings.Contains(key, "/") {
		newPath := filepath.Dir(key)
		return newPath
	}
	return DynamoDBEmptyPath
}

As I mentioned, in my dev environment, I'm running Vault on Windows, and filepath.Dir sanitizes the path by replacing path segment separators as appropriate for the current platform. So even though the key path is not a true file system path (used for record identifier in DynamoDB), it still corrects the path for the current OS separator.

Other parts of the DynamoDB backend provider assume a / separator.

ebekker added a commit to zyborg/hc-vault that referenced this issue Jun 1, 2017
@ebekker
Fixes hashicorp#2789
3671861 
Corrects DynamoDB record path resolution when running Vault server on
Windows
@briankassouf briankassouf added this to the 0.7.3 milestone Jun 1, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.7.3
Development

No branches or pull requests
2 participants
@briankassouf @ebekker