
I logged in via the CLI using my standard Token obtained from the UI. Then I ran this to get a wrapping token:

```bash
vault write auth/approle/login role_id="e309ea24-994c-771e-939f-49e24a936ef2" secret_id="9597c7d0-3a88-c8f7-e43f-e8999600e38e"
```

that call returned:

```
Key                     Value
---                     -----
token                   s.5NuuJxEfdiJrfSiXXCU5MjZ6.dYgGw
token_accessor          3JFGpuaO45DuxD9nd6mUL6ic.dYgGw
token_duration          1h
token_renewable         true
token_policies          ["default" "transaction"]
identity_policies       []
policies                ["default" "transaction"]
token_meta_role_name    transaction
```

Now, I used the token in an unwrapping call like this:

```csharp
IVaultClient vaultClientForUnwrapping = new VaultClient(
    new VaultClientSettings(_settings.Address, new TokenAuthMethodInfo(vaultToken: wrappingToken))
);

string appRoleAuthSecretId
    = vaultClientForUnwrapping.V1.System
        .UnwrapWrappedResponseDataAsync<Dictionary<string, object>>(tokenId: null)
            .Result.Data["secret_id"]
                .ToString();
```

And when attempting to run the Unwrapping call above, I get this exception:

```
One or more errors occurred. ({"errors":["wrapping token is not valid or does not exist"]}
```

Can anyone help out here?

MB34

1 Answer


The call `vault write auth/approle/login role_id="e309ea24-994c-771e-939f-49e24a936ef2" secret_id="9597c7d0-3a88-c8f7-e43f-e8999600e38e"` is not returning a wrapped token, but instead a raw token.

Essentially, in order to get a wrapped token, you need to provide the -wrap-ttl flag.

```bash
#!/usr/bin/env bash

# Start a throwaway dev server and wait until it answers before using it
vault server -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 &
VAULT_SERVER_PID=$!
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root
until vault status >/dev/null 2>&1; do sleep 1; done

# Create a role and fetch the credentials it will log in with
vault auth enable approle
vault write auth/approle/role/test-role policies=default
ROLE_ID=$(vault read -format=json auth/approle/role/test-role/role-id | jq -r .data.role_id)
SECRET_ID=$(vault write -f -format=json auth/approle/role/test-role/secret-id | jq -r .data.secret_id)

# -wrap-ttl is what makes the login return a single-use wrapping token (wrap_info.token)
VAULT_WRAP_TOKEN=$(vault write -wrap-ttl=1h -format=json auth/approle/login role_id=${ROLE_ID} secret_id=${SECRET_ID} | jq -r .wrap_info.token)

# Unwrap with the wrapping token itself as the client token; this consumes it
VAULT_TOKEN=${VAULT_WRAP_TOKEN} vault write -f sys/wrapping/unwrap

kill -9 ${VAULT_SERVER_PID}
```

This is a sample script that would provide an actual wrapped token, and the process for unwrapping it. You can add the -output-curl-string flag to any of the vault commands above to see what the API commands might be. I've used jq for the programmatic passing of IDs to the next commands, but you can omit the -format=json and trailing | jq -r ... if you wish to see the table-formatted responses from the vault binary.

The reason that most libraries that require Vault Tokens do the wrapping step is so that it can be certain that nothing except the end user of the token has ever seen the token. A wrapping token can only be used once, and so ensures that nothing else has unwrapped the token before being used.

However, in the case of VaultSharp, a casual glance suggests that you can pass the Role ID and Secret ID directly to the library and have it generate its own tokens on demand. You may wish to look into this instead.

spurgavie
  • Every time I run with the token that is returned, even with the wrap-ttl flag, I get a "wrapping token is not valid or does not exist" error. Also, that version of AppRoleAuthenticationInfo, that uses the mountPoint, can be used but there is another version that uses only the role_id and secret_id, which I'm using. Using that only returns a "Client Token Missing" error – MB34 Aug 18 '22 at 16:27
  • @MB34 Can you please let me know the json response you get with the wrap-ttl flag, and then your VaultSharp usage code? Also, let me know the Vault version and VaultSharp version being used. Feel free to create a GH issue on my project as well – Raja Nadar Aug 21 '22 at 03:18
  • The UI version we have is _1.3.2+prem_. My local CLI is _v1.11.0 (ea296ccf58507b25051bc0597379c467046eb2f1), built 2022-06-17T15:48:44Z_. I'll post an issue on GitHub. – MB34 Aug 22 '22 at 15:59
  • @RajaNadar, VaultSharp version is _1.7.0.4_, I posted the entire issue on GH...[https://github.com/rajanadar/VaultSharp/issues/276](https://github.com/rajanadar/VaultSharp/issues/276) – MB34 Aug 22 '22 at 18:50
  • @spurgavie, I have tried using this via the CLI after logging in with my UI token. I have set my VAULT_ADDR and VAULT_NAMESPACE env variables to what we use. _I am on Windows so cannot use jq_ `vault read -format=json auth/approle/role/trans/role-id SET ROLE_ID= vault write -f -format=json auth/approle/role/trans/secret-id SET SECRET_ID= vault write -wrap-ttl=1h -format=json auth/approle/login role_id=%ROLE_ID% secret_id=%SECRET_ID% SET VAULT_TOKEN= vault write -f sys/wrapping/unwrap` – MB34 Aug 23 '22 at 19:24
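As an added example (not code from the question, the answer, or VaultSharp), the same flow against Vault's HTTP API in Python, with the check the CLI output alone hides: the login response is inspected for `wrap_info` before its token is handed to `sys/wrapping/unwrap`, and the wrap token's `creation_path` is looked up first so a token minted elsewhere is refused. `VAULT_ADDR`, the function names and the namespace handling are assumptions; the headers are the ones the `vault` CLI sends for `-wrap-ttl` and `VAULT_NAMESPACE`.

```python
import json
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumed dev-server address, as in the answer's script

class WrapError(Exception):
    """The response was not the wrapped response the caller expected."""

def vault_post(path, body=None, token=None, wrap_ttl=None, namespace=None, opener=urllib.request.urlopen):
    """POST to the Vault API; X-Vault-Wrap-TTL is what the CLI's -wrap-ttl flag sends."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    if wrap_ttl:
        headers["X-Vault-Wrap-TTL"] = wrap_ttl
    if namespace:  # Enterprise namespace, what the asker sets via VAULT_NAMESPACE
        headers["X-Vault-Namespace"] = namespace
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", method="POST",
                                 data=json.dumps(body or {}).encode(), headers=headers)
    with opener(req) as resp:
        return json.load(resp)

def login_kind(login_response):
    """'wrapped' if wrap_info is present; 'raw' if auth.client_token came back directly."""
    if login_response.get("wrap_info"):
        return "wrapped"
    return "raw" if login_response.get("auth") else "unknown"

def extract_wrap_token(login_response):
    """Only a wrapped response holds a token that sys/wrapping/unwrap accepts; a raw token
    there is rejected with 'wrapping token is not valid or does not exist'."""
    if login_kind(login_response) != "wrapped":
        raise WrapError("login returned a raw token: repeat the call with a wrap TTL")
    return login_response["wrap_info"]["token"]

def verify_creation_path(lookup_response, expected_path):
    """sys/wrapping/lookup does not consume the token, so creation_path is checked before unwrapping."""
    return lookup_response.get("data", {}).get("creation_path") == expected_path

def wrapped_approle_login(role_id, secret_id, wrap_ttl="1h", namespace=None, opener=urllib.request.urlopen):
    """Log in with response wrapping, check the wrap token, then unwrap it exactly once."""
    login = vault_post("auth/approle/login", {"role_id": role_id, "secret_id": secret_id},
                       wrap_ttl=wrap_ttl, namespace=namespace, opener=opener)
    wrap_token = extract_wrap_token(login)
    lookup = vault_post("sys/wrapping/lookup", {"token": wrap_token}, token=wrap_token,
                        namespace=namespace, opener=opener)
    if not verify_creation_path(lookup, "auth/approle/login"):
        raise WrapError("wrap token was not created by auth/approle/login; refusing to unwrap")
    unwrapped = vault_post("sys/wrapping/unwrap", token=wrap_token, namespace=namespace, opener=opener)
    return unwrapped["auth"]["client_token"]  # the real login token, seen only by this process
```

A raw login response (the shape in the question, `auth` populated and no `wrap_info`) makes `extract_wrap_token` raise before anything is sent to `sys/wrapping/unwrap`, which is the failure the question hits one call later.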