I would like to read my secret from a pod with python.
I try with this:
import hvac

# Service-account JWT that Kubernetes mounts into the pod
with open('/var/run/secrets/kubernetes.io/serviceaccount/token') as f:
    jwt = f.read()

client = hvac.Client(url='https://vault.mydomain.internal')
client.auth_kubernetes("default", jwt)   # Kubernetes auth method, role "default"
print(client.read('secret/pippo/pluto'))  # this is what prints None
I'm sure that secret/pippo/pluto exists.
I'm sure that I'm properly authenticated.
But I always receive "None" in answer to my print.
Where can I look to solve this?
Thanks a lot
If you read a KV value from Vault, you need the mount point and the path. Example:
vault_client.secrets.kv.v1.read_secret(
    path=path,
    mount_point=mount_point
)
I've tried the method you provided in my k8s Python3 pod, and I can get Vault secret data successfully.
You need to specify the correct vault token
parameter in your hvac.Client and disable the client.auth_kubernetes
method.
Give it a shot, and remember your code should run in the k8s Python container instead of on your host machine.
import hvac

# Read the service-account JWT the pod was started with
f = open('/var/run/secrets/kubernetes.io/serviceaccount/token')
jwt = f.read()
print("jwt:", jwt)
f.close()

# Token auth: the client is created with an existing Vault token
client = hvac.Client(url='http://vault:8200', token='your_vault_token')
# res = client.auth_kubernetes("envelope-creator", jwt)
res = client.is_authenticated()
print("res:", res)

# KV v2 mount "secret": the read path needs the "data/" segment
hvac_secrets_data_k8s = client.read('secret/data/compliance')
print("hvac_secrets_data_k8s:", hvac_secrets_data_k8s)
Below is the result:
92:qfedu shawn$ docker exec -it 202a119367a4 bash
airflow@airflow-858d8c6fcf-bgmwn:~$ ls
airflow-webserver.pid airflow.cfg config dags logs test_valut_in_webserver.py unittests.cfg webserver_config.py
airflow@airflow-858d8c6fcf-bgmwn:~$ python test_valut_in_webserver.py
jwt: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia
res: True
hvac_secrets_data_k8s: {'request_id': '80caf0cb-8c12-12d2-6517-530eecebd1e0', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'data': {'s3AccessKey': 'XXXX', 's3AccessKeyId': 'XXXX', 'sftpPassword': 'XXXX', 'sftpUser': 'XXXX'}, 'metadata': {'created_time': '2020-02-07T14:04:26.7986128Z', 'deletion_time': '', 'destroyed': False, 'version': 4}}, 'wrap_info': None, 'warnings': None, 'auth': None}
I found it easier to use hvac for authentication, and then use the API directly.
You can skip this and use the root/dev token for testing.
import getpass
import hvac as h

client = h.Client(url='https://<vault url>:8200/')
username = input("username")
password = getpass.getpass()
# Log in with the userpass auth method (assumed; the original post omits the login call)
client.auth.userpass.login(username=username, password=password)
print(client.token)  # the client token Vault issued for this login
del username, password
Get the list of mounts:
import requests, json

vault_url = 'https://<vault url>:8200/'
vault_token = '<vault token>'
headers = {
    'X-Vault-Token': vault_token
}
response = requests.get(vault_url + 'v1/sys/mounts', headers=headers)
json.loads(response.text).keys()  # the ones ending with / are your mount names
Then get the password (you have to create one first):
mount = '<mount name>'
secret = '<secret name>'
response = requests.get(vault_url + 'v1/' + mount + '/' + secret, headers=headers)
response.text
For the username/password to get access to a password created by root, you have to add the path in the JSON under Policies.
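The None in the question and the secret/data/compliance path in the answer above come from the same thing: on a KV v2 mount the read path carries an extra data/ segment and the response nests the key/value pairs one level deeper, and hvac's client.read() turns Vault's 404 into None rather than raising. The following is an added example, not code from the question or any of the answers. It shows how to tell the KV version from the sys/mounts listing, build the right path for either version, and fail loudly when a read returns nothing; FakeVaultClient, SAMPLE_MOUNTS and FAKE_STORE are constructed stand-ins so the example runs offline, and in a pod you would pass the real hvac.Client from the question (authenticated with auth_kubernetes, so no token has to be pasted into the code) in place of the fake.

```python
"""Read a KV secret from Vault without silently treating None as the answer."""
from typing import Any, Dict

# Constructed sample of what GET /v1/sys/mounts returns (trimmed); the
# "options.version" field is what distinguishes KV v1 from KV v2.
SAMPLE_MOUNTS = {
    "secret/": {"type": "kv", "options": {"version": "2"}},
    "legacy/": {"type": "kv", "options": {"version": "1"}},
    "cubbyhole/": {"type": "cubbyhole", "options": None},
}


def kv_version(mounts: Dict[str, Any], mount_point: str) -> int:
    """Return 1 or 2 for a KV mount, using the sys/mounts listing."""
    info = mounts.get(mount_point.strip("/") + "/")
    if info is None:
        raise KeyError(f"no mount named {mount_point!r}")
    if info.get("type") != "kv":
        raise ValueError(f"{mount_point!r} is a {info.get('type')} mount, not kv")
    return int((info.get("options") or {}).get("version", "1"))


def kv_read_path(mount_point: str, path: str, version: int) -> str:
    """Build the path for client.read().

    KV v1:  <mount>/<path>
    KV v2:  <mount>/data/<path>   (reading <mount>/<path> on v2 yields None)
    """
    mount_point = mount_point.strip("/")
    path = path.strip("/")
    if version == 2:
        return f"{mount_point}/data/{path}"
    return f"{mount_point}/{path}"


def secret_data(response: Dict[str, Any], version: int) -> Dict[str, Any]:
    """Extract the key/value pairs; v2 nests them under data.data."""
    data = response["data"]
    return data["data"] if version == 2 else data


def read_kv_secret(client, mount_point: str, path: str, version: int) -> Dict[str, Any]:
    """Read a secret via client.read() and raise instead of returning None."""
    api_path = kv_read_path(mount_point, path, version)
    response = client.read(api_path)
    if response is None:
        raise LookupError(
            f"Vault returned nothing for {api_path!r}: wrong KV path, "
            "no such secret, or the policy denies read"
        )
    return secret_data(response, version)


class FakeVaultClient:
    """Stand-in for hvac.Client so the example runs offline (constructed).

    Its read() mimics hvac: a 404 from Vault becomes None.
    """

    def __init__(self, store: Dict[str, Any]):
        self._store = store

    def read(self, path: str):
        return self._store.get(path)


# Constructed data modelled on the response shape shown in the answer above.
FAKE_STORE = {
    "secret/data/pippo/pluto": {
        "request_id": "constructed",
        "data": {
            "data": {"username": "pippo", "password": "not-a-real-password"},
            "metadata": {"version": 1},
        },
    },
    "legacy/pippo/pluto": {"request_id": "constructed", "data": {"username": "old"}},
}


def demo() -> Dict[str, Dict[str, Any]]:
    """Read the same logical secret from a v2 and a v1 mount."""
    client = FakeVaultClient(FAKE_STORE)
    v2 = kv_version(SAMPLE_MOUNTS, "secret")
    v1 = kv_version(SAMPLE_MOUNTS, "legacy")
    return {
        "v2": read_kv_secret(client, "secret", "pippo/pluto", v2),
        "v1": read_kv_secret(client, "legacy", "pippo/pluto", v1),
    }


if __name__ == "__main__":
    print(demo())
    # The question's call (secret/pippo/pluto on a v2 mount) now fails loudly
    try:
        read_kv_secret(FakeVaultClient(FAKE_STORE), "secret", "pippo/pluto", 1)
    except LookupError as exc:
        print("expected failure:", exc)
```

The version check against sys/mounts is worth doing once at startup: a None from client.read() is indistinguishable from a denied policy or a typo in the path, so raising on it surfaces the misconfiguration at the point of the read instead of wherever the None is first dereferenced.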
As @shawn mentioned above, the commands below work for me as well:
import hvac

vault_url = 'https://<vault url>:8200/'
vault_token = '<vault token>'
# CA bundle the pod uses to verify the Vault server certificate
ca_path = '/run/secrets/kubernetes.io/serviceaccount/ca.crt'
secret_path = '<secret path in vault>'

client = hvac.Client(url=vault_url, token=vault_token, verify=ca_path)
client.is_authenticated()
read_secret_result = client.read(secret_path)
print(read_secret_result)
print(read_secret_result['data']['username'])
print(read_secret_result['data']['password'])
Note: ca_path is where the pod stores the k8s CA, and usually it should be found under "/run/secrets/kubernetes.io/serviceaccount/ca.crt".