VaultSharp
Support Metadata LIST
Describe the feature request or question: Support for listing all keys at mount-path.
e.g.
curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://127.0.0.1:8200/v1/secret/metadata/my-secret
Link to the Vault API Docs that support this feature: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#list-secrets
Additional context: N/A
Hey @FinHorsley,
public async Task<Secret<ListInfo>> ReadSecretPathsAsync(string path, string mountPoint = null, string wrapTimeToLive = null)
Here is a link to its usage and documentation: https://github.com/rajanadar/VaultSharp#list-secrets
Hey there is this method already available, can you validate if this works?
Thanks, @konidev20
@konidev20 Ah, sorry, I sent the wrong request 🤦♂️
I meant to use the following, to get a list of all keys at the mountPath (rather than just all keys for a given secret path, within a mountPath)
curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://127.0.0.1:8200/v1/kv-clients/metadata
which gives a response of
{"request_id":"6a7fb8b6-ce32-86cc-5075-16c3403418c4","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["client:x","client:y","client:q","client:z"]},"wrap_info":null,"warnings":null,"auth":null}
However, I can't do the same with VaultSharp as ReadSecretPathsAsync requires the path and mountPath. I tried passing null (and string.Empty), see below, but that errored with a Vault exception
await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync(
    null, // 👈 causes Vault exception
    mountPoint: "kv-clients");
Got it working with the following, but I'm not sure if this is abusing the VaultSharp methods?
await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync(
    "/", // 👈 returns all keys in mountPath "kv-clients"
    mountPoint: "kv-clients");
However, I can't do the same with VaultSharp as ReadSecretPathsAsync requires the path and mountPath. I tried passing null (and string.Empty), see below, but that errored with a Vault exception
You're right, this is because we have a Checker.NotNull("path") in the KeyValueSecretsEngineV2Provider.
Got it working with the following, but I'm not sure if this is abusing the VaultSharp methods?
The code snippet you provided would certainly work. And IMO is not a misuse.
I think we can do without the Checker.NotNull("path"). I will raise a PR with that change. According to the API reference, it must be allowed.
[Edit]
Vault documentation shows that the path value is <required>.
path (string: <required>) – Specifies the path of the secrets to list. This is specified as part of the URL.
I would recommend you to continue the second method you have shown above.
[/Edit]
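The "/" workaround from this thread, extended into a walk of the whole mount, as an added example that is not VaultSharp project code or code from either poster. It goes beyond the thread by following folder entries (keys that Vault returns with a trailing "/"); the `KvMountLister` class and the use of a `VAULT_TOKEN` environment variable are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using VaultSharp;
using VaultSharp.Core;
using VaultSharp.V1.AuthMethods.Token;

// Hypothetical helper for illustration; not part of VaultSharp.
public static class KvMountLister
{
    // Returns every secret path under a KV v2 mount, starting from the mount root.
    public static async Task<List<string>> ListAllAsync(IVaultClient client, string mountPoint)
    {
        var found = new List<string>();
        var pending = new Stack<string>();
        pending.Push("/"); // "/" lists the mount root, as shown in the thread

        while (pending.Count > 0)
        {
            string folder = pending.Pop();
            IEnumerable<string> keys;
            try
            {
                var result = await client.V1.Secrets.KeyValue.V2
                    .ReadSecretPathsAsync(folder, mountPoint: mountPoint);
                keys = result.Data.Keys;
            }
            catch (VaultApiException ex) when (ex.HttpStatusCode == HttpStatusCode.NotFound)
            {
                continue; // Vault answers 404 when nothing is listable at this path
            }

            string prefix = folder == "/" ? "" : folder;
            foreach (string key in keys)
            {
                if (key.EndsWith("/")) pending.Push(prefix + key); // folder: list it later
                else found.Add(prefix + key);                      // leaf: a secret's path
            }
        }
        return found;
    }

    public static async Task Main()
    {
        // Assumption: the token is supplied through the VAULT_TOKEN environment variable.
        var auth = new TokenAuthMethodInfo(Environment.GetEnvironmentVariable("VAULT_TOKEN"));
        var client = new VaultClient(new VaultClientSettings("https://127.0.0.1:8200", auth));
        foreach (string path in await ListAllAsync(client, "kv-clients")) Console.WriteLine(path);
    }
}
```

The walk only returns paths the token's policy permits it to list, so its output also shows how far a given token can see into the mount.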