secrets-manager
Ansible `keeper_get` throwing Exception: Cannot get record: Incorrect padding
When running keeper_get I'm getting an error:
```
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Exception: Cannot get record: Incorrect padding
fatal: [edge_arm]: FAILED! => {"msg": "Unexpected failure during module execution: Cannot get record: Incorrect padding", "stdout": ""}
```
System Info:
```
ansible-playbook [core 2.17.3]
  python version = 3.12.5 (main, Aug 13 2024, 01:30:38) [GCC 12.2.0] (/usr/local/bin/python)
  jinja version = 3.1.4
  libyaml = True
```
keeper module version: 1.2.4
OS: linux
I've also tried on Python versions 3.10 and 3.11 with the exact same error.
Example setup:
```yaml
- name: 'Example'
  keeper_get:
    uid: "XXXXXXXXXXX"
    field: note
  register: secret
  tags:
    - pull_secrets
```
Error stack trace
```
2024-10-08 13:24:14,883 | ksm | DEBUG | Public key id NN does not exists, set to default : 10
2024-10-08 13:24:14,883 | ksm | DEBUG | Already bound
2024-10-08 13:24:14,884 | ksm | DEBUG | Keeper hostname keepersecurity.eu
Keeper Secrets Manager is not using a DR file cache.
Loading keeper config from Ansible vars.
The full traceback is:
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_ansible/__init__.py", line 416, in get_records_from_vault
    records = self.client.get_secrets(uids)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_core/core.py", line 821, in get_secrets
    return self.get_secrets_with_options(query_options, full_response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_core/core.py", line 829, in get_secrets_with_options
    records_resp = self.fetch_and_decrypt_secrets(query_options)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_core/core.py", line 722, in fetch_and_decrypt_secrets
    decrypted_response_bytes = self._post_query(
                               ^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_core/core.py", line 550, in _post_query
    encrypted_payload_and_signature = self.encrypt_and_sign_payload(self.config, transmission_key, payload)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_core/core.py", line 308, in encrypt_and_sign_payload
    pk = CryptoUtils.der_base64_private_key_to_private_key(private_key)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_core/crypto.py", line 250, in der_base64_private_key_to_private_key
    private_key_der_base64 = utils.base64_to_bytes(private_key_der_base64)
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_core/utils.py", line 80, in base64_to_bytes
    return base64.urlsafe_b64decode(s)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/base64.py", line 134, in urlsafe_b64decode
    return b64decode(s)
           ^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/base64.py", line 88, in b64decode
    return binascii.a2b_base64(s, strict_mode=validate)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
binascii.Error: Incorrect padding

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/ansible/executor/task_executor.py", line 164, in run
    res = self._execute()
          ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/ansible/executor/task_executor.py", line 636, in _execute
    result = self._handler.run(task_vars=vars_copy)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_ansible/plugins/action_plugins/keeper_get.py", line 175, in run
    value = keeper.get_value(uid=uid, title=title, field_type=field_type_enum, key=field_key,
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_ansible/__init__.py", line 527, in get_value
    record = self.get_record(uids=uid, titles=title, cache=cache)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_ansible/__init__.py", line 464, in get_record
    records = self.get_records(cache=cache, uids=uids, titles=titles)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_ansible/__init__.py", line 456, in get_records
    records = self.get_records_from_vault(uids=uids, titles=titles, encrypt=encrypt)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/keeper_secrets_manager_ansible/__init__.py", line 418, in get_records_from_vault
    raise Exception("Cannot get record: {}".format(err))
Exception: Cannot get record: Incorrect padding
fatal: [edge158]: FAILED! => {
    "msg": "Unexpected failure during module execution: Cannot get record: Incorrect padding",
    "stdout": ""
}
```
```
fatal: [edge159]: FAILED! => {
    "msg": "Unexpected failure during module execution: Cannot get record: Incorrect padding",
    "stdout": ""
}
```
Seems to be due to a config error on credentials; however, it might be nice to add some validation on credentials and possibly a better message on what the problem is.
@Spazzy757 Thank you for your feedback.
This is related to incorrect config and goes down to the Python SDK. While we expect correct config to be passed, we filed the KSM-650 ticket to add better error messaging if such an error occurs.
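
The credential validation requested in this thread could take the form of a pre-flight check like the one below. It is an added example, not code from the Keeper SDK or from either participant. It mirrors the `base64.urlsafe_b64decode(s)` call shown in the traceback and names the failing field without echoing the secret; the field names in `BASE64_FIELDS` and the sample values are assumptions made for illustration.

```python
import base64
import binascii
import re

# Assumed field names, for illustration only; list the base64 values your config holds.
BASE64_FIELDS = ("privateKey", "appKey", "clientId")
_ALPHABET = re.compile(r"[A-Za-z0-9+/_-]*={0,2}")


def check_base64_field(name, value):
    """Return None if `value` survives the decode shown in the traceback,
    otherwise a message naming the field and defect, never the value."""
    if not isinstance(value, str) or not value:
        return f"{name}: missing or empty"
    # The non-strict decoder silently drops foreign characters (spaces,
    # newlines, quotes), so a mangled value must be caught before decoding.
    if not _ALPHABET.fullmatch(value):
        return f"{name}: has characters outside the base64 alphabet (length {len(value)})"
    if len(value) % 4:
        return (f"{name}: length {len(value)} is not a multiple of 4; "
                "value is truncated or lost its '=' padding")
    try:
        base64.urlsafe_b64decode(value)  # same call as utils.base64_to_bytes
    except (binascii.Error, ValueError) as err:
        return f"{name}: {err}"
    return None


def validate_config(config):
    """Return one message per malformed field; an empty list means OK."""
    problems = []
    for name in BASE64_FIELDS:
        message = check_base64_field(name, config.get(name))
        if message:
            problems.append(message)
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    good = base64.urlsafe_b64encode(b"constructed-test-key").decode()
    sample = {"privateKey": good[:-1], "appKey": good, "clientId": good + "\n"}
    for line in validate_config(sample):
        print(line)
```

Running such a check before the first vault call turns the bare `Incorrect padding` into a message that points at the specific config value to re-copy.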