PostureOfLearning

Reputation: 3541

Hashicorp Vault Kerberos Auth with VaultSharp

I'm having great difficulty getting Kerberos Auth working with Vault using VaultSharp.

I don't have control over the Vault server, but I've been informed that it is configured and ready to use.

I'm using .NET running in IIS and I want to make use of the service account that IIS is running under so that I don't need to store additional secrets or user/passwords.

Here is the code I'm using and the error:

using System.Net;
using System.Threading.Tasks;
using VaultSharp;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.Kerberos;

public async Task<string> GetSecretWithKerberosAuthUsingVaultSharp(string keyName, string vaultBaseAddress, string vaultResourcePath, string mountPoint)
{
    IAuthMethodInfo authMethod = new KerberosAuthMethodInfo(); // uses network credential by default.
    var vaultClientSettings = new VaultClientSettings(vaultBaseAddress, authMethod);
    IVaultClient vaultClient = new VaultClient(vaultClientSettings);

    // await rather than .Result: blocking on the task inside an IIS request thread can deadlock.
    var result = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(vaultResourcePath, mountPoint: mountPoint);
    //Above line gives this error message:
    //{"request_id":"a85dfbb3-b283-3513-7cd3-01ad757eed1b","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":["Unauthorised.\n\n"],"auth":null}

    var resultData = result.Data;               // Secret<SecretData>.Data
    string secret = resultData.Data[keyName].ToString(); // KV v2 key/value payload

    return secret;
}

I have managed to get it working using token auth as well as through the CLI but that is not quite what I want.

authMethod.Credentials.UserName and Domain are both empty strings. I don't know whether they are supposed to be populated in this case or not, but the documentation states that it "uses network credentials by default".

Any help appreciated.

Upvotes: 0

Views: 977

Answers (1)

Raja Nadar

Reputation: 9499

Is your web application running in integrated Windows Auth mode, with anonymous auth disabled?

If not, please make it work in that mode so that your web app has the Windows Integrated Auth context and the web calls from VaultSharp to the Vault API can carry that security context.

If yes, then can you please try a couple of things?

var kerberosAuthInfo = new KerberosAuthMethodInfo(CredentialCache.DefaultCredentials);

If the above doesn't work, then can you try explicit credentials?

var kerberosAuthInfo = new KerberosAuthMethodInfo(new NetworkCredential(userName, password, domain));

Ideally, the web app context should carry the integrated windows context so that you don't need to provide explicit credentials, but it might be worth trying to ensure that it works first and then we can backtrack as to why the context is not being passed.

Upvotes: 0
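The answer above boils down to three checks: which Windows identity the request is actually running under, whether that identity can log in to Vault via Kerberos with the default credentials, and, as a last resort for diagnosis, whether an explicit credential works (which proves the Vault side is configured and narrows the problem to the IIS context). The following is an added example that walks those three steps in order; it is not code from the question or the answer. The Vault address, the KV v2 mount point, the secret path and the VAULT_KRB_* environment variable names are assumptions for illustration, and the VaultSharp calls used are the same ones the thread already uses (KerberosAuthMethodInfo, VaultClientSettings, ReadSecretAsync).

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Principal;
using System.Threading.Tasks;
using VaultSharp;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.Kerberos;

public static class VaultKerberosCheck
{
    // Assumed values for illustration only; replace with your own Vault address,
    // KV v2 mount point and secret path.
    private const string VaultAddress = "https://vault.example.corp:8200";
    private const string KvMountPoint = "secret";
    private const string SecretPath = "myapp/settings";

    // Step 1: report the Windows identity the calling code really runs under.
    // Under IIS this is the app-pool account unless the request is impersonating
    // the caller. It is this account that the Kerberos ticket is obtained for, so
    // an anonymous identity here explains an "Unauthorised" reply from Vault.
    public static string CurrentWindowsIdentity()
    {
        var identity = WindowsIdentity.GetCurrent();
        return identity == null
            ? "<no Windows identity>"
            : $"{identity.Name} (authenticated: {identity.IsAuthenticated}, type: {identity.AuthenticationType})";
    }

    // Step 2: rely on the integrated Windows context (the answer's first suggestion).
    public static IAuthMethodInfo DefaultContextAuth() =>
        new KerberosAuthMethodInfo(CredentialCache.DefaultCredentials);

    // Step 3: explicit credentials, for diagnosis only (the answer's second suggestion).
    // Read from the environment so nothing is hard-coded, and remove this path once
    // the default context works: the point of Kerberos here is to store no secrets.
    public static IAuthMethodInfo ExplicitCredentialAuth()
    {
        var user = Environment.GetEnvironmentVariable("VAULT_KRB_USER");
        var password = Environment.GetEnvironmentVariable("VAULT_KRB_PASSWORD");
        var domain = Environment.GetEnvironmentVariable("VAULT_KRB_DOMAIN");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            throw new InvalidOperationException("VAULT_KRB_USER / VAULT_KRB_PASSWORD are not set");
        return new KerberosAuthMethodInfo(new NetworkCredential(user, password, domain));
    }

    // Reads one key from a KV v2 secret using whichever auth method is passed in.
    public static async Task<string> ReadSecretAsync(IAuthMethodInfo auth, string keyName)
    {
        IVaultClient client = new VaultClient(new VaultClientSettings(VaultAddress, auth));

        // The Kerberos login to Vault is performed on the first API call. Use await
        // rather than .Result so the ASP.NET request thread is not blocked.
        var secret = await client.V1.Secrets.KeyValue.V2.ReadSecretAsync(SecretPath, mountPoint: KvMountPoint);

        if (secret?.Data?.Data == null || !secret.Data.Data.TryGetValue(keyName, out var value) || value == null)
            throw new KeyNotFoundException($"Key '{keyName}' not found at {KvMountPoint}/{SecretPath}");
        return value.ToString();
    }

    // Runs the three checks in the order the answer suggests and logs what was tried.
    public static async Task<string> ReadWithDiagnosticsAsync(string keyName)
    {
        Console.WriteLine("Request is running as: " + CurrentWindowsIdentity());
        try
        {
            return await ReadSecretAsync(DefaultContextAuth(), keyName);
        }
        catch (Exception ex)
        {
            Console.WriteLine("Login with the default Windows context failed: " + ex.Message);
            Console.WriteLine("Retrying with explicit credentials to confirm the Vault side is configured...");
            return await ReadSecretAsync(ExplicitCredentialAuth(), keyName);
        }
    }
}
```

If the first line of output shows an identity that is not the intended service account (or IsAuthenticated is false), the fix is on the IIS side (Windows Authentication enabled, anonymous disabled, correct app-pool identity), not in the VaultSharp call. If the default context fails but the explicit credential succeeds, the Vault Kerberos mount is working and the remaining gap is the security context IIS hands to the worker process.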
