Reputation: 2436
I'm trying to read secrets from Vault using Python. Having some security issues:
I can confirm authentication is working
client = hvac.Client(url=vault_url)
client.auth.aws.iam_login(credentials.access_key, credentials.secret_key, credentials.token)
print(client.is_authenticated())
but reading a secret is not working:
I tried:
response = client.secrets.kv.v2.read_secret_version(path='kv-v2/lambda-function')
and:
response = client.secrets.kv.v2.read_secret_version(path='lambda-function')
and:
secret = 'kv-v2/lambda-function'
mount_point, secret_path = secret.split('/', 1)
response = client.secrets.kv.v2.read_secret_version(
mount_point=mount_point, path=secret_path)
all yield
[ERROR] Forbidden: 1 error occurred:
* permission denied
the following policy is in place:
path "kv-v2/lambda-function/*" {
capabilities = ["read"]
}
but I've also tried:
path "kv-v2/data/lambda-function/*" {
capabilities = ["read"]
}
the policy is linked to the auth:
vault write auth/aws/role/role... \
auth_type=iam \
bound_iam_principal_arn="arn:.." \
policies=lambda-function \
ttl=5m
and in the Vault console I can read the secret like this:
vault kv get kv-v2/lambda-function
What am I doing wrong?
Upvotes: 2
Views: 3539
Reputation: 2436
Okay, after a bit further experimentation it turns out that the correct policy is:
path "kv-v2/+/lambda-function*" {
capabilities = ["read","list"]
}
and the correct hvac calls are:
response = client.secrets.kv.v2.list_secrets(
mount_point='kv-v2', path='/')
response = client.secrets.kv.v2.read_secret_version(
mount_point='kv-v2', path='/lambda-function')
All dandy now.
Upvotes: 2
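Why the first two policies failed and the third works comes down to the path Vault actually authorizes: hvac's KV v2 read is sent to `<mount>/data/<path>`, and policy paths are matched against that. The following added example (not code from the thread, hvac or Vault) models that mapping and a simplified version of Vault's documented policy matching rules, where `+` matches exactly one path segment and a trailing `*` is a prefix glob, and evaluates the three policies from this thread against the read request.

```python
"""Model of how an hvac KV v2 read maps to a Vault API path and how Vault
policy 'path' patterns match it. Added illustration for this thread, not
hvac's or Vault's own code; the matcher is a simplified model of Vault's
documented '+' (one segment) and trailing '*' (prefix glob) semantics."""


def kv2_request_path(mount_point: str, path: str, op: str = "data") -> str:
    """Path a KV v2 read ('data') or list ('metadata') is authorized against."""
    return f"{mount_point.strip('/')}/{op}/{path.strip('/')}"


def policy_matches(policy_path: str, request_path: str) -> bool:
    """True if the policy path stanza covers request_path (simplified model)."""
    glob = policy_path.endswith("*")
    pattern = policy_path[:-1] if glob else policy_path
    pseg = pattern.split("/")
    rseg = request_path.split("/")
    if not glob and len(pseg) != len(rseg):
        return False  # exact paths must have the same number of segments
    if len(rseg) < len(pseg):
        return False  # request is shorter than the pattern, e.g. 'x/y/*' vs 'x/y'
    for i, p in enumerate(pseg[:-1]):
        if p != "+" and p != rseg[i]:
            return False  # '+' matches any single segment, else literal match
    last = pseg[-1]
    if glob:
        # '*' makes the last segment a prefix; anything after it is allowed
        return rseg[len(pseg) - 1].startswith(last)
    return last == "+" or last == rseg[-1]


# The three policies tried in this thread (constructed from the posts above).
POLICIES = {
    "first try": "kv-v2/lambda-function/*",
    "second try": "kv-v2/data/lambda-function/*",
    "working": "kv-v2/+/lambda-function*",
}


def evaluate(mount_point: str = "kv-v2", path: str = "lambda-function") -> dict:
    """Which policies allow read_secret_version(mount_point=..., path=...)."""
    req = kv2_request_path(mount_point, path)
    return {name: policy_matches(p, req) for name, p in POLICIES.items()}


if __name__ == "__main__":
    req = kv2_request_path("kv-v2", "lambda-function")
    for name, ok in evaluate().items():
        print(f"{name:11s} {'allows' if ok else 'denies'} read of {req}")
```

The first policy never mentions the `data/` segment, and the second requires something after `lambda-function/`, so neither covers `kv-v2/data/lambda-function`; the `+` form also covers `kv-v2/metadata/lambda-function`, which is why it serves the list call too.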