I want to get a secret that already exists in Vault at a specific path, "passwords/admin".

```toml
[dependencies]
hashicorp_vault = "2.1.0"
```

```rust
use hashicorp_vault::Client;

fn main() {
    let client = Client::new("http://my_vault.server:8200", "xxxxxx.xxxxx.xxxxx.xxxxx").unwrap();

    match client.get_secret("passwords/admin") {
        Ok(secret) => {
            println!("{}", secret);
        },
        Err(e) => {
            println!("{}", e);
        },
    }

}
```

I get this error:

```
Error in vault response: Vault request failed: Response { url: Url { scheme: "http", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("my_vault.server")), port: Some(8200), path: "/v1/secret/data/passwords/admin", query: None, fragment: None }, status: 404, headers: {"cache-control": "no-store", "content-type": "application/json", "date": "Mon, 26 Sep 2022 15:58:19 GMT", "content-length": "14"} }, error message: {"errors":[]} Could not read vault response.
```

The question is: why is it trying to get it from `/v1/secret/data/passwords/admin`? Why "data"? And if I add a new secret, for example:

    match client.set_secret("sec01", "val01") {
        Ok(_) => {},
        Err(e) => println!("{}", e),
    }

It will also be available with data inside the path. How can I specify the full path to the secret? Thank you!

  • I am only experienced with the C++, Go, Python, Ruby, and JS bindings for Vault, but these are all similar enough to each other that Rust is also probably similar, and therefore we would need to see the full path to your secret. The KV V2 secrets engine API is generally of the form `/v1//data/`, the bindings follow this pattern, and note also that the KV stored in a secret should not be in the path. – Matthew Schuchard Sep 26 '22 at 17:00
  • If I try to provide the full path like "/v1/secret/data/passwords/admin", I get an error that it is trying to get it from "/v1/secret/data/v1/secret/data/passwords/admin" :-( – Denis Salmanovich Sep 26 '22 at 17:12

1 Answer

The prefixes `data` (and `metadata`) are used by the key/value store version 2.

Make sure you mount your secret engine with this command:

```
vault secrets enable --version 2 --path secret kv
```

ixe013
  • With the Vault CLI it works... the question is how I can do it with the Rust client... – Denis Salmanovich Sep 26 '22 at 19:56
  • Vault cli is different for each KV version. Please update your question with the command line that works. Try `vault kv get secret/passwords/admin` (unless `passwords` is your mount point?) – ixe013 Sep 26 '22 at 21:07
  • From the command line it works this way: `vault kv get secret/passwords`, and it lists all the secrets in secret/passwords, so I can grep the secret from the "admin" value. – Denis Salmanovich Sep 27 '22 at 05:59
  • You should not need to use `grep`, more like `vault kv get secret/passwords/admin`. Listing is not done with the `list` verb, not `get`. Please update your question with the *full* command line that works, as well as how you put the secret in Vault in the first place. There are some assumptions on how Vault should be used, and the library probably relies on them. – ixe013 Sep 27 '22 at 12:57
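
The path mapping discussed in this thread, as an added Rust sketch (not code from the question, the answer, or the `hashicorp_vault` crate): it builds the KV v2 API path from a mount and a logical secret path, reproduces the doubled prefix reported in the comments, and strips a full API prefix before building. The names `Kv2Endpoint`, `api_path` and `logical_path` are hypothetical, and the mount `secret` is taken from the URL in the error message.

```rust
// Added illustration of the KV v2 path layout; std only, no Vault connection.
// Kv2Endpoint, api_path and logical_path are hypothetical names, not crate APIs.

enum Kv2Endpoint {
    Data,     // secret contents live under <mount>/data/<path>
    Metadata, // version metadata lives under <mount>/metadata/<path>
}

/// Build the HTTP API path for a KV v2 secret from its mount and logical path.
/// The prefix is always prepended, which is why passing a full API path doubles it.
fn api_path(mount: &str, endpoint: Kv2Endpoint, logical: &str) -> String {
    let segment = match endpoint {
        Kv2Endpoint::Data => "data",
        Kv2Endpoint::Metadata => "metadata",
    };
    let mount = mount.trim_matches('/');
    format!("/v1/{}/{}/{}", mount, segment, logical.trim_start_matches('/'))
}

/// Heuristic: if the caller passed a full API path for this mount,
/// reduce it to the logical path; otherwise return the input unchanged.
fn logical_path<'a>(mount: &str, input: &'a str) -> &'a str {
    let trimmed = input.trim_start_matches('/');
    for segment in &["data", "metadata"] {
        let prefix = format!("v1/{}/{}/", mount.trim_matches('/'), segment);
        if let Some(rest) = trimmed.strip_prefix(prefix.as_str()) {
            return rest;
        }
    }
    trimmed
}

fn main() {
    // Logical path, as passed to get_secret in the question.
    println!("{}", api_path("secret", Kv2Endpoint::Data, "passwords/admin"));
    // Full API path passed as the key: the prefix appears twice.
    let full = "/v1/secret/data/passwords/admin";
    println!("{}", api_path("secret", Kv2Endpoint::Data, full));
    // Normalizing first gives the intended path again.
    let fixed = logical_path("secret", full);
    println!("{}", api_path("secret", Kv2Endpoint::Data, fixed));
}
```

A 404 on the first form means no secret is stored at that logical path under the mount, which is what the `vault kv get` comparison in the comments is trying to establish.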