
KV version 2 no handler for route 'secret/data/kv' #473

Closed
thefossgeek opened this issue Jun 11, 2019 · 10 comments
Labels
kv Key/Value (KV) secrets engine

Comments

@thefossgeek (Author)

I am getting `hvac.exceptions.InvalidPath: no handler for route 'secret/data/kv'` while trying to read KV v2 via hvac.

Does anyone run into the same problem?

hvac==0.9.2

vault 1.1.2

CentOS 7.6

`cat /etc/vault.d/vault_main.hcl`

```hcl
cluster_name = "dc1"
max_lease_ttl = "768h"
default_lease_ttl = "768h"

disable_clustering = "False"
cluster_addr = "http://127.0.0.1:8201"
api_addr = "http://127.0.0.1:8200"

plugin_directory = "/usr/local/lib/vault/plugins"

listener "tcp" {
  address = "127.0.0.1:8200"
  cluster_address = "127.0.0.1:8201"
  tls_disable = "true"
}

storage "file" {
  path = "/var/vault"
}

ui = true
```

```python
#!/usr/bin/python

import hvac

client = hvac.Client(url='http://127.0.0.1:8200', token='')

print(client.is_authenticated())

# No mount_point given, so hvac uses its default mount point 'secret'
secret_version_response = client.secrets.kv.v2.read_secret_version(
    path='kv',
)
```

```
True
Traceback (most recent call last):
  File "./p1.py", line 10, in <module>
    path='kv',
  File "/usr/lib/python2.7/site-packages/hvac/api/secrets_engines/kv_v2.py", line 85, in read_secret_version
    params=params,
  File "/usr/lib/python2.7/site-packages/hvac/adapters.py", line 90, in get
    return self.request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/hvac/adapters.py", line 272, in request
    utils.raise_for_error(response.status_code, text, errors=errors)
  File "/usr/lib/python2.7/site-packages/hvac/utils.py", line 36, in raise_for_error
    raise exceptions.InvalidPath(message, errors=errors)
hvac.exceptions.InvalidPath: no handler for route 'secret/data/kv'
```

@drewmullen (Member) commented Jun 11, 2019

Have you verified you definitely have a kvv2?

https://learn.hashicorp.com/vault/secrets-management/sm-versioned-kv#cli-command
`vault secrets list -detailed`

Are you able to read the secret that exists there?
`vault kv get secret/kv`

Typically that error is something you'd see if there is a path problem.

```python
def read_test(client, path='doesntexist'):
    # Reads a KV v2 secret at `path` under hvac's default mount point
    result = client.secrets.kv.v2.read_secret_version(path=path)
    print('read result = ', result['data']['data'])
    return result
```

```
  File "/Users/dmullen/Library/Python/2.7/lib/python/site-packages/hvac/utils.py", line 36, in raise_for_error
    raise exceptions.InvalidPath(message, errors=errors)
hvac.exceptions.InvalidPath: None
```

@drewmullen drewmullen added the waiting-reply waiting for more information (probably for a while) label Jun 11, 2019
@thefossgeek (Author) commented Jun 12, 2019

```python
    result = client.secrets.kv.v2.read_secret_version(path=path)
    print('read result = ', result['data']['data'])
    return result
```

The kv secrets engine was mapped to path `kv`, and I am able to get it via the CLI, but it fails via the script.

```shell
# vault secrets list -detailed
```
Here is the output: https://pastebin.com/xZyyzh6A
```shell
# vault kv put kv/customer/acme name="ACME Inc." contact_email="jsmith@acme.com"
Key              Value
---              -----
created_time     2019-06-11T18:50:35.80328234Z
deletion_time    n/a
destroyed        false
version          1
# vault kv get kv/customer/acme
====== Metadata ======
Key              Value
---              -----
created_time     2019-06-11T18:50:35.80328234Z
deletion_time    n/a
destroyed        false
version          1

======== Data ========
Key              Value
---              -----
contact_email    jsmith@acme.com
name             ACME Inc.
# cat get.py
```

```python
#!/usr/bin/python

import hvac

path = 'kv/customer/acme'

client = hvac.Client(url='http://192.xx.xx.xxx:8200', token='xxxxxxxxxxxxxxxxxxxxxxx')

print(client.is_authenticated())

result = client.secrets.kv.v2.read_secret_version(path=path)

print('read result = ', result['data']['data'])
```

```
# ./get.py
True
Traceback (most recent call last):
  File "./get.py", line 12, in <module>
    result = client.secrets.kv.v2.read_secret_version(path=path)
  File "/usr/lib/python2.7/site-packages/hvac/api/secrets_engines/kv_v2.py", line 85, in read_secret_version
    params=params,
  File "/usr/lib/python2.7/site-packages/hvac/adapters.py", line 90, in get
    return self.request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/hvac/adapters.py", line 272, in request
    utils.raise_for_error(response.status_code, text, errors=errors)
  File "/usr/lib/python2.7/site-packages/hvac/utils.py", line 36, in raise_for_error
    raise exceptions.InvalidPath(message, errors=errors)
hvac.exceptions.InvalidPath: no handler for route 'secret/data/kv/customer/acme'
```

@drewmullen (Member) commented Jun 12, 2019

Your secrets engine is named 'kv', not 'secret'. You can change the mount_point for any call hvac makes by setting `mount_point='kv'`:

```python
result = client.secrets.kv.v2.read_secret_version(mount_point='kv', path=<NAME OF YOUR SECRET>)
```

*edit: didn't mean to close. However, please confirm this solved your problem so we can close.

@thefossgeek (Author)

Oh, thanks. It works!

@jeffwecan (Member)

Re-opening this issue to keep track of @drewmullen's point (since implementing it in one form or another would hopefully prevent other folks from hitting the same roadblock 😄).

@jeffwecan jeffwecan reopened this Jun 18, 2019
@jeffwecan jeffwecan added kv Key/Value (KV) secrets engine and removed waiting-reply waiting for more information (probably for a while) labels Jun 18, 2019
@drewmullen (Member)

So should we change the default to kv instead of secret? I'm all for it.

```python
DEFAULT_MOUNT_POINT = 'secret'
```

@bredy0 commented Oct 24, 2019

Hi,
I ran into a similar issue. My kv2 secret path is `secret/test/approletest`. When reading the key value with hvac I'm getting an unsupported path exception, because hvac is always prepending 'data' to the path.
From the audit log:

```
"path":"secret/data/test/approletest","remote_address":"x.x.x.x"},"response":{"data":{"error":"hmac-sha256:efcab35cd27bcf18a593f3af71ca1fe68ffd5c2fab7668c11bd22018b0ae73f0"}},"error":"1 error occurred:\n\t* unsupported path\n\n"}
```

Can you explain why you insert "/data/" in the path for kv2 secrets? It's located in the functions read_secret_version(), create_or_update_secret() and delete_latest_version_of_secret() in the file https://github.com/hvac/hvac/blob/master/hvac/api/secrets_engines/kv_v2.py

Thanks for the explanation.

[edit] typo in path

@drewmullen (Member) commented Oct 24, 2019

Info: the /data/ is a confusing part about Vault itself, imo. Basically, when you start using KV version 2, it force-injects a data/ and metadata/ immediately after your mount. The confusing part is that there are multiple parts to your 'secret path':

```
<namespace (if enterprise and using)>/<mount_point>/<"data" (IF kvv2 only)>/<path to your secret>
```

Solution:
if you're using kvv2 (check this with `vault secrets list --detailed`)

```
path=test/approletest
mount_point=secret
```
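The path layout described in this comment, and the mount_point fix given to thefossgeek earlier in the thread, as an added example that is not hvac's code nor anything posted here: `resolve_kv` splits a full secret path into the mount_point/path pair hvac expects (longest-prefix match over a mount table) and derives the route Vault serves, and `read_kv` dispatches to the v1 or v2 reader. `MOUNTS` is a constructed table shaped like `vault secrets list -detailed` output; both function names are hypothetical.

```python
# Added example, not hvac's code: split a full Vault secret path into the
# mount_point/path pair hvac's KV methods expect and derive the HTTP route
# Vault actually serves. MOUNTS is constructed here to mimic the shape of
# `vault secrets list -detailed` / client.sys.list_mounted_secrets_engines().
MOUNTS = {
    "secret/": {"type": "kv", "options": {"version": "1"}},
    "kv/": {"type": "kv", "options": {"version": "2"}},
    "secret/test/": {"type": "kv", "options": {"version": "2"}},
    "cubbyhole/": {"type": "cubbyhole", "options": None},
}


def resolve_kv(full_path, mounts=MOUNTS):
    """Return (mount_point, path, kv_version, api_route) for full_path.

    Longest-prefix match, since 'secret/test/' may be mounted beside 'secret/'.
    """
    full_path = full_path.strip("/")
    best = None
    for mount in mounts:
        prefix = mount.rstrip("/")
        hit = full_path == prefix or full_path.startswith(prefix + "/")
        if hit and (best is None or len(prefix) > len(best)):
            best = prefix
    if best is None:
        raise ValueError("no secrets engine mounted above %r" % full_path)
    info = mounts[best + "/"]
    if info["type"] != "kv":
        raise ValueError("%r is a %s mount, not kv" % (best, info["type"]))
    version = int((info.get("options") or {}).get("version", "1"))
    rel = full_path[len(best):].strip("/")
    if not rel:
        raise ValueError("%r names the mount itself, not a secret" % full_path)
    # KV v2 inserts data/ (and metadata/) directly after the mount point.
    route = "%s/data/%s" % (best, rel) if version == 2 else "%s/%s" % (best, rel)
    return best, rel, version, route


def read_kv(client, full_path, mounts=MOUNTS):
    """Read a secret via an hvac-style client (a fake with the same attribute
    layout works offline), choosing the v1 or v2 reader from the mount table."""
    mount, rel, version, _ = resolve_kv(full_path, mounts)
    if version == 2:
        resp = client.secrets.kv.v2.read_secret_version(mount_point=mount, path=rel)
        return resp["data"]["data"]
    return client.secrets.kv.v1.read_secret(mount_point=mount, path=rel)["data"]
```

Against a live server, build the mount table from `client.sys.list_mounted_secrets_engines()` (the mounts are under its `data` key in current hvac) instead of the constructed `MOUNTS`.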

@bredy0 commented Oct 25, 2019

Hi, thanks,

the solution was to set `mount_point=secret/test` and `path=approletest`.

@malwar commented Sep 23, 2020

Below is a C# console application example to retrieve a secret from Key Vault:

```csharp
using System;
using System.Threading.Tasks;
using VaultSharp;                                  // NuGet package: VaultSharp
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.Token;
using VaultSharp.V1.Commons;
using VaultSharp.V1.SecretsEngines.KeyValue.V2;

class Program
{
    static async Task Main(string[] args)
    {
        var x = await GetSecretFromVault("http://127.0.0.1:8200");
        //Task.Delay(10000).Wait();
        Console.WriteLine("Returned Data: DB UserId - {0}, DB Password - {1}", x.Data.Data["dbuser"], x.Data.Data["dbpwd"]);
        Console.ReadLine();
    }

    private static async Task<Secret<SecretData>> GetSecretFromVault(string url)
    {
        if (string.IsNullOrEmpty(url.Trim())) return null;
        // Initialize one of the several auth methods.
        // Replace the vaultToken parameter value with your Token
        IAuthMethodInfo authMethod = new TokenAuthMethodInfo("s.QzJVUOXD3DdLGo6bhcJeapRW");

        // Initialize settings. You can also set proxies, custom delegates etc. here.
        var vaultClientSettings = new VaultClientSettings(url, authMethod);

        IVaultClient vaultClient = new VaultClient(vaultClientSettings);

        // Use client to read a key-value secret. As with hvac above, the mount point
        // and the secret path are passed separately.
        Secret<SecretData> kv2Secret = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(path: "kv/mysecret", version: 2, mountPoint: "secret");
        return kv2Secret;
    }
}
```
