Unable to fetch secrets from Vault

[Kalyan-D]

Hello jcustenborder ,

I have configured my confluent worker with following properties:

config.providers.vault.param.vault.token=************************
config.providers.vault.class=com.github.jcustenborder.kafka.config.vault.VaultConfigProvider
config.providers.vault.param.vault.address=http://********:8200
config.providers=vault
config.providers.vault.param.vault.login.by=Token

and started the worker in distributed mode

I have configured my source connection with the following configs

{
"name": "inventory-connector",
"config": {
"connector.class": "io.debezium.connector.mysql.MySqlConnector",
"tasks.max": "1",
"database.hostname": "*******",
"database.port": "3306",
"database.user": "${vault:confluent/secrets:mysqluser}",
"database.password": "${vault:confluent/secrets:mysqlpass}",
"database.server.id": "184055",
"database.server.name": "dbserver2",
"database.include.list": "inventory",
"database.history.kafka.bootstrap.servers": "localhost:9092",
"database.history.kafka.topic": "schema_changes.inventory"
}
}

In the Hashicorp vault, I have stored the secrets in the following path
confluent/secret

But while running source connector with rest call I'm getting the following error
{"error_code":500,"message":"Vault path 'confluent/secrets' was not found"}

We have tired other way also still we are getting error

{"error_code":500,"message":"Vault path 'secret/confluent/secrets' was not found"}

[jcustenborder]

That message is coming directly from vault. The library is just bubbling it up. You most likely don't have a secret at that path or have a permissions issue. You need to verify that using the token you've configured you can read that secret.

Make sure that this command works with the token in your config.

On your side make sure that you can run and that returns a secret containing mysqluser and mysqlpass

vault kv get secret/confluent/secrets

For example I have secret/application/example/development in my instance. When I run the following command with the proper token I get the following output.

vault kv get secret/application/example/development

====== Metadata ======
Key              Value
---              -----
created_time     2021-01-30T01:43:13.088708822Z
deletion_time    n/a
destroyed        false
version          3

========== Data ==========
Key                 Value
---                 -----
bootstrap.server    worker-01:30000,worker-02:30000,worker-03:30000
kafka.properties    ssl.endpoint.identification.algorithm=https
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="test" password="test123";
test                asdfasdf

Then I can use this in my config.

${vault:secret/application/example/development:bootstrap.server}  

[Kalyan-D]

I have tried using CURL command, its working fine PFB snap [image: image.png] Thanks

…

On Wed, 21 Jul 2021 at 22:14, Jeremy Custenborder ***@***.***> wrote: That message is coming directly from vault. The library is just bubbling it up. You most likely don't have a secret at that path or have a permissions issue. You need to verify that using the token you've configured you can read that secret. Make sure that this command works *with the token in your config.* On your side make sure that you can run and that returns a secret containing mysqluser and mysqlpass vault kv get secret/confluent/secrets For example I have secret/application/example/development in my instance. When I run the following command with the proper token I get the following output. vault kv get secret/application/example/development ====== Metadata ====== Key Value --- ----- created_time 2021-01-30T01:43:13.088708822Z deletion_time n/a destroyed false version 3 ========== Data ========== Key Value --- ----- bootstrap.server worker-01:30000,worker-02:30000,worker-03:30000 kafka.properties ssl.endpoint.identification.algorithm=https security.protocol=SASL_PLAINTEXT sasl.mechanism=PLAIN sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="test" password="test123"; test asdfasdf Then I can use this in my config. ${vault:secret/application/example/development:bootstrap.server} — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AF3TD3CDSOKQWKFTH7ZNMZLTY32PVANCNFSM5AYKATXQ> .

[jcustenborder]

None of your images are coming though. Please give the above example a try with vault cli with the token you specified in the config

[Kalyan-D]

*command used : *curl -H "X-Vault-Token: **********************" -X GET http://***********.com:8200/v1/confluent/secrets *Response received:* {"request_id":"e4ed35cd-2098-7859-09f7-befe5857820a","lease_id":"","renewable":false,"lease_duration":36000,"data":{"mysqlpass":"dbz","mysqluser":"debezium"},"wrap_info":null,"warnings":null,"auth":null}

…

On Wed, 21 Jul 2021 at 22:28, Jeremy Custenborder ***@***.***> wrote: None of your images are coming though. Please give the above example a try with vault cli with the token you specified in the config — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AF3TD3EC4RX4VSQZL2AZPPLTY34BZANCNFSM5AYKATXQ> .

[Kalyan-D]

From the command line, we are able to fetch secrets $* vault kv get confluent/secrets* ====== Data ====== Key Value --- ----- mysqlpass dbz mysqluser debezium Thanks & Regards

…

On Wed, 21 Jul 2021 at 22:44, Kalyan D ***@***.***> wrote: When i tried from vault cli using * vault read confluent* We are able to fetch secrets e I crets On Wed, 21 Jul 2021 at 22:36, Kalyan D ***@***.***> wrote: > *command used : *curl -H "X-Vault-Token: **********************" -X GET > http://***********.com:8200/v1/confluent/secrets > > *Response received:* > > {"request_id":"e4ed35cd-2098-7859-09f7-befe5857820a","lease_id":"","renewable":false,"lease_duration":36000,"data":{"mysqlpass":"dbz","mysqluser":"debezium"},"wrap_info":null,"warnings":null,"auth":null} > > On Wed, 21 Jul 2021 at 22:28, Jeremy Custenborder < > ***@***.***> wrote: > >> None of your images are coming though. Please give the above example a >> try with vault cli with the token you specified in the config >> >> — >> You are receiving this because you authored the thread. >> Reply to this email directly, view it on GitHub >> <#4 (comment)>, >> or unsubscribe >> <https://github.com/notifications/unsubscribe-auth/AF3TD3EC4RX4VSQZL2AZPPLTY34BZANCNFSM5AYKATXQ> >> . >> >

[Kalyan-D]

@jcustenborder

Any update on this issue ?

[Kalyan-D]

@jcustenborder Could you please look into this issue asap

[Kalyan-D]

Hi @jcustenborder
Did you get a chance to look into this?

[WilsonSunBritten]

I am now encountering this issue myself. I hope to test more tomorrow but to me it looks like a vault engine 1 vs 2 issue. The newest release of https://github.com/BetterCloud/vault-java-driver that this project uses defaults to vault engine 2, while the vault path you provided looks like an engine v1 path. I have to do some more testing but it looks like either a config for a secret path map can be included, or a global engine version flag can be included(This repo needs to update to provide those config options, but BettterCloud does have them).

[AviMualem]

im having the exact same situation. getting vault path not found, for secrets i can get manually by same path.
curl works for me for the same path.