Using VaultSharp with VaultAgent Proxy

[shinyobject88]

Is there a way to use VaultSharp pointed at Vault Agent where the Vault Agent is serving as a proxy? Basically, I want to do the following:

// Initialize settings to point to the vault proxy listener on that is running on the same machine
var vaultClientSettings = new VaultClientSettings("http://127.0.0.1:8100", null);

IVaultClient vaultClient = new VaultClient(vaultClientSettings);

Secret secret = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(mountPoint: "secret", path: "test");

The vault agent has already authenticated and gotten a token to connect to the vault. I have done something similar reading the token file and using the above code with the TokenAuth method pointed to the vault but would like to avoid that and have the Vault agent handle everything with regards to auth and renewals. Currently if I point to the Vault Agent listener, I get an error message of invalid token when trying to obtain the secret.

[rajanadar]

It's a very interesting use case @shinyobject88.

Can you please try the following steps?

1. In VaultSharp, Initialize vault client with a token Auth info object, and give a dummy string value for the vault token.
2. On your vault agent, set the force flag on the auto Auth setting. This will ensure that the vault agent ignores any vault token coming from your application and use it's own token.
3. Make a call from your code to this vault agent.

Let me know.

[shinyobject88]

Hey @rajanadar,

Thank you for the quick reply!

I tried the steps above and got the following exception when I tried to get the secret: System.ComponentModel.Win32Exception: 'The token supplied to the function is invalid'

I even tried it with the token that the agent got when it authenticated and the same error occurred when I pointed to the address in my listener stanza. I have the following configured for the vault agent config:

api_proxy {
use_auto_auth_token = "force"
}

listener "tcp" {
address = "127.0.0.1:8100"
tls_disable = true
}

[rajanadar]

Please send me the stack trace of the component exception.

Also, can you try using postman or fiddler and make the vault agent http call succeed? Same url, port, dummy or no token etc.

If that succeeds, then there is a problem with VaultSharp.
Else, there is a problem with the vault agent acting as a http proxy.

I'll have a look over the weekend.

[shinyobject88]

Here is the stack trace that I received from the call:

at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatusPal& statusCode)
at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
at System.Net.Http.AuthenticationHelper.d__53.MoveNext()
at System.Net.Http.HttpConnectionPool.d__84.MoveNext()
at System.Threading.Tasks.ValueTask1.get_Result() at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable1.ConfiguredValueTaskAwaiter.GetResult()
at System.Net.Http.AuthenticationHelper.d__17.MoveNext()
at System.Net.Http.DiagnosticsHandler.d__8.MoveNext()
at System.Threading.Tasks.ValueTask1.get_Result() at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable1.ConfiguredValueTaskAwaiter.GetResult()
at System.Net.Http.RedirectHandler.d__4.MoveNext()
at System.Net.Http.HttpClient.<g__Core|83_0>d.MoveNext()
at VaultSharp.Core.Polymath.d__231.MoveNext() at VaultSharp.Core.Polymath.<MakeVaultApiRequest>d__211.MoveNext()
at VaultSharp.Core.Polymath.d__20`1.MoveNext()
at VaultSharp.V1.SecretsEngines.KeyValue.V2.KeyValueSecretsEngineV2Provider.d__4.MoveNext()
at Program.<

$>d__0.MoveNext() in C:\Projects\VSO\RetailVNext\retail-vnext-application-services\src\reference-application\POCAppRoles\Program.cs:line 19

I will try postman tomorrow with everything just to see if that works and will let you know. Once I have a result.

Thanks

[rajanadar]

Thanks @shinyobject88.

That error is normally related to ssl connections etc. and I don't see https in your url. Everything is http. So that's good.

Let's see what postman yields

[shinyobject88]

Morning @rajanadar,

I tested against the agent today with Postman both with the token as the Auth Bearer token and with no token. Both successfully called the vault agent proxy and pulled the secret from the vault without issues. Let me know and I can test any other scenario as well

Thanks

[rajanadar]

Ok that's good to know @shinyobject88 . That means, a http call definitely works via vault-agent into Vault.
This means, something in VaultSharp is messing it up. Either the library itself or the way the code is.

Can you please send me the Postman JSON of a working call, and the exact full VaultSharp code snippet?
I'll cross check and verify locally.

[shinyobject88]

I think I found the issue and it was my end. It was a proxy issue. It didn't like that I was hitting 127.0.0.1 for the vault agent. I switched to localhost to make sure I didn't hit the proxy and it worked like a charm. Sorry for all the confusion, didn't even think of it until now

[rajanadar]

Very cool. Glad that it works

[shinyobject88]

Thank you very much for your assistance!