CLI example for encrypting secrets using azure keyvault
ncthbrt opened this issue · 6 comments
I've been struggling to encrypt secrets using Kamus and Azure Keyvault.
The main barrier I've been running into is what value --auth-resource
must be and how to obtain it.
Can you please share more information about the issue? Do you have an issue installing Kamus or encrypting?
I have been able to set up Kamus on our AKS cluster; however, I'm struggling to encrypt keys.
These are the steps I've performed:
Retrieved the pod name using kubectl:
export POD_NAME=$(kubectl get pods --namespace default -l "app=kamus,release=kamus,component=encryptor" -o jsonpath="{.items[0].metadata.name}")
Started Port forwarding
kubectl port-forward $POD_NAME 8080:9999
Attempted encryption:
npx @soluto-asurion/kamus-cli encrypt \
-s "Super Secret" \
-a $k8sServiceAccount \
-u http://localhost:8080 \
--allow-insecure-url --auth-application $kamusAppId \
--auth-tenant $activeDirectoryTenantId \
--auth-resource ??? \
--namespace "default"
The current auth-resource I've been using is the one for the Key Vault API; however, after successfully signing in, I get the following error:
[error kamus-cli]: Error while trying to encrypt with kamus: Encrypt request failed due to unexpected error. Status code: 500
The encryption pod logged the following error:
{
"Timestamp": "2019-10-23T12:19:57.2384103+00:00",
"Level": "Error",
"MessageTemplate": "Unhandled exception while processing request",
"Exception": "Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'\n at Microsoft.Azure.KeyVault.KeyVaultClient.GetKeyWithHttpMessagesAsync(String vaultBaseUrl, String keyName, String keyVersion, Dictionary`2 customHeaders, CancellationToken cancellationToken)\n at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetKeyAsync(IKeyVaultClient operations, String keyIdentifier, CancellationToken cancellationToken)\n at Kamus.KeyManagement.AzureKeyVaultKeyManagement.Encrypt(String data, String serviceAccountId, Boolean createKeyIfMissing) in /app/key-managment/AzureKeyVaultKeyManagement.cs:line 61\n at Kamus.KeyManagement.EnvelopeEncryptionDecorator.Encrypt(String data, String serviceAccountId, Boolean createKeyIfMissing) in /app/key-managment/EnvelopeEncryptionDecorator.cs:line 25\n at Kamus.Controllers.EncryptController.Encrypt(EncryptRequest body) in /app/encrypt-api/Controllers/EncryptController.cs:line 45\n at lambda_method(Closure , Object )\n at Microsoft.Extensions.Internal.ObjectMethodExecutorAwaitable.Awaiter.GetResult()\n at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)\n at System.Threading.Tasks.ValueTask`1.get_Result()\n at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeActionMethodAsync()\n at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeNextActionFilterAsync()\n at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow(ActionExecutedContext context)\n at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)\n at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync()\n at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextResourceFilter()\n at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow(ResourceExecutedContext context)\n at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)\n at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()\n at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()\n at Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)\n at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)\n at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)\n at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)\n at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)\n at Kamus.ErrorHandlingMiddleware.Invoke(HttpContext httpContext) in /app/encrypt-api/ErrorHandlingMiddleware.cs:line 25",
"Properties": {
"SourceContext": "Kamus.ErrorHandlingMiddleware"
}
}
Presumably that is because I'm authorizing the incorrect resource.
Hey, sorry for the confusion. The --auth-tenant and --auth-resource flags are required only if you use AD authentication to protect the Kamus encryptor. You can ignore them. The real issue is this:
Operation returned an invalid status code 'Forbidden'
Did you create the service principal for Kamus correctly, with the right permissions?
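The diagnosis above points at the Key Vault side rather than the CLI flags: the Forbidden is raised inside GetKey in Kamus's Key Vault backend, which means the service principal's access policy on the vault does not grant the key permissions Kamus calls. As an added example (not code from the Kamus project or from anyone in this thread), the following Python script reads the JSON that `az keyvault show --name <vault> -o json` prints and reports, for a given principal, which key permissions are still missing for each Kamus operation. The permission set it checks for (get, create and encrypt for encryption; decrypt for decryption), the JSON layout it expects, and the sample vault document are assumptions made for the example; the sample is constructed, not captured from a real vault.

```python
"""Diagnose a Key Vault 'Forbidden' from Kamus by checking the vault's access policy.

Added example, not code from the Kamus project or this issue. It assumes:
  - the JSON layout that `az keyvault show --name <vault> -o json` prints
    (properties.accessPolicies[].objectId and .permissions.keys), and
  - that Kamus's Azure Key Vault backend needs the key permissions 'get',
    'create' and 'encrypt' to encrypt (the stack trace in this issue fails
    in GetKey, the first of those calls) and 'decrypt' to decrypt.
Both are assumptions documented here, not facts taken from the issue.
"""
import json

# Key Vault *key* permissions each Kamus operation exercises (assumption, see
# module docstring). Compared case-insensitively because the ARM API returns
# them capitalised ("Get") while the az CLI accepts lower case.
KAMUS_KEY_PERMISSIONS = {
    "encrypt": ("get", "create", "encrypt"),
    "decrypt": ("decrypt",),
}

# Constructed sample of `az keyvault show` output: the first principal has an
# incomplete policy (the situation in this issue), the second a complete one.
SAMPLE_VAULT_JSON = """
{
  "name": "kamus-demo-kv",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {
        "objectId": "11111111-1111-1111-1111-111111111111",
        "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "permissions": {"keys": ["List", "Encrypt", "Decrypt"], "secrets": [], "certificates": []}
      },
      {
        "objectId": "22222222-2222-2222-2222-222222222222",
        "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "permissions": {"keys": ["Get", "Create", "Encrypt", "Decrypt"], "secrets": [], "certificates": []}
      }
    ]
  }
}
"""


def key_permissions_for(vault: dict, object_id: str) -> set:
    """Return the lower-cased key permissions granted to a principal's object id.

    Access policies are keyed by the service principal's *object id*, not the
    application (client) id used to sign in; looking up the app id here is a
    common reason a policy that looks correct still yields Forbidden.
    """
    props = vault.get("properties", {})
    if props.get("enableRbacAuthorization"):
        # With the RBAC permission model the access-policy list is ignored,
        # so this check would give a false answer; refuse rather than guess.
        raise ValueError("vault uses the RBAC permission model; access policies are not consulted")
    granted = set()
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId", "").lower() == object_id.lower():
            granted.update(p.lower() for p in policy.get("permissions", {}).get("keys", []))
    return granted


def missing_permissions(vault: dict, object_id: str, operation: str = "encrypt") -> list:
    """Key permissions the principal lacks for a Kamus operation, sorted; [] if none."""
    required = KAMUS_KEY_PERMISSIONS[operation]
    granted = key_permissions_for(vault, object_id)
    return sorted(p for p in required if p not in granted)


def diagnose(vault_json: str, object_id: str) -> dict:
    """Map each Kamus operation to the key permissions still missing for object_id."""
    vault = json.loads(vault_json)
    return {op: missing_permissions(vault, object_id, op) for op in KAMUS_KEY_PERMISSIONS}


if __name__ == "__main__":
    # A principal absent from every policy is reported as missing everything,
    # which is also what an app id passed in place of an object id looks like.
    for oid in ("11111111-1111-1111-1111-111111111111",
                "22222222-2222-2222-2222-222222222222",
                "33333333-3333-3333-3333-333333333333"):
        print(oid, diagnose(SAMPLE_VAULT_JSON, oid))
```

To use it against a real vault, feed the output of `az keyvault show --name <vault> -o json` to `diagnose` together with the service principal's object id. If the report lists missing permissions, granting them is a single policy update (`az keyvault set-policy --name <vault> --object-id <oid> --key-permissions get create encrypt decrypt`, with the exact permission list being the assumption stated in the script), after which the encrypt call above should no longer return 500.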
Ah, that makes sense. I will recheck those service principal settings and try to set up Kamus again.
Thanks for the help. Got it encrypting!