
vault keeps getting 404

Open leeadh opened this issue 5 years ago • 4 comments

Hi, I have this sample config:

var options = {
    apiVersion: 'v1', // default
    endpoint: 'http://ssss:8200', // default
    token: 's.ssssssss' // optional client token; can be fetched after valid initialization of the server
};
  
// get new instance of the client
var vault = require("node-vault")(options);

vault.read('kv/mongodb-secret').then((res) => {
    console.log(res);

});

but it keeps hitting 404. I tested on CLI and I am able to do a vault get KV

(node:65829) UnhandledPromiseRejectionWarning: Error: Status 404
    at handleVaultResponse (/Users/adrianlee/node_modules/node-vault/src/index.js:49:21)
    at process._tickCallback (internal/process/next_tick.js:68:7)
(node:65829) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 2)
(node:65829) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

I also get a no handler for node route when I do the below

var vault = require("node-vault")(options);

vault.write('secret/hello', { value: 'world' })
    .then((res) => console.log("result:",res.data.value))
    .catch((err) => console.error("error:",err));

leeadh, Mar 11 '20 15:03

@leeadh The same happened to me. My problem was that my Vault and Node.js are on k8s and I was using the VAULT_HOST & VAULT_PORT env vars to pass some data. The problem was that k8s rewrites the VAULT_PORT env var since there is a Service called vault.

Use the env var DEBUG=* to see which URL it is trying to reach.

Original:

const options = {
  apiVersion: VAULT_API_VERSION,
  endpoint: `https://${VAULT_HOST}:${VAULT_PORT}`,
};

Translated at runtime to: https://myEnvVaultHost:tcp://10.105.92.8:443/v1/sys/seal-status because k8s overrode my VAULT_PORT to tcp://10.105.92.8:443 instead of 443.

Hopefully it helps...

infnada, Mar 14 '20 11:03

@leeadh - Just out of curiosity, are you trying to store a secret in a K/V engine that is version 1 or version 2?

Assuming it's version 2, I think you're running into the same issue that's described in #82.

Behind the scenes, the CLI is using the new paths (<mount point>/data/path/to/secret and <mount point>/metadata/data/path/to/secret).

owenfarrell, May 04 '20 20:05

I tried setting the API version in options to v2 but it didn't work. Later I solved it by setting the version of the engine to v1; now it works like a charm. Hope this helps, even though I think it's a potential bug.

0xArdi, Jun 13 '20 12:06

So the API version is still at version 1, even if the underlying secrets engine is K/V version 2.

I had to solve the same problem for my Visual Studio Code extension (which uses this library). My solution was to simply adapt the node-vault client as necessary based on the metadata associated with engine mount points.

One downside to my approach is that users don't necessarily have access to the mount point metadata. As a fallback, I prompt the user.

Example Implementation

owenfarrell, Jun 13 '20 18:06
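
The mount-metadata approach described in the comment above, as an added example that is not part of the original thread and is not the extension's code. It assumes `mounts` is the map returned by `GET /v1/sys/mounts` (keys are mount paths with a trailing slash); the helper names and the sample data are hypothetical.

```javascript
// Added example: choose the request path for a KV secret from mount metadata.
// Helper names are hypothetical; they are not part of node-vault.

// Find the longest mount prefix that contains the logical path.
function findMount(mounts, logicalPath) {
  const normalized = logicalPath.replace(/^\/+/, '');
  let best = null;
  for (const mountPath of Object.keys(mounts)) {
    if ((normalized + '/').startsWith(mountPath) &&
        (best === null || mountPath.length > best.length)) {
      best = mountPath;
    }
  }
  return best;
}

// Returns { path, version }, or null when the mount is unknown (for example
// the token cannot read sys/mounts) so the caller can fall back to asking.
function kvDataPath(mounts, logicalPath) {
  const mountPath = findMount(mounts || {}, logicalPath);
  if (mountPath === null) return null;
  const mount = mounts[mountPath];
  const rest = logicalPath.replace(/^\/+/, '').slice(mountPath.length);
  const isV2 = mount.type === 'kv' && mount.options && mount.options.version === '2';
  const version = isV2 ? 2 : 1;
  // KV v2 inserts "data/" between the mount point and the secret path.
  const path = isV2 ? `${mountPath}data/${rest}` : `${mountPath}${rest}`;
  return { path, version };
}

// KV v2 nests the secret under data.data; KV v1 returns it under data.
function unwrapSecret(response, version) {
  return version === 2 ? response.data.data : response.data;
}

// Constructed sample metadata, not taken from a real server.
const sampleMounts = {
  'kv/': { type: 'kv', options: { version: '2' } },
  'secret/': { type: 'kv', options: { version: '1' } },
  'sys/': { type: 'system', options: null },
};

console.log(kvDataPath(sampleMounts, 'kv/mongodb-secret')); // v2 mount
console.log(kvDataPath(sampleMounts, 'secret/hello'));      // v1 mount
```

The resulting `path` is what would be passed to `vault.read` or `vault.write`, with `unwrapSecret` applied to the response of a read.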

Closing due to staleness; feel free to reopen if the issue is still there.

aviadhahami, Nov 10 '22 16:11