vault unwrap error: Invalid path for a versioned K/V secrets engine. #4711

xueshanf · 2018-06-06T21:41:40Z

Describe the bug

vault unwrap error: Invalid path for a versioned K/V secrets engine.

To Reproduce
Steps to reproduce the behavior:

Create a secret:

$ vault kv put secret/foo user="foo" password="bar"`

Create a wrap token:

$ vault kv get -wrap-ttl=10m  secret/foo
Key                              Value
---                              -----
wrapping_token:                  65a98aa4-26ee-38a1-e4c7-4d5d76402da9
wrapping_accessor:               982e67d7-89e2-c1f9-5643-5da2463004cf
wrapping_token_ttl:              10m
wrapping_token_creation_time:    2018-06-06 21:29:46.468934983 +0000 UTC
wrapping_token_creation_path:    secret/foo

Unwrap

$ vault unwrap 65a98aa4-26ee-38a1-e4c7-4d5d76402da9
vault unwrap 65a98aa4-26ee-38a1-e4c7-4d5d76402da9
Key                  Value
---                  -----
http_content_type    application/json
http_raw_body        eyJyZXF1ZXN0X2lkIjoiOTZiMmViYTItMGE5Mi0zYmFlLThhYWUtYmYyMmNmNjllN2I5IiwibGVhc2VfaWQiOiIiLCJyZW5ld2FibGUiOmZhbHNlLCJsZWFzZV9kdXJhdGlvbiI6MCwiZGF0YSI6bnVsbCwid3JhcF9pbmZvIjpudWxsLCJ3YXJuaW5ncyI6WyJJbnZhbGlkIHBhdGggZm9yIGEgdmVyc2lvbmVkIEsvViBzZWNyZXRzIGVuZ2luZS4gU2VlIHRoZSBBUEkgZG9jcyBmb3IgdGhlIGFwcHJvcHJpYXRlIEFQSSBlbmRwb2ludHMgdG8gdXNlLiBJZiB1c2luZyB0aGUgVmF1bHQgQ0xJLCB1c2UgJ3ZhdWx0IGt2IGdldCcgZm9yIHRoaXMgb3BlcmF0aW9uLiJdLCJhdXRoIjpudWxsfQ==
http_status_code     404

Decode the error:

echo "eyJyZXF1ZXN0X2lkIjoiOTZiM..[snip]...WxsfQ==" | base64 -D

{"request_id":"96b2eba2-0a92-3bae-8aae-bf22cf69e7b9","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":["Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get' for this operation."],"auth":null}

Expected behavior
I can make it work if I run vault kv get -wrap-ttl=10m secret/data/foo. Note that I inserted data prefix in the path, then vault unwrap returns valid data:

vault unwrap -format=json 4b19a5b0-8ea4-e502-9580-5e152e9cebf1
{
  "request_id": "a4bf21e0-6ec1-90ec-3379-b0c111077845",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "data": {
      "password": "bar",
      "user": "foo"
    },
    "metadata": {
      "created_time": "2018-06-06T21:21:19.249674019Z",
      "deletion_time": "",
      "destroyed": false,
      "version": 2
    }
  },
  "warnings": null
}

I would expect vault kv get -wrap-ttl=10m secret/foo work as before (like kv 1), to keep it consistent with other vault kv command?

Environment:

Vault Server Version

$ vault status -format=json | jq -r '.version'
0.10.1

Vault CLI Version (retrieve with vault version)

$ vault -version
Vault v0.10.1 ('756fdc4587350daf1c65b93647b2cc31a6f119cd')

Server Operating System/Architecture:
CoreOS on AWS

The text was updated successfully, but these errors were encountered:

jefferai · 2018-06-06T22:40:48Z

Already fixed by #4511

bladeandmaster88 · 2021-04-14T09:31:41Z

官网这些代码会报错
`
VaultTemplate vaultTemplate = new VaultTemplate(new VaultEndpoint(),
new TokenAuthentication("00000000-0000-0000-0000-000000000000"));

    Secrets secrets = new Secrets();
    secrets.username = "hello";
    secrets.password = "world";

    vaultTemplate.write("secret/myapp", secrets);

`

jefferai closed this as completed Jun 6, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

vault unwrap error: Invalid path for a versioned K/V secrets engine. #4711

vault unwrap error: Invalid path for a versioned K/V secrets engine. #4711

xueshanf commented Jun 6, 2018

jefferai commented Jun 6, 2018

bladeandmaster88 commented Apr 14, 2021 •

edited

Loading

vault unwrap error: Invalid path for a versioned K/V secrets engine. #4711

vault unwrap error: Invalid path for a versioned K/V secrets engine. #4711

Comments

xueshanf commented Jun 6, 2018

jefferai commented Jun 6, 2018

bladeandmaster88 commented Apr 14, 2021 • edited Loading

bladeandmaster88 commented Apr 14, 2021 •

edited

Loading