Consuming HashiCorp Vault API With .NET Core HTTP Client

Marco Urrea
Dec 3, 2020

It's been a while since the last time I did some code in .NET, so to keep the habit, today I bring a tutorial on how to consume HashiCorp Vault with Microsoft .NET Core.

As most of us know, HashiCorp Vault is API-driven, which means it can be consumed from virtually anywhere, so I wanted to test it out with .NET Core.

Requirements:

HashiCorp Vault Setup

  1. Open a terminal and initialize your Vault Server and export its Vault Address. For this example, I’m going to start my server in DEV Mode. (See Shortcut below.)
vault server -dev

Output:

==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: true, enabled: false
Recovery Mode: false
Storage: inmem
Version: Vault v1.3.3+prem
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variable:
$ export VAULT_ADDR='http://127.0.0.1:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: 4vV9GsIiZ2G2c0UqEAYtUM625xa29JcteXQvOk/sfx4=
Root Token: s.JCrC5sK61rixB92SHXAqvKS0

2. Set up the VAULT_ADDR:

  • PowerShell:
$env:VAULT_ADDR='http://127.0.0.1:8200'
  • Elsewhere (Unix-based):
export VAULT_ADDR='http://127.0.0.1:8200'

Shortcut!

vault server -dev -dev-root-token-id=<SomePassword> -dev-listen-address="127.0.0.1:8200"

Secret Creation

For this, we need to open a second Terminal beside the one running HashiCorp Vault.

  1. We are going to create a secret named person using the KV secrets engine version 2, and set two key-value pairs in it: name=marco and lastName=urrea.
vault kv put secret/person name=marco lastName=urrea

Output:

Key              Value
---              -----
created_time     2020-03-08T09:49:44.8794859Z
deletion_time    n/a
destroyed        false
version          1

As seen in the output, this is the first version of our secret. Now it's time to retrieve it.

Consulting a secret

To retrieve our secret, let’s use the following command.

vault kv get secret/person

Output:

====== Metadata ======
Key              Value
---              -----
created_time     2020-03-08T09:49:44.8794859Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key         Value
---         -----
lastName    urrea
name        marco

Notice in the output that HashiCorp Vault sorts the contents of our secret alphabetically by key.

.NET Core HTTP Client

For this example, I used Visual Studio 2019.

  1. Open Visual Studio 2019 and, on the right, click Create a new project.

2. Select Console App (.NET Core) and click Next.

3. Give your project a nice name and click Create.

We need to install two packages.

4. Go to Tools > NuGet Package Manager > Manage NuGet Packages for Solution…

5. In the browse tab, search and install Microsoft.AspNet.WebApi.Client and Newtonsoft.Json. The first library is used to make the HTTP call and the second one to manipulate the JSON data.

6. The code is explained below. Notice how the path changes compared to the command line, from secret/person to secret/data/person.

Consulting Secret with .NET Core HTTP Client.

Output:

Output JSON

Going back to the explanation, within the JSON there are two nested “data” structures. Line 29 of the code takes care of that to reach our secrets, and we then transform the result into a dictionary for further manipulation in case it is required.
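
The request described in step 6, as an added example (not the author's original listing, so the line number cited above does not apply to it). It assumes .NET Core 3.x with Newtonsoft.Json installed and a VAULT_TOKEN environment variable holding the token; the X-Vault-Token header and the /v1/ prefix are Vault's standard HTTP API conventions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

class Program
{
    static async Task<int> Main()
    {
        // Assumption: address and token come from the environment rather than
        // being hard-coded, so the root token never lands in source control.
        var addr = Environment.GetEnvironmentVariable("VAULT_ADDR") ?? "http://127.0.0.1:8200";
        var token = Environment.GetEnvironmentVariable("VAULT_TOKEN");
        if (string.IsNullOrEmpty(token))
        {
            Console.Error.WriteLine("VAULT_TOKEN is not set.");
            return 1;
        }

        using var client = new HttpClient { BaseAddress = new Uri(addr) };
        client.DefaultRequestHeaders.Add("X-Vault-Token", token);

        // KV v2: the CLI path secret/person becomes secret/data/person over HTTP.
        using var response = await client.GetAsync("/v1/secret/data/person");
        if (!response.IsSuccessStatusCode)
        {
            // 403 = bad token or policy, 404 = no such secret or wrong mount path.
            Console.Error.WriteLine($"Vault returned {(int)response.StatusCode}");
            return 1;
        }

        var body = JObject.Parse(await response.Content.ReadAsStringAsync());

        // The response nests two "data" objects: the outer one wraps the
        // secret plus its metadata, the inner one holds the key-value pairs.
        var secret = body["data"]?["data"]?.ToObject<Dictionary<string, string>>();
        if (secret == null)
        {
            Console.Error.WriteLine("Response has no data.data object.");
            return 1;
        }

        foreach (var pair in secret)
            Console.WriteLine($"{pair.Key} = {pair.Value}");
        return 0;
    }
}
```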

Conclusion

The HashiCorp Vault API is very easy to use and can be consumed through an HTTP call using .NET. The only difference from using the command line is having to add /data/ between secret and the secret name.

Marco Urrea

DevOps engineer at DigitalOnUs with a background in cloud computing, automation, and data integration. I’m also a fitness nerd into comic books, and traveling.