Problem
When submitting data to be decrypted by the transit secrets engine in a batch, the audit log shows two key-value pairs for each entry in the batch_results array: plaintext and error.
How would one decode the error key-value pair to identify whether one of the results in the batch has an error?
Example response from the transit secrets engine API (no error key returned):
{
  "request_id": "6ec94778-54f2-923d-54bc-2be3496e16a2",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "batch_results": [
      {
        "plaintext": "dGVzdDEK"
      },
      {
        "plaintext": "dGVzdDIK"
      },
      {
        "plaintext": "dGVzdDMK"
      }
    ]
  }
}
Example response output from the audit log (error key returned):
"data": {
  "batch_results": [
    {
      "plaintext": "hmac-sha256:2427cae1e95bef7a9020ded03740f4476fe12e7add2920471cd8483b917e1285",
      "error": "hmac-sha256:e58804117ee9e9393a75199e7a86b7e3bac20227b453e903dc66f46d6b2b4681"
    },
    {
      "plaintext": "hmac-sha256:e3c55a885a90887cde16c5a0d62a57c944474116ffed8e6c7e361fdb649512b2",
      "error": "hmac-sha256:e58804117ee9e9393a75199e7a86b7e3bac20227b453e903dc66f46d6b2b4681"
    },
    {
      "plaintext": "hmac-sha256:cd211fdd119c6fda86831eb9f3d12be51f565093dd834e8b2ceac2e9086f5693",
      "error": "hmac-sha256:e58804117ee9e9393a75199e7a86b7e3bac20227b453e903dc66f46d6b2b4681"
    }
  ]
}
Solution:
The presence of the "error" key-value pair in each batch_results entry of the audit log is expected, even for a fully successful batch. It does not by itself mean that any item in the batch failed. The audit device HMACs every string value in the request and response, including empty strings, so an empty error string is logged as an HMAC rather than as "". Because the HMAC is keyed with the audit device's salt, the same input always produces the same HMAC within that device's log. If every "error" value in the batch carries the identical HMAC, this most likely means that each item returned the empty string "" (no error).
To confirm, submit the empty string "" as the input to the sys/audit-hash/<device> endpoint for the same audit device (here, a device mounted at the path file). The endpoint returns the HMAC that this device would write for the given input, so the result can be compared directly with the observed "error" values.
Example:
curl --header "X-Vault-Token: $VAULT_TOKEN" --data @input.json \
  --request POST $VAULT_ADDR/v1/sys/audit-hash/file
Example Payload:
{
"input": ""
}
This API request returns an error, because an empty input is not accepted by the endpoint. However, the audit log still records the request, including the HMAC of its input field, and that HMAC should match the "error" HMAC previously observed in the batch results. Note that the HMAC of "" differs from one audit device to another, since each device has its own salt, so the comparison must be made against the log of the same device.
Example from the audit log when submitting the empty-string input above:
"path": "sys/audit-hash/file",
"data": {
"input": "hmac-sha256:e58804117ee9e9393a75199e7a86b7e3bac20227b453e903dc66f46d6b2b4681"
}
Additional Information
A feature request has been submitted to improve the way the audit log is displayed for batch_results.