Custom URL Path Support? #415

Open
coolhandluke747 opened this issue Aug 22, 2022 · 8 comments

@coolhandluke747

For reasons unknown, my organization uses semi-different paths than what's expected/normal.

For example:
hashivault_token_lookup:
  authtype: token
  url: "https://vault.com"
  token: "abcd"

This defaults to: https://vault.com/v1/auth/token/lookup
My organization uses: /v1/auth/token/lookup-self instead.

Is there any way to add a custom path for these situations, like the official community.hashi_vault modules do?

@TerryHowe
Owner

This sounds like a vault api problem. What version of Vault are you running and what version of hvac is installed?

pip list | grep hvac

@coolhandluke747
Author

Version 0.11.2 for hvac.
I don't have access directly to the Vault server to run vault version, commands, etc. From the UI, though, it says:
Vault 1.5.4+prem

@coolhandluke747
Author

Forgot to mention, I can do a REST call to the expected path in an external REST client and that works just fine. Are we running an older version of Vault, I'm guessing? So I might have to get older versions of your release?

@coolhandluke747
Author

on /v1/auth/token/lookup
hvac.exceptions.Forbidden: 1 error occurred:
* permission denied

on /v1/auth/token/lookup-self
Response 200

What is the difference in permissions/this endpoint?

@TerryHowe
Owner

I don't see any details on lookup vs lookup-self, but probably permissions mostly: https://www.vaultproject.io/api-docs/auth/token. I would have thought if you provided the same token as you used, it should work just like -self.

@TerryHowe
Owner

First step is: don't pass lookup_token, or token for that matter.

If that doesn't help, can you comment out these two lines in your module https://github.com/TerryHowe/ansible-modules-hashivault/blob/main/ansible/modules/hashivault/hashivault_token_lookup.py#L58:L59 because, according to the hvac source https://github.com/hvac/hvac/blob/develop/hvac/v1/__init__.py#L445, if there is no token passed, it will use the self path.

@TerryHowe
Owner

If that works, maybe open a PR with those two lines removed or at least verify, thanks

@coolhandluke747
Author

I need to authenticate somehow so not passing a token or lookup token didn't work for me. I did see in the logs when I didn't pass a token that it tried using that lookup-self path for starters.
Error: hvac.exceptions.InvalidRequest: missing client token

I tried commenting out those two lines and it worked for me by doing the original:
hashivault_token_lookup:
  authtype: token
  url: "https://vault.com"
  token: "abcd"

I can open a PR if you want. I'll do more testing with this.
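
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not code from hvac, Vault or the module: a simplified model of which endpoint a token lookup hits and why a token limited to Vault's built-in default policy gets 403 on one path and 200 on the other. The policy tables and the functions `build_lookup_request`, `authorize` and `simulate` are hypothetical, the ACL check matches exact paths only, and it is an assumption that the reporter's token carries no rule for `auth/token/lookup`.

```python
# Added illustration: a simplified model, not hvac or Vault source code.

# Constructed excerpt of Vault's built-in "default" policy. A token may read
# its own properties, but nothing here covers auth/token/lookup.
DEFAULT_POLICY = {
    "auth/token/lookup-self": {"read"},
    "auth/token/renew-self": {"update"},
    "auth/token/revoke-self": {"update"},
}

# Constructed operator policy that additionally grants arbitrary token lookup.
OPERATOR_POLICY = dict(DEFAULT_POLICY, **{"auth/token/lookup": {"update"}})

# Capability checked for each HTTP verb (simplified to the two verbs used here).
VERB_CAPABILITY = {"GET": "read", "POST": "update"}


def build_lookup_request(token=None):
    """Model the path choice described in the thread: no token argument
    means the -self endpoint, a token argument means the general one."""
    if token is None:
        return "GET", "/v1/auth/token/lookup-self", None
    return "POST", "/v1/auth/token/lookup", {"token": token}


def authorize(policy, method, url_path):
    """Return the HTTP status a caller holding `policy` would receive."""
    acl_path = url_path[len("/v1/"):]      # ACL rules omit the /v1/ prefix
    needed = VERB_CAPABILITY[method]
    return 200 if needed in policy.get(acl_path, set()) else 403


def simulate(policy, token=None):
    """Build the request for a lookup and report (path, status)."""
    method, path, _body = build_lookup_request(token)
    return path, authorize(policy, method, path)


if __name__ == "__main__":
    # Passing the token as the lookup argument selects the general endpoint.
    print(simulate(DEFAULT_POLICY, token="abcd"))
    # Omitting it selects the -self endpoint, which the default policy allows.
    print(simulate(DEFAULT_POLICY))
    # The alternative fix on the Vault side: grant the capability explicitly.
    print(simulate(OPERATOR_POLICY, token="abcd"))
```

Keeping `auth/token/lookup` out of ordinary tokens' policies is the least-privilege default, since that endpoint returns metadata for any token supplied in the request body.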
