grafana · mattdurham · Sep 6, 2024 · Sep 4, 2024 · Sep 4, 2024 · Sep 4, 2024
@@ -68,6 +68,10 @@ Main (unreleased)
   for `discovery.*`  is reloaded in such a way that no new targets were
   discovered. (@ptodev, @thampiotr)
 
+- Fixed an issue (see https://github.com/grafana/alloy/issues/1599) where specifying both path and key in the remote.vault `path`
+  configuration could result in incorrect URLs. The `path` and `key` arguments have been separated to allow for clear and accurate
+  specification of Vault secrets. (@PatMis16)
+
 ### Other
 
 - Renamed standard library functions. Old names are still valid but are marked deprecated. (@wildum)

@@ -23,6 +23,7 @@ labels.
 remote.vault "LABEL" {
   server = "VAULT_SERVER"
   path   = "VAULT_PATH"
+  key    = "VAULT_KEY"
 
   // Alternatively, use one of the other auth.* mechanisms.
   auth.token {
@@ -40,6 +41,7 @@ Name               | Type       | Description
 `server`           | `string`   | The Vault server to connect to.                            |         | yes
 `namespace`        | `string`   | The Vault namespace to connect to (Vault Enterprise only). |         | no
 `path`             | `string`   | The path to retrieve a secret from.                        |         | yes
+`key`              | `string`   | The key to retrive a secret from.                          |         | yes
 `reread_frequency` | `duration` | Rate to re-read keys.                                      | `"0s"`  | no
 
 Tokens with a lease will be automatically renewed roughly two-thirds through their lease duration.
@@ -290,7 +292,8 @@ local.file "vault_token" {
 
 remote.vault "remote_write" {
   server = "https://prod-vault.corporate.internal"
-  path   = "secret/prometheus/remote_write"
+  path   = "secret"
+  key    = "prometheus/remote_write
 
   auth.token {
     token = local.file.vault_token.content

@@ -2,8 +2,6 @@ package vault
 
 import (
 	"context"
-	"fmt"
-	"strings"
 
 	vault "github.com/hashicorp/vault/api"
 )
@@ -19,14 +17,8 @@ type secretStore interface {
 type kvStore struct{ c *vault.Client }
 
 func (ks *kvStore) Read(ctx context.Context, args *Arguments) (*vault.Secret, error) {
-	// Split the path so we know which kv mount we want to use.
-	pathParts := strings.SplitN(args.Path, "/", 2)
-	if len(pathParts) != 2 {
-		return nil, fmt.Errorf("missing mount path in %q", args.Path)
-	}
-
-	kv := ks.c.KVv2(pathParts[0])
-	kvSecret, err := kv.Get(ctx, pathParts[1])
+	kv := ks.c.KVv2(args.Path)
+	kvSecret, err := kv.Get(ctx, args.Key)
 	if err != nil {
 		return nil, err
 	}

@@ -35,6 +35,7 @@ type Arguments struct {
 	Namespace string `alloy:"namespace,attr,optional"`
 
 	Path string `alloy:"path,attr"`
+	Key string `alloy:"key,attr"`
 
 	RereadFrequency time.Duration `alloy:"reread_frequency,attr,optional"`
 

@@ -37,7 +37,8 @@ func Test_GetSecrets(t *testing.T) {
 
 	cfg := fmt.Sprintf(`
 		server = "%s"
-		path   = "secret/test"
+		path   = ""
+  		secret = "secret/test"
 
 		reread_frequency = "0s"
 
@@ -86,7 +87,8 @@ func Test_PollSecrets(t *testing.T) {
 
 	cfg := fmt.Sprintf(`
 		server = "%s"
-		path   = "secret/test"
+		path   = ""
+  		key = "secret/test"
 
 		reread_frequency = "100ms"