'client nonce mismatch' when using AWS auth with nonce #205

Closed
adaphi opened this issue Sep 13, 2017 · 1 comment · Fixed by #207
adaphi commented Sep 13, 2017

When using VAULT_AUTH_AWS_NONCE_OUTPUT in combination with VAULT_AUTH_AWS_NONCE_FILE, the nonce value is not used correctly, making gomplate unable to authenticate.

When no value exists, gomplate authenticates and writes out the nonce value:

[centos@ip-10-101-207-71 ~]$ touch nonce
[centos@ip-10-101-207-71 ~]$ export VAULT_AUTH_AWS_NONCE_FILE="$(pwd)/nonce"
[centos@ip-10-101-207-71 ~]$ export VAULT_AUTH_AWS_NONCE_OUTPUT="$(pwd)/nonce"
[centos@ip-10-101-207-71 ~]$ echo '{{(datasource "vault" "secret/test").value}}' | gomplate --datasource vault=vault://
foo
[centos@ip-10-101-207-71 ~]$ cat nonce
6890ac46-c75c-0c28-2570-f44e11d35860

But running the same command a second time throws an error:

[centos@ip-10-101-207-71 ~]$ echo '{{(datasource "vault" "secret/test").value}}' | gomplate --datasource vault=vault://
2017/09/13 13:02:08 AWS EC2 logon failedError making API request.

URL: PUT https://vault.cloud.local:443/v1/auth/aws/login
Code: 400. Errors:

* client nonce mismatch

It appears that this is because of the trailing newline in the file, as it works if you remove it:

[centos@ip-10-101-207-71 ~]$ echo -n "6890ac46-c75c-0c28-2570-f44e11d35860" > nonce
[centos@ip-10-101-207-71 ~]$ echo '{{(datasource "vault" "secret/test").value}}' | gomplate --datasource vault=vault://
foo

Presumably gomplate should either not include the trailing newline, or should be able to strip it when it reads the file?
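The round trip described above, reduced to a runnable model. This is an added example, not gomplate's or Vault's code: `fakeVault` is a constructed stand-in for the server-side check only (first login records the nonce for the instance, later logins must present identical bytes), the instance ID is a made-up sample, and the nonce value is the one pasted in the report. `naiveReadNonce` and `writeNonceWithNewline` reproduce the reported behaviour; `readNonce` and `writeNonce` show the two fixes suggested in the issue (strip on read, or never write the newline).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrNonceMismatch stands in for the HTTP 400 "client nonce mismatch" that
// Vault's AWS auth backend returns when a re-login presents a nonce that
// differs from the one recorded at the instance's first login.
var ErrNonceMismatch = errors.New("client nonce mismatch")

// fakeVault is a constructed stand-in for the server-side check only: the
// first login for an instance records the nonce, later logins must present
// exactly the same bytes. It is not Vault's code.
type fakeVault struct{ stored map[string]string }

func (v *fakeVault) login(instanceID, nonce string) error {
	prev, seen := v.stored[instanceID]
	if !seen {
		v.stored[instanceID] = nonce
		return nil
	}
	if prev != nonce {
		return ErrNonceMismatch
	}
	return nil
}

// naiveReadNonce returns the file contents verbatim, so a trailing "\n"
// becomes part of the nonce (the behaviour the issue reports).
func naiveReadNonce(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// readNonce strips trailing line endings and whitespace, so a file written
// with a newline (by echo, an editor, or an older writer) still round-trips.
func readNonce(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return strings.TrimRight(string(b), "\r\n\t "), nil
}

// writeNonce persists the nonce with no trailing newline and owner-only
// permissions, since the nonce is what lets this instance re-authenticate.
func writeNonce(path, nonce string) error {
	return os.WriteFile(path, []byte(nonce), 0o600)
}

// writeNonceWithNewline reproduces the reported writer, which appends "\n".
func writeNonceWithNewline(path, nonce string) error {
	return os.WriteFile(path, []byte(nonce+"\n"), 0o600)
}

// loginTwice logs in with a fresh nonce, persists it with write, reads it
// back with read, and logs in again; it returns the second login's error.
func loginTwice(path string, write func(string, string) error, read func(string) (string, error)) error {
	v := &fakeVault{stored: map[string]string{}}
	const instanceID = "i-0123456789abcdef0"             // constructed sample
	const nonce = "6890ac46-c75c-0c28-2570-f44e11d35860" // value from the issue
	if err := v.login(instanceID, nonce); err != nil {
		return err
	}
	if err := write(path, nonce); err != nil {
		return err
	}
	got, err := read(path)
	if err != nil {
		return err
	}
	return v.login(instanceID, got)
}

func main() {
	dir, err := os.MkdirTemp("", "nonce-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "nonce")

	fmt.Println("writer adds \\n, reader keeps it: ", loginTwice(path, writeNonceWithNewline, naiveReadNonce))
	fmt.Println("writer adds \\n, reader trims it: ", loginTwice(path, writeNonceWithNewline, readNonce))
	fmt.Println("writer omits \\n, reader keeps it:", loginTwice(path, writeNonce, naiveReadNonce))
}
```

Only the first combination fails, which is the case in the report: the file is written with a newline and read back verbatim, so the second login presents 37 bytes where the server recorded 36. Trimming on read is the more robust of the two fixes because it also tolerates files created by hand with `echo`, as in the reporter's workaround.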

@hairyhenderson (Owner) commented

Thanks for logging this, @adaphi

Indeed, we are adding a \n here: https://github.com/hairyhenderson/gomplate/blob/master/vault/auth.go#L205

@stuart-c can you shed some light on this? Is there a reason why a \n is being explicitly added? Seems to me the fix is simple (just remove that character), but I haven't had a chance to dig deeply into these nonces yet, so I'm not 100% certain.
