Display vault approle name and policies in case of a failure #2117

Open
tewfik-ghariani opened this issue Aug 10, 2023 · 5 comments
@tewfik-ghariani

Hi,

First of all thanks for all of your efforts and the great tool you have implemented

I have a specific use case that I would like to share:
We are using gomplate to fetch data from vault across many CI/CD pipelines and sometimes the vault approle in-use does not have permissions to access the specified vault path

At that point, we cannot quickly identify which method was used to authenticate, or which policies are enabled.

Example

13:06:57 ERR  error="failed to render template /tmp/common.ymlm0nu1xfx: 
template: /tmp/common.ymlm0nu1xfx:47:15: 
executing "/tmp/common.ymlm0nu1xfx" at <datasource "vault" "test/secrets/data/services/value">: 
error calling datasource: 
Couldn't read datasource 'vault': Error making API request.

URL: GET https://vault.hostname:8200/v1/test/secrets/data/services/value
Code: 403. 

Errors:
* 1 error occurred:
   * permission denied

It would be really nice to additionally display some information about the authentication method as well as the policies

It might be possible to simply look up the generated token and retrieve its meta information,
e.g.

Authenticated with approle using role=role-name 
or
Authenticated with token using user=user-name
policies=['private', 'default', 'other-ro']
Token expires on: 2023-08-10 13:20
Token type: session/batch

My request is mainly about the approle but if it makes sense to apply it to all auth methods, it would be better

Additionally, this does not have to be only in case of a failure, if you prefer to provide a flag that allows the display of such information before reading any values, it could work as well ^^
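As an added illustration of the "look up the generated token" idea (this is example code, not gomplate's or go-fsimpl's own implementation): the snippet below decodes a response shaped like Vault's `GET /v1/auth/token/lookup-self` (`path`, `display_name`, `policies`, `expire_time`, `type`, `meta`) and turns it into the diagnostic lines proposed above. The JSON body is constructed for the example, the `role_name`/`username` meta keys are the ones the approle and userpass backends populate, and only token metadata is rendered, never the token value itself.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// TokenInfo is the subset of Vault's auth/token/lookup-self "data" object
// that helps explain a 403 on a datasource read.
type TokenInfo struct {
	Path        string            `json:"path"`         // login path, e.g. auth/approle/login
	DisplayName string            `json:"display_name"` // backend-assigned display name
	Policies    []string          `json:"policies"`     // policies attached to the token
	ExpireTime  time.Time         `json:"expire_time"`  // null for tokens that never expire
	Type        string            `json:"type"`         // "service" or "batch"
	Meta        map[string]string `json:"meta"`         // backend metadata (role_name, username, ...)
}

// lookupSelfResponse is the envelope Vault wraps around the lookup data.
type lookupSelfResponse struct {
	Data TokenInfo `json:"data"`
}

// ParseTokenInfo decodes the JSON body of a lookup-self call.
func ParseTokenInfo(body []byte) (TokenInfo, error) {
	var resp lookupSelfResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return TokenInfo{}, fmt.Errorf("decoding lookup-self response: %w", err)
	}
	return resp.Data, nil
}

// AuthMethod derives the auth backend from the token's login path
// ("auth/approle/login" -> "approle"). Root or orphan tokens have no login path,
// so they are reported as plain "token" authentication.
func AuthMethod(info TokenInfo) string {
	parts := strings.Split(strings.Trim(info.Path, "/"), "/")
	if len(parts) >= 2 && parts[0] == "auth" {
		return parts[1]
	}
	return "token"
}

// Describe renders the diagnostic proposed in the issue. It deliberately
// includes no secret material: the token and its accessor are never printed.
func Describe(info TokenInfo) string {
	var b strings.Builder
	method := AuthMethod(info)
	switch method {
	case "approle":
		fmt.Fprintf(&b, "Authenticated with approle using role=%s", info.Meta["role_name"])
	case "userpass", "ldap":
		fmt.Fprintf(&b, "Authenticated with %s using user=%s", method, info.Meta["username"])
	default:
		fmt.Fprintf(&b, "Authenticated with %s (display_name=%s)", method, info.DisplayName)
	}
	fmt.Fprintf(&b, "\npolicies=%v", info.Policies)
	if !info.ExpireTime.IsZero() {
		fmt.Fprintf(&b, "\nToken expires on: %s", info.ExpireTime.UTC().Format("2006-01-02 15:04"))
	}
	fmt.Fprintf(&b, "\nToken type: %s", info.Type)
	return b.String()
}

// sampleLookupSelf is a constructed response for this example, not one
// captured from a real Vault server.
const sampleLookupSelf = `{
  "data": {
    "accessor": "REDACTED",
    "display_name": "approle",
    "expire_time": "2023-08-10T13:20:00Z",
    "meta": {"role_name": "role-name"},
    "path": "auth/approle/login",
    "policies": ["default", "other-ro", "private"],
    "type": "service"
  }
}`

func main() {
	info, err := ParseTokenInfo([]byte(sampleLookupSelf))
	if err != nil {
		panic(err)
	}
	fmt.Println(Describe(info))
}
```

Emitting `Describe` only on a 403 keeps the extra output out of successful runs; emitting it at debug level on every login is the alternative the later comments discuss.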

@github-actions
Copy link

github-actions bot commented Oct 9, 2023

This issue is stale because it has been open for 60 days with no
activity. If it is no longer relevant or necessary, please close it.
Given no action, it will be closed in 14 days.

If it's still relevant, one of the following will remove the stale
marking:

  • A maintainer can add this issue to a milestone to indicate that
    it's been accepted and will be worked on
  • A maintainer can remove the stale label
  • Anyone can post an update or other comment

@github-actions github-actions bot added the Stale label Oct 9, 2023
@github-actions github-actions bot closed this as not planned Oct 24, 2023
@hairyhenderson
Copy link
Owner

Sorry for the delay on this. It may be possible to provide debug logs with this information - This'll need to go into https://github.com/hairyhenderson/go-fsimpl however, as the next major release of gomplate will use that module for the Vault datasource (and authentication).

@hairyhenderson
Copy link
Owner

Given that this is work that needs to be done in go-fsimpl, I'll transfer it there!

@hairyhenderson hairyhenderson transferred this issue from hairyhenderson/gomplate May 12, 2024
@hairyhenderson
Copy link
Owner

I looked into this briefly, and it's going to be quite a bit more complex than I thought. The authentication is all delegated to the various vault packages at https://github.com/hashicorp/vault/blob/main/api/auth

At the least, it would be possible to display which auth method was used. But that really only makes sense if it's always logged (at debug level, of course). It could get verbose quickly!

I'm going to move this back to the gomplate repo. The go-fsimpl module currently doesn't do any logging and I'd rather not start now.

@hairyhenderson hairyhenderson transferred this issue from hairyhenderson/go-fsimpl Jun 17, 2024
@hairyhenderson hairyhenderson added this to the future milestone Jun 17, 2024
@hairyhenderson
Copy link
Owner

Also removing this from the v4 project so as not to hold up the release.
