Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't require token when using auth logins #130

Open
MichaelSp opened this issue Oct 29, 2021 · 5 comments
Open

Don't require token when using auth logins #130

MichaelSp opened this issue Oct 29, 2021 · 5 comments
Labels
kind/enhancement Improvements or new features

Comments

@MichaelSp
Copy link

MichaelSp commented Oct 29, 2021
edited
Loading

Hello!

  • Vote on this issue by adding a 👍 reaction
  • To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

The login with approle method doesn't work as described in https://registry.terraform.io/providers/hashicorp/vault/latest/docs#example-auth_login-usage

Steps to reproduce

The project doc says the VAULT_TOKEN is required, but according to the go-code, it shouldn't be required.

import * as vault from "@pulumi/vault";

vault.config.authLogins = [{
  path: `/auth/approle/login`,
  namespace: vault.config.namespace,
  parameters: {
    role_id: process.env.VAULT_APP_ROLE_ID!,
    secret_id: process.env.VAULT_APP_ROLE_SECRET_ID!
  }
}];


const ns1 = new vault.Namespace("ns1", {
  path: "ns1",
});

and

pulumi config set vault:namespace https://my.vault.instance/
pulumi config set vault:namespace myNamespace
export VAULT_APP_ROLE_ID=123-123-123
export VAULT_APP_ROLE_SECRET_ID=456-456-456

Expected:

  • Login with app-role and create new namespace

Actual: 

$ pulumi up                                                                                                                                                                                                                                               
Previewing update (seed):
     Type                      Name        Plan     Info
     pulumi:pulumi:Stack       infra-seed
     └─ vault:index:Namespace  ns1                  1 error

Diagnostics:
  vault:index:Namespace (ns1):
    error: no vault token found
@MichaelSp MichaelSp added the kind/bug Some behavior is incorrect or out of spec label Oct 29, 2021
@MichaelSp
Copy link
Author

MichaelSp commented Oct 29, 2021
edited
Loading

I also tried this:

import * as vault from "@pulumi/vault";

const provider = new vault.Provider("approle", {
  token: undefined as unknown as string,
  address: vault.config.address!,
  namespace: vault.config.namespace,
  authLogins: [{
    path: `/auth/approle/login`,
    namespace: vault.config.namespace,
    parameters: {
      role_id: process.env.VAULT_APP_ROLE_ID!,
      secret_id: process.env.VAULT_APP_ROLE_SECRET_ID!
    }
  }]
});

const ns1 = new vault.Namespace("ns1", {
  path: "ns1"
}, { provider });

but:

$ pulumi up
Previewing update (seed):
     Type                 Name        Plan     Info
     pulumi:pulumi:Stack  infra-seed           1 error

Diagnostics:
  pulumi:pulumi:Stack (infra-seed):
    error: Running program '/app/pulumi/infra' failed with an unhandled exception:
    Error: Missing required property 'token'
        at new Provider (/app/pulumi/infra/node_modules/@pulumi/provider.ts:45:23)
[...] etc...

@MichaelSp
Copy link
Author

This actually works, but it's quite confusing:

const vaultAppRoleLoginConfig: vault.types.output.config.AuthLogins = {
  path: `/auth/approle/login`,
  namespace: vault.config.namespace,
  parameters: {
    role_id: process.env.VAULT_APP_ROLE_ID!,
    secret_id: process.env.VAULT_APP_ROLE_SECRET_ID!
  }
};

export const vaultProvider = new vault.Provider("approle", {
  token: "you literally have to write some crap here, otherwise it will not work",
  address: vault.config.address!,
  namespace: vault.config.namespace,
  authLogins: [vaultAppRoleLoginConfig]
});

This would turn this bug into a minor one:
I'd suggest to not make the VAULT_TOKEN required. Quite strange that in the hcl version they don't have the token even if it says it is required 🤔 .

@leezen
Copy link

leezen commented Nov 2, 2021

Thanks for the suggestion. As there's no actual bug in functionality, I'm going to re-mark this issue as an enhancement.

@leezen leezen added kind/enhancement Improvements or new features and removed kind/bug Some behavior is incorrect or out of spec labels Nov 2, 2021
@leezen leezen changed the title approle login doesn't work: error: no vault token found Don't require token when using auth logins Nov 2, 2021
@asvinours
Copy link

I think this should be considered a bug, and not an enhancement, because the documentation says:

vault:token - (Required) Vault token that will be used by the provider to authenticate. May be set via the VAULT_TOKEN environment variable. If none is otherwise supplied, the provider will attempt to read it from ~/.vault-token (where the vault command stores its current token).

The issue is because the token attribute is mandatory, the provider cannot read the value from the environment variable nor from ~/.vault-token file. I understand the documentation might have been copied from the terraform repository, but this can easily cause confusion.

See https://github.com/pulumi/pulumi-vault/blob/master/sdk/python/README.md#configuration

@dgivens
Copy link

dgivens commented Feb 27, 2024

Just to add, when you run pulumi refresh and the token in the state is expired it fails. You have to run pulumi up first, so the state is updated with a valid token. You can't even run pulumi up --refresh.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/enhancement Improvements or new features
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@MichaelSp @leezen @dgivens @asvinours