[BUG] Get Vault Secrets responds with 404
Closed this issue · 1 comments
tkowalewski commented
Describe the bug
`Get Vault Secrets` responds with 404
To Reproduce
```yaml
name: Rails - Install dependencies, run rspec and linters
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  main:
    runs-on: ubuntu-latest
    services:
      db:
        image: postgres:15
        ports: ['5432:5432']
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: ""
          POSTGRES_DB: postgres
          POSTGRES_HOST_AUTH_METHOD: trust
      redis:
        image: redis:7
        ports:
          - 6379:6379
        options: --entrypoint redis-server
      vault:
        image: vault:1.12.0
        ports: ['8200:8200']
        env:
          VAULT_ADDR: "http://0.0.0.0:8200"
          VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token"
    steps:
      - name: Import Secrets
        uses: hashicorp/vault-action@v2.4.0
        with:
          url: http://localhost:8200
          token: "vault-plaintext-root-token"
          secrets: |
            secret/data/0.1.0 RAILS_SERVE_STATIC_FILES | true;
            secret/data/0.1.0 FAKE_INFLUENCE_VARIABLE | test;
            secret/data/0.1.0 RAILS_ENV | test;
            secret/data/0.1.0 DATABASE_URL | postgresql://postgres:@localhost/fake_influence_test;
            secret/data/0.1.0 REDIS_URL | localhost:6379;
            secret/data/0.1.0 SECRET_KEY_BASE | secretkeybase;
            secret/data/0.1.0 RAILS_MASTER_KEY | 4e9599e019a1f68436a1df391569daa9
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Setup Ruby and install gems
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.1.2'
          bundler-cache: true
      - name: Run rspec
        env:
          PGHOST: localhost
          PGUSER: postgres
          RAILS_ENV: test
          VAULT_ADDR: "http://localhost:8200"
          VAULT_TOKEN: "vault-plaintext-root-token"
        run: |
          bin/rails db:create db:schema:load
          bin/rake assets:precompile
          bin/rspec
      - name: Run security checks
        run: |
          bin/bundler-audit --update
          bin/brakeman -q -w2
      - name: Run linters
        run: |
          bin/rubocop --parallel
```
Expected behavior
Vault should only store secrets?
Log Output
```
Run hashicorp/vault-action@v2.4.0
  with:
    url: http://localhost:8200
    token: vault-plaintext-root-token
    secrets: secret/data/0.1.0 RAILS_SERVE_STATIC_FILES | true;
      secret/data/0.1.0 FAKE_INFLUENCE_VARIABLE | test;
      secret/data/0.1.0 RAILS_ENV | test;
      secret/data/0.1.0 DATABASE_URL | ***localhost/fake_influence_test;
      secret/data/0.1.0 REDIS_URL | localhost:6379;
      secret/data/0.1.0 SECRET_KEY_BASE | secretkeybase;
      secret/data/0.1.0 RAILS_MASTER_KEY | 4e9599e019a1f68436a1df391569daa9
    method: token
    kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
    exportEnv: true
    exportToken: false
    tlsSkipVerify: false
    jwtTtl: 3600
::group::Get Vault Secrets
Get Vault Secrets
::endgroup::
Error: Response code 404 (Not Found)
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Import Secrets
```
maxcoulombe commented
Hey @tkowalewski! Did you have any luck fixing the issue so the GitHub action retrieves your secrets as expected?
It's a bit hard to troubleshoot without more information, but some pointers:
- The Vault URL is configured as http://localhost:8200. How did you make your setup so actions run in GitHub would have access to a Vault instance running on your own machine?
- I see the secrets you are trying to fetch are located at `secret/data/0.1.0`. Can you verify if querying this secret directly on your Vault instance works and paste here the response you get (without the actual sensitive values :P)?
  ```
  vault read secret/data/0.1.0
  ```
- The value after the `|` is used to define an environment variable where to save the retrieved secret if you do not want to use the default naming strategy of using the secret keys, but it looks like you are trying to use it to define default values? Could you try without overriding the resulting secret names to see if it helps:
  ```
  secret/data/0.1.0 FAKE_INFLUENCE_VARIABLE
  ```
  etc.
All in all it seems like a configuration error more than a bug so I'll close the issue for now if that's ok. But if you still need help getting the vault-action to work and can try the suggestions above please re-open this issue and ping me!
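
A workflow shape that follows the pointers above, as an added example that is not part of the issue thread or of the vault-action project. It assumes the 404 arises because nothing has been written at `secret/data/0.1.0` in the fresh dev-mode Vault service container; the seeded values and the `APP_REDIS_URL` name are constructed for illustration.

```yaml
# Added example. Assumes the dev-mode Vault service from the workflow above,
# with its default KV v2 engine mounted at secret/. The root token is the
# throwaway dev token of this CI-only container.
jobs:
  main:
    runs-on: ubuntu-latest
    services:
      vault:
        image: vault:1.12.0
        ports: ['8200:8200']
        env:
          VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token"
    steps:
      # A fresh dev server holds no secrets, so write the test values first.
      # KV v2 HTTP API: POST /v1/<mount>/data/<path> with a {"data": {...}} body.
      - name: Seed test secrets
        env:
          VAULT_ADDR: http://localhost:8200
          VAULT_TOKEN: vault-plaintext-root-token
        run: |
          curl --fail --silent --show-error --retry 5 --retry-connrefused \
            --header "X-Vault-Token: ${VAULT_TOKEN}" \
            --request POST \
            --data '{"data": {"RAILS_ENV": "test", "REDIS_URL": "localhost:6379"}}' \
            "${VAULT_ADDR}/v1/secret/data/0.1.0"
          # Read it back; a 404 here means the path or mount is wrong.
          curl --fail --silent --show-error \
            --header "X-Vault-Token: ${VAULT_TOKEN}" \
            "${VAULT_ADDR}/v1/secret/data/0.1.0" > /dev/null

      - name: Import Secrets
        uses: hashicorp/vault-action@v2.4.0
        with:
          url: http://localhost:8200
          token: "vault-plaintext-root-token"
          # "<path> <key>" exports under the key's own name;
          # "<path> <key> | <NAME>" exports under NAME instead.
          secrets: |
            secret/data/0.1.0 RAILS_ENV ;
            secret/data/0.1.0 REDIS_URL | APP_REDIS_URL

      - name: Use the imported values
        run: test "$RAILS_ENV" = "test" && test -n "$APP_REDIS_URL"
```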