[BUG] Unable to retrieve entry which key contains a dot
egavard opened this issue · 4 comments
Describe the bug
I'm unable to retrieve secrets whose key contains a dot via this action, whereas the CLI can do it.
To Reproduce
- name: 'Retrieve secrets from Vault'
  uses: hashicorp/vault-action@v2
  with:
    url: ${{ secrets.VAULT_URL }}
    namespace: admin
    method: approle
    roleId: ${{ secrets.VAULT_ROLE_ID }}
    secretId: ${{ secrets.VAULT_SECRET_ID }}
    secrets: |
      secret/data/${{inputs.environment}}/${{inputs.appname}} environment | DEPLOY_ENVIRONMENT ;
      secret/data/${{inputs.environment}}/${{inputs.appname}} namespace | DEPLOY_NAMESPACE ;
      secret/data/${{inputs.environment}}/${{inputs.appname}} adminUserId | ADMIN_USER_ID ;
      secret/data/${{inputs.environment}}/${{inputs.appname}} processingUserId | PROCESSING_USER_ID ;
      secret/data/${{inputs.environment}}/${{inputs.appname}} database.host | DATABASE_HOST ;
      secret/data/${{inputs.environment}}/${{inputs.appname}} database.legacySchema | DATABASE_LEGACY_SCHEMA ;
      secret/data/${{inputs.environment}}/${{inputs.appname}} database.name | DATABBASE_NAME ;
      secret/data/${{inputs.environment}}/${{inputs.appname}} database.password | DATABASE_PASSWORD ;
      secret/data/${{inputs.environment}}/${{inputs.appname}} database.schema | DATABASE_SCHEMA ;
      secret/data/${{inputs.environment}}/${{inputs.appname}} database.user | DATABASE_USER ;
Expected behavior
I expect the secret to be retrieved and put in env as needed.
Log Output
##[debug]Evaluating condition for step: 'Retrieve secrets from Vault'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Retrieve secrets from Vault
##[debug]Loading inputs
##[debug]Evaluating: secrets.VAULT_URL
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'VAULT_URL'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Evaluating: secrets.VAULT_ROLE_ID
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'VAULT_ROLE_ID'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Evaluating: secrets.VAULT_SECRET_ID
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'VAULT_SECRET_ID'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]secret/data/{0}/{1} environment | DEPLOY_ENVIRONMENT ;
##[debug]secret/data/{2}/{3} namespace | DEPLOY_NAMESPACE ;
##[debug]secret/data/{4}/{5} adminUserId | ADMIN_USER_ID ;
##[debug]secret/data/{6}/{7} processingUserId | PROCESSING_USER_ID ;
##[debug]secret/data/{8}/{9} database.host | DATABASE_HOST ;
##[debug]secret/data/{10}/{11} database.legacySchema | DATABASE_LEGACY_SCHEMA ;
##[debug]secret/data/{12}/{13} database.name | DATABBASE_NAME ;
##[debug]secret/data/{14}/{15} database.password | DATABASE_PASSWORD ;
##[debug]secret/data/{16}/{17} database.schema | DATABASE_SCHEMA ;
##[debug]secret/data/{18}/{19} database.user | DATABASE_USER ;
##[debug]', inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname, inputs.environment, inputs.appname)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]secret/data/{0}/{1} environment | DEPLOY_ENVIRONMENT ;
##[debug]secret/data/{2}/{3} namespace | DEPLOY_NAMESPACE ;
##[debug]secret/data/{4}/{5} adminUserId | ADMIN_USER_ID ;
##[debug]secret/data/{6}/{7} processingUserId | PROCESSING_USER_ID ;
##[debug]secret/data/{8}/{9} database.host | DATABASE_HOST ;
##[debug]secret/data/{10}/{11} database.legacySchema | DATABASE_LEGACY_SCHEMA ;
##[debug]secret/data/{12}/{13} database.name | DATABBASE_NAME ;
##[debug]secret/data/{14}/{15} database.password | DATABASE_PASSWORD ;
##[debug]secret/data/{16}/{17} database.schema | DATABASE_SCHEMA ;
##[debug]secret/data/{18}/{19} database.user | DATABASE_USER ;
##[debug]'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'environment'
##[debug]..=> 'dev'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'appname'
##[debug]..=> 'tile-api'
##[debug]secret/data/dev/tile-api environment | DEPLOY_ENVIRONMENT ;
##[debug]secret/data/dev/tile-api namespace | DEPLOY_NAMESPACE ;
##[debug]secret/data/dev/tile-api adminUserId | ADMIN_USER_ID ;
##[debug]secret/data/dev/tile-api processingUserId | PROCESSING_USER_ID ;
##[debug]secret/data/dev/tile-api database.host | DATABASE_HOST ;
##[debug]secret/data/dev/tile-api database.legacySchema | DATABASE_LEGACY_SCHEMA ;
##[debug]secret/data/dev/tile-api database.name | DATABBASE_NAME ;
##[debug]secret/data/dev/tile-api database.password | DATABASE_PASSWORD ;
##[debug]secret/data/dev/tile-api database.schema | DATABASE_SCHEMA ;
##[debug]secret/data/dev/tile-api database.user | DATABASE_USER ;
##[debug]'
##[debug]Result: 'secret/data/dev/tile-api environment | DEPLOY_ENVIRONMENT ;
##[debug]secret/data/dev/tile-api namespace | DEPLOY_NAMESPACE ;
##[debug]secret/data/dev/tile-api adminUserId | ADMIN_USER_ID ;
##[debug]secret/data/dev/tile-api processingUserId | PROCESSING_USER_ID ;
##[debug]secret/data/dev/tile-api database.host | DATABASE_HOST ;
##[debug]secret/data/dev/tile-api database.legacySchema | DATABASE_LEGACY_SCHEMA ;
##[debug]secret/data/dev/tile-api database.name | DATABBASE_NAME ;
##[debug]secret/data/dev/tile-api database.password | DATABASE_PASSWORD ;
##[debug]secret/data/dev/tile-api database.schema | DATABASE_SCHEMA ;
##[debug]secret/data/dev/tile-api database.user | DATABASE_USER ;
##[debug]secret/data/dev/tile-api deployIngressRoutes | DEPLOY_INGRESS_ROUTES ;
##[debug]secret/data/dev/tile-api deployTraefikRoutes | DEPLOY_TRAEFIK_ROUTES ;
##[debug]secret/data/dev/tile-api generateCertificate | GENERATE_CERTIFICATES ;
##[debug]secret/data/dev/tile-api ingress.cors[0].host | CORS_HOST_0 ;
##[debug]secret/data/dev/tile-api ingress.cors[1].host | CORS_HOST_1 ;
##[debug]secret/data/dev/tile-api ingress.cors[2].host | CORS_HOST_2 ;
##[debug]secret/data/dev/tile-api ingress.cors[3].host | CORS_HOST_3 ;
##[debug]secret/data/dev/tile-api ingress.cors[4].host | CORS_HOST_4 ;
##[debug]secret/data/dev/tile-api ingress.hosts[0].host | INGRESS_HOST ;
##[debug]secret/data/dev/tile-api oauth.issuerUrl | OAUTH_ISSUER_URL ;
##[debug]secret/data/dev/tile-api oauth.clientId | OAUTH_CLIENT_ID ;
##[debug]secret/data/dev/tile-api oauth.clientSecret | OAUTH_CLIENT_SECRET ;
##[debug]secret/data/dev/tile-api sentry.dsn | SENTRY_DSN ;
##[debug]secret/data/dev/tile-api sentry.environment | SENTRY_ENVIRONMENT ;
##[debug]'
##[debug]Loading env
Run hashicorp/vault-action@v2
with:
url: ***
namespace: admin
method: approle
roleId: ***
secretId: ***
secrets: secret/data/dev/tile-api environment | DEPLOY_ENVIRONMENT ;
secret/data/dev/tile-api namespace | DEPLOY_NAMESPACE ;
secret/data/dev/tile-api adminUserId | ADMIN_USER_ID ;
secret/data/dev/tile-api processingUserId | PROCESSING_USER_ID ;
secret/data/dev/tile-api database.host | DATABASE_HOST ;
secret/data/dev/tile-api database.legacySchema | DATABASE_LEGACY_SCHEMA ;
secret/data/dev/tile-api database.name | DATABBASE_NAME ;
secret/data/dev/tile-api database.password | DATABASE_PASSWORD ;
secret/data/dev/tile-api database.schema | DATABASE_SCHEMA ;
secret/data/dev/tile-api database.user | DATABASE_USER ;
kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
exportEnv: true
exportToken: false
tlsSkipVerify: false
jwtTtl: 3600
::group::Get Vault Secrets
Get Vault Secrets
##[debug]Retrieving Vault Token from v1/auth/approle/login endpoint
##[debug]✔ Vault Token successfully retrieved
::group::Token Info
Token Info
##[debug]Operating under policies: ["default","jenkins"]
##[debug]Token Metadata: {"role_name":"jenkins"}
::endgroup::
::endgroup::
Error: Unable to retrieve result for data.data.database.host. No match data was found. Double check your Key or Selector.
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Retrieve secrets from Vault
Additional context
EDIT: More likely related to the way the data are explored via jsonata
I have the same issue as well
Error: Unable to retrieve result for data.data.hasura.admin.secret. No match data was found. Double check your Key or Selector.
Having gone through the code, this doesn't look like an easy fix. Both the secret key passed and the keys in the response body data would have to be transformed to replace dots with underscore or something, similar to what is done for the output environment variable.
Having gone through the code, this doesn't look like an easy fix. Both the secret key passed and the keys in the response body data would have to be transformed to replace dots with underscore or something, similar to what is done for the output environment variable.
I stand corrected. This does not need to be fixed at all.
I managed to get it working by using backticks in the selector name. E.g.:
- For top level object key with dots in the name:
  secrets: secret/data/ci/aws `hasura.admin.secret` | HASURA_ADMIN_SECRET;
- For nested object key with dots, it should work like this:
  secrets: secret/data/ci/aws hasura.`admin.secret` | HASURA_ADMIN_SECRET;
Note: I have only tested option 1 and not option 2 via GitHub action runners, but based on the jsonata playground, it should work. I have the input selector parsing logic tested here: https://runkit.com/porcupinesourcream/vault-action-jsonata-selector
On a side note, I think the action documentation should specify that the selector is a jsonata query and include the documentation link to it.
https://docs.jsonata.org/overview.html
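The selector behaviour discussed in this thread, as a simplified model added here for illustration; it is not code from vault-action or from the jsonata library. It handles only plain and backtick-quoted names separated by dots, the response body and its values are constructed, the function names are hypothetical, and the `data.data.` prefix is taken from the error messages above.

```javascript
// Constructed KV v2 style response body (sample values, not real secrets).
const kvV2Response = {
  data: {
    data: {
      namespace: 'constructed-ns',
      'database.host': 'db.example.internal',    // top-level key containing a dot
      hasura: { 'admin.secret': 'constructed' }, // nested key containing a dot
    },
  },
};

// Split a selector into path steps. An unquoted dot separates steps;
// a dot inside backticks is part of the key name.
function splitSelector(selector) {
  const steps = [];
  let current = '';
  let quoted = false;
  for (const ch of selector) {
    if (ch === '`') { quoted = !quoted; continue; }
    if (ch === '.' && !quoted) { steps.push(current); current = ''; continue; }
    current += ch;
  }
  if (quoted) throw new Error('unterminated backtick in selector: ' + selector);
  steps.push(current);
  return steps;
}

// Walk the steps through the body; undefined means "no match data was found".
function resolve(body, selector) {
  return splitSelector(selector).reduce((node, step) => {
    const isObject = node !== null && typeof node === 'object';
    return isObject && Object.prototype.hasOwnProperty.call(node, step)
      ? node[step]
      : undefined;
  }, body);
}

// Model of the lookup: the user's selector is evaluated under data.data.
function lookup(selector) {
  return resolve(kvV2Response, 'data.data.' + selector);
}

// Build a selector from literal key names, quoting any name that is not
// a plain identifier so dots in it are not read as path separators.
function toSelector(keys) {
  return keys.map((key) => {
    if (key.includes('`')) throw new Error('key contains a backtick: ' + key);
    return /^[A-Za-z_][A-Za-z0-9_]*$/.test(key) ? key : '`' + key + '`';
  }).join('.');
}

console.log(lookup('database.host'));                         // unquoted: no match
console.log(lookup(toSelector(['database.host'])));           // quoted top-level key
console.log(lookup(toSelector(['hasura', 'admin.secret'])));  // quoted nested key
```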
Closed by #455