hashicorp/vault-action

[BUG] The Vault action fails if the secret key contains a dot

AlexandarNaydenov opened this issue · 6 comments

Vault server version

Vault 1.14.3 enterprise

vault-action version

v2.7.4

Describe the bug

The Vault Action fails if the secret key contains a dot.
Example: secret.token

To Reproduce

The yaml of the vault-action step:

steps:
      - name: Get Secrets from Vault
        uses: hashicorp/vault-action@v2
        with:
          url: https://vault...
          namespace: some-namespace
          secrets: |
            kv/data/path/secret secret_token | SECRET_TOKEN1 ;
            kv/data/path/secret secret.token | SECRET_TOKEN2 ;

The first example with secret key secret_token works without problem, but the second one fails with an error log:

::error::Unable to retrieve result for data.data.secret.token. No match data was found. Double check your Key or Selector.

Screenshot of the Vault UI:


Expected behavior

To work with both secret keys.

Hi @AlexandarNaydenov! I am sorry you are having trouble. Can you try to use single quotes around the key?

          secrets: |
            kv/data/path/secret 'secret.token' | SECRET_TOKEN1 ;

I believe that should allow proper handling of the dot character.

I am dealing with a similar issue but with a space character instead of a dot.

      secrets: |
        kv/data/path/secret 'secret token' | SECRET_TOKEN1 ;

Should this work, or are spaces not allowed in the name of the secret token?
Should I make a new ticket for this? Or should they have the same fix? (I've tried wrapping it in single quotes as you recommended above but that didn't seem to work; curious if it will for '.')

Hi @mourtallah, @fairclothjm,
I have tried both "secret.token" and 'secret.token' and it didn't work. The error is still the same.

According to the JSONata docs, the correct character for quoting is the backtick

Have you tried:

`secret.token`

and

`secret token`

?

This works for me by enclosing the key within square brackets.

secrets: |
  kv/data/path/secret [secret.token] | SECRET_TOKEN1 ;

Closing since @andyspiers's link to the JSONata docs seems to resolve the issue. https://docs.jsonata.org/simple

Field references containing whitespace or reserved tokens can be enclosed in backticks

Please reopen an issue if you are still encountering trouble.
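
Added example (not part of the thread, and not vault-action or jsonata library code): a small hand-written subset of JSONata path navigation, handling only dots and backtick-quoted field names, showing why the selector `data.data.secret.token` from the error log finds nothing while the backtick form matches. The function names and the response object are constructed for illustration.

```javascript
// Illustrative subset of JSONata path navigation: "." separates steps,
// backticks quote a field name. This is not the jsonata library.
function splitSteps(selector) {
  const steps = [];
  let name = "", inQuote = false, wasQuoted = false;
  const push = () => {
    // In this subset an unquoted step must be a plain identifier.
    if (!wasQuoted && !/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
      throw new Error("step needs backticks: " + JSON.stringify(name));
    }
    steps.push(name);
    name = "";
    wasQuoted = false;
  };
  for (const ch of selector) {
    if (ch === "`") { inQuote = !inQuote; wasQuoted = true; }
    else if (ch === "." && !inQuote) push();   // dot outside quotes: next step
    else name += ch;                           // dot or space inside quotes: literal
  }
  if (inQuote) throw new Error("unterminated backtick: " + selector);
  push();
  return steps;
}

// Walk the steps; a missing field yields undefined, i.e. "no match".
function select(doc, selector) {
  let node = doc;
  for (const step of splitSteps(selector)) {
    const isObject = node !== null && typeof node === "object";
    if (!isObject || !Object.prototype.hasOwnProperty.call(node, step)) return undefined;
    node = node[step];
  }
  return node;
}

// Constructed response body with placeholder values (assumed KV v2 shape,
// matching the data.data prefix seen in the error message).
const response = {
  data: { data: { secret_token: "value-1", "secret.token": "value-2", "secret token": "value-3" } },
};

console.log(splitSteps("data.data.secret.token"));          // four steps: key is split
console.log(select(response, "data.data.secret.token"));    // no field named "secret"
console.log(select(response, "data.data.`secret.token`"));  // one step for the whole key
console.log(select(response, "data.data.`secret token`"));  // same quoting covers spaces
```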