hashicorp/vault-action

[BUG] - Vault action fails if the key does not contain a dot

Basil-V-Jose opened this issue · 7 comments

Vault server version

v1.14.1

vault-action version

v2.7.4

Describe the bug

I'm unable to retrieve secrets where key does not contains a dot via this action

To Reproduce

      - name: Retrieve secret from Vault
        uses: hashicorp/vault-action@v2.7.4
        with:
          method: jwt
          url: ${{ secrets.VAULT_URL }}
          namespace: ${{ secrets.NAMESPACE }}
          role: read-access
          secrets: |
            Sample/data/TEST/SHARED/DB 'username' | sharedTestDBUsername ;

Expected behavior

I expect the secret to be retrieved and put in env as needed. If I modify the key in vault to username.workaround, and edit the above yaml, action fetches the secret.

      - name: Retrieve secret from Vault
        uses: hashicorp/vault-action@v2.7.4
        with:
          method: jwt
          url: ${{ secrets.VAULT_URL }}
          namespace: ${{ secrets.NAMESPACE }}
          role: read-access
          secrets: |
            Sample/data/TEST/SHARED/DB 'username.workaround' | sharedTestDBUsername ;

Log Output

Error: Unable to retrieve result for data.data."'username'". No match data was found. Double check your Key or Selector.

Hi @Basil-V-Jose

Thanks for reporting this. If you are still having this issue, can you possibly provide more context such as the output of the KV secret read? That will help us investigate what may have occurred.

@robmonte

I am still having this issue.

Run hashicorp/vault-action@v2.5.0
  with:
    method: jwt
    url: https://vaultserver.company.com
    namespace: testNamespace
    role: read-access
    secrets: 
	mountpoint/data/TEST 'ldap.username' | ldapUsername ;
	mountpoint/data/TEST 'ecsAppId' | ecsAppId;
  
  
    tlsSkipVerify: true
    kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
    exportEnv: true
    exportToken: false
    jwtTtl: 3600

**Error: Unable to retrieve result for data.data."'ecsAppId'". No match data was found. Double check your Key or Selector.**

if I change ecsAppId to ecs.AppId , its able to fetch it. So that means ecsAppId is treated as single word and vault action failed to retrieve if key contains only single word.

@Basil-V-Jose Hello, can you please provide the output from the kv commands:

vault kv list mountpoint

vault kv get mountpoint/TEST

We need more information about your configuration to debug further. I am unable to reproduce the issue. I tried the following with v2.5.0, v2.7.4 and v3:

    - name: Import Secrets
      uses: hashicorp/vault-action@v2.5.0
      with:
        url: http://localhost:8200
        method: token
        token: testtoken
        secrets: |
          secret/data/foo bar | OUT1;
          secret/data/foo 'bar.2' | OUT2;

    - name: test
      run: |
        if [ -z "$OUT1" ];then
          echo "1 failed" && exit 1
        fi
        if [ -z "$OUT2" ];then
           echo "2 failed" && exit 1
        fi

Here is my kv output from Vault:

$ vault kv list -mount=secret
Keys
----
foo

$ vault kv get -mount=secret foo
= Secret Path =
secret/data/foo

======= Metadata =======
Key                Value
---                -----
created_time       2024-10-10T15:35:14.704078668Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

==== Data ====
Key      Value
---      -----
bar      baz
bar.2    baz.2

@fairclothjm

Please find my kv output from Vault:

vault kv list mountpoint
Keys
----
TEST
cwr
vault kv get -mount=mountpoint TEST
=== Secret Path ===
mountpoint/data/TEST

======= Metadata =======
Key                Value
---                -----
created_time       2024-10-10T15:34:28.17682695Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            8

======================= Data =======================
Key                                            Value
---                                            -----
ldap.username                                  uyhg78654
ecsAppId                                       appIdsdjsdh
ecs.AppId                                      appIdsdjsdh

Vault server version : v1.17.5
Vault action : v2.5.0

@Basil-V-Jose Thanks for that. Can you try removing the single quotes for the keys that don't contain dot characters?

-mountpoint/data/TEST 'ecsAppId' | ecsAppId;
+mountpoint/data/TEST ecsAppId | ecsAppId;

@fairclothjm , I removed the single quotes for the keys that don't contain dot characters and its able to fetch the secrets now.

@Basil-V-Jose Glad to hear the issue is resolved! :)