[BUG] - Vault action fails if the key does not contain a dot
Basil-V-Jose opened this issue · 7 comments
Vault server version
v1.14.1
vault-action version
v2.7.4
Describe the bug
I'm unable to retrieve secrets whose key does not contain a dot via this action.
To Reproduce
```yaml
- name: Retrieve secret from Vault
  uses: hashicorp/vault-action@v2.7.4
  with:
    method: jwt
    url: ${{ secrets.VAULT_URL }}
    namespace: ${{ secrets.NAMESPACE }}
    role: read-access
    secrets: |
      Sample/data/TEST/SHARED/DB 'username' | sharedTestDBUsername ;
```
Expected behavior
I expect the secret to be retrieved and put in env as needed. If I modify the key in Vault to username.workaround and edit the above YAML, the action fetches the secret.
```yaml
- name: Retrieve secret from Vault
  uses: hashicorp/vault-action@v2.7.4
  with:
    method: jwt
    url: ${{ secrets.VAULT_URL }}
    namespace: ${{ secrets.NAMESPACE }}
    role: read-access
    secrets: |
      Sample/data/TEST/SHARED/DB 'username.workaround' | sharedTestDBUsername ;
```
Log Output
```
Error: Unable to retrieve result for data.data."'username'". No match data was found. Double check your Key or Selector.
```
Thanks for reporting this. If you are still having this issue, can you possibly provide more context such as the output of the KV secret read? That will help us investigate what may have occurred.
I am still having this issue.
```
Run hashicorp/vault-action@v2.5.0
  with:
    method: jwt
    url: https://vaultserver.company.com
    namespace: testNamespace
    role: read-access
    secrets:
      mountpoint/data/TEST 'ldap.username' | ldapUsername ;
      mountpoint/data/TEST 'ecsAppId' | ecsAppId;
    tlsSkipVerify: true
    kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
    exportEnv: true
    exportToken: false
    jwtTtl: 3600
```
**Error: Unable to retrieve result for data.data."'ecsAppId'". No match data was found. Double check your Key or Selector.**
If I change ecsAppId to ecs.AppId, it's able to fetch it. So that means ecsAppId is treated as a single word, and vault-action fails to retrieve it if the key contains only a single word.
@Basil-V-Jose Hello, can you please provide the output from the kv commands:
```shell
vault kv list mountpoint
vault kv get mountpoint/TEST
```
We need more information about your configuration to debug further. I am unable to reproduce the issue. I tried the following with v2.5.0, v2.7.4 and v3:
```yaml
- name: Import Secrets
  uses: hashicorp/vault-action@v2.5.0
  with:
    url: http://localhost:8200
    method: token
    token: testtoken
    secrets: |
      secret/data/foo bar | OUT1;
      secret/data/foo 'bar.2' | OUT2;
- name: test
  run: |
    if [ -z "$OUT1" ]; then
      echo "1 failed" && exit 1
    fi
    if [ -z "$OUT2" ]; then
      echo "2 failed" && exit 1
    fi
```
Here is my kv output from Vault:
```
$ vault kv list -mount=secret
Keys
----
foo

$ vault kv get -mount=secret foo
= Secret Path =
secret/data/foo

======= Metadata =======
Key                Value
---                -----
created_time       2024-10-10T15:35:14.704078668Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

==== Data ====
Key      Value
---      -----
bar      baz
bar.2    baz.2
```
Please find my kv output from Vault:
```
$ vault kv list mountpoint
Keys
----
TEST
cwr

$ vault kv get -mount=mountpoint TEST
=== Secret Path ===
mountpoint/data/TEST

======= Metadata =======
Key                Value
---                -----
created_time       2024-10-10T15:34:28.17682695Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            8

======================= Data =======================
Key              Value
---              -----
ldap.username    uyhg78654
ecsAppId         appIdsdjsdh
ecs.AppId        appIdsdjsdh
```
Vault server version: v1.17.5
Vault action: v2.5.0
@Basil-V-Jose Thanks for that. Can you try removing the single quotes for the keys that don't contain dot characters?
-mountpoint/data/TEST 'ecsAppId' | ecsAppId;
+mountpoint/data/TEST ecsAppId | ecsAppId;
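Review bot: The single quotes on the removed line end up inside the failing selector shown in the log above (`data.data."'ecsAppId'"`), so dropping them on the `+` line is the right fix for a dot-less key; the `'ldap.username'` entry should keep its quotes, since that key name itself contains a dot.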
@fairclothjm, I removed the single quotes for the keys that don't contain dot characters and it's able to fetch the secrets now.
@Basil-V-Jose Glad to hear the issue is resolved! :)
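The quoting rule that resolved this thread, as an added example (not vault-action's own code): a small linter for the `secrets:` input that flags a single-quoted key with no dot, plus a resolver that looks each entry up in a constructed KV v2 read body. The `parseSecretsInput`, `lintEntries` and `resolveSecrets` names and the sample response are assumptions made for this example.

```javascript
// Constructed sample of a KV v2 read body (shape of `vault kv get -format=json`),
// mirroring the keys from the issue's `vault kv get -mount=mountpoint TEST` output.
const SAMPLE_KV_RESPONSE = {
  data: {
    data: { "ldap.username": "uyhg78654", ecsAppId: "appIdsdjsdh" },
    metadata: { version: 8 },
  },
};

// Parse lines of the form `mount/data/path KEY | ENV_NAME;` into structured entries.
// A key wrapped in single quotes is recorded as `quoted`, with the quotes stripped.
function parseSecretsInput(input) {
  return input
    .split(";")
    .map((l) => l.trim())
    .filter(Boolean)
    .map((line) => {
      const [lhs, envName] = line.split("|").map((s) => s.trim());
      if (!lhs || !envName) throw new Error(`malformed line: ${line}`);
      const [path, rawKey] = lhs.split(/\s+/);
      if (!path || !rawKey) throw new Error(`missing path or key: ${line}`);
      const quoted = /^'.*'$/.test(rawKey);
      const key = quoted ? rawKey.slice(1, -1) : rawKey;
      return { path, key, quoted, envName };
    });
}

// Flag the exact mistake from this thread: single quotes around a key that has no dot.
// Quotes are only needed for dotted key names such as 'ldap.username'.
function lintEntries(entries) {
  return entries
    .filter((e) => e.quoted && !e.key.includes("."))
    .map((e) => `${e.envName}: key '${e.key}' has no dot; drop the single quotes`);
}

// Resolve each entry against the KV response, returning { ENV_NAME: value }.
// Fails closed on any key that is absent rather than silently exporting nothing.
function resolveSecrets(entries, response) {
  const values = response.data.data;
  const out = {};
  for (const e of entries) {
    if (!Object.prototype.hasOwnProperty.call(values, e.key)) {
      throw new Error(`no key ${e.key} at ${e.path}`);
    }
    out[e.envName] = values[e.key];
  }
  return out;
}
```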