hashicorp/vault-action

[BUG] The Vault action fails if the secret key contains a dot when using wildcards

hazerlin-houzz opened this issue · 4 comments

hazerlin-houzz commented

Vault server version

v1.8.2 enterprise

vault-action version

v2

Describe the bug

The Vault Action fails if any secret key contains a dot when using wildcards
Example: addvertise_link.json

To Reproduce

Fetch all secrets in certain folder

- name: Get Secrets from Vault
        uses: hashicorp/vault-action@v2
        id: import-secrets
        with:
          url: "https://vault...."
          method: kubernetes
          role: role
          path: path
          kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
          tlsSkipVerify: false
          secrets: |
            folder/data/key1/key2/key3/key4 * | CONFIG_;

But if there is a secret include dot when using wildcards, such as addvertise_link.json. The workflow will fail.

Error message
Error: Unable to retrieve result for data.data."*". No match data was found. Double check your Key or Selector.

Expected behavior

Get all secrets in specific folder

hazerlin-houzz commented

Similar with this error #504, but with wildcard.

fairclothjm commented

Thanks for reporting @hazerlin-houzz ! You can test my fix by pulling in my branch

- name: Get Secrets from Vault
        uses: hashicorp/vault-action@589f91e020c12fa0bb052a7c83b31ef6c60c027d
        ...

But please be aware that this will bump your action to v3. I see you are currently on v2.

hazerlin-houzz commented

@fairclothjm thanks for quick response. After I tested with my case, but still got the following error.

Run hashicorp/vault-action@VAULT-26014/wildcard-for-dot-fields-fix
node:internal/modules/cjs/loader:1048
  const err = new Error(message);
              ^

Error: Cannot find module 'jsonata'
Require stack:
- /home/runner/_work/_actions/hashicorp/vault-action/VAULT-26014/wildcard-for-dot-fields-fix/dist/index.js
    at Module._resolveFilename (node:internal/modules/cjs/loader:1048:15)
    at Module._load (node:internal/modules/cjs/loader:901:27)
    at Module.require (node:internal/modules/cjs/loader:1115:19)
    at require (node:internal/modules/helpers:130:18)
    at file:///home/runner/_work/_actions/hashicorp/vault-action/VAULT-26014/wildcard-for-dot-fields-fix/dist/index.js:1[42](https://github.com/Houzz/c2/actions/runs/8682786252/job/23807820689#step:2:43)70:17
    at file:///home/runner/_work/_actions/hashicorp/vault-action/VAULT-26014/wildcard-for-dot-fields-fix/dist/index.js:1[46](https://github.com/Houzz/c2/actions/runs/8682786252/job/23807820689#step:2:47)82:3
    at ModuleJob.run (node:internal/modules/esm/module_job:217:25)
    at async ModuleLoader.import (node:internal/modules/esm/loader:316:24)
    at async loadESM (node:internal/process/esm_loader:34:7)
    at async handleMainPromise (node:internal/modules/run_main:66:12) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/home/runner/_work/_actions/hashicorp/vault-action/VAULT-26014/wildcard-for-dot-fields-fix/dist/index.js'
  ]
}

Node.js v20.8.1

the key value in my test case is
key:
key.json
value:
{ "test": { "key1": "123" }, "test2": { "key2": "456" } }

fairclothjm commented

@hazerlin-houzz Thanks for reporting that error. That was related to a different change we made. It should be fixed now. You can try again using the main branch as your ref since both fixes are merged now. Thanks!

  • 👍1