hashicorp/vault-action

[FEAT] Add Option: `ignoreKeyNotFound`

Opened this issue · 3 comments

xsfa commented

The Problem

When programmatically passing in vault keys, if the key does not exist I would like the option for the resulting value to be a null or default value.

Proposed Solution

- name: Import Secrets
  uses: actions/vault-action@v3.0.0
  with:
    url: ${{ env.url }}
    method: approle
    roleId: ${{ env.role_id }}
    secretId: ${{ env.secret_id }}
    caCertificate: ${{ secrets.vault_ca_cert }}
    ignoreKeyNotFound: true # ***
    defaultValue: null # *** or 'string', defaults to null
    secrets: |
      ${{ env.secret_path }} credentials.${{ env.PREFIX }}.username | username ;
      ${{ env.secret_path }} credentials.${{ env.PREFIX }}.password | password ;

Explored Alternatives

  • Setting a default value to all possible keys IN VAULT
  • Conditionally calling vault-action

Both approaches are messy/hacky and not scalable.

xsfa commented

I looked through the code and have an idea of how to implement this; I will try to open a PR in the coming days.

fairclothjm commented

@xsfa Are you aware of the ignoreNotFound option? Does this solve the issue for you?

xsfa commented

> @xsfa Are you aware of the ignoreNotFound option? Does this solve the issue for you?

@fairclothjm I tried it. I believe this option only handles cases where the secret is not found, not when a key within the secret is not found.
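
The distinction drawn in the last comment, as an added example that is not vault-action's code: a missing secret and a missing key inside an existing secret are separate failures, and only the first is covered by `ignoreNotFound`. The resolver, the in-memory `STORE`, the dotted-path lookup and the `defaulted` list are assumptions made for illustration; `ignoreKeyNotFound` and `defaultValue` are the inputs proposed in this issue, not existing options.

```javascript
// Constructed stand-in for Vault: secret path -> secret data (no network calls).
const STORE = {
  'secret/data/app': { credentials: { dev: { username: 'svc-dev' } } },
};

class SecretNotFound extends Error {}
class KeyNotFound extends Error {}

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Parse the `secrets` input format used above: "<path> <selector> | <output> ;"
function parseRequests(input) {
  return input.split(';').map((s) => s.trim()).filter(Boolean).map((entry) => {
    const [left, output] = entry.split('|').map((s) => s.trim());
    const [path, selector] = left.split(/\s+/);
    return { path, selector, output: output || selector }; // fallback name is an assumption
  });
}

// Hypothetical resolver. opts mirrors the existing ignoreNotFound input and the
// proposed ignoreKeyNotFound / defaultValue inputs.
function resolveSecrets(input, opts = {}, store = STORE) {
  const { ignoreNotFound = false, ignoreKeyNotFound = false, defaultValue = null } = opts;
  const values = {};
  const defaulted = []; // outputs that fell back, so the workflow can log them
  for (const { path, selector, output } of parseRequests(input)) {
    if (!has(store, path)) {
      // The whole secret is absent: only ignoreNotFound covers this case.
      if (ignoreNotFound) continue;
      throw new SecretNotFound(`secret not found: ${path}`);
    }
    // Walk the dotted selector using own-property checks only.
    let node = store[path];
    let found = true;
    for (const part of selector.split('.')) {
      if (node !== null && typeof node === 'object' && has(node, part)) {
        node = node[part];
      } else { found = false; break; }
    }
    if (found) { values[output] = node; continue; }
    // The secret exists but the key inside it does not.
    if (!ignoreKeyNotFound) throw new KeyNotFound(`key not found: ${selector} in ${path}`);
    values[output] = defaultValue;
    defaulted.push(output);
  }
  return { values, defaulted };
}
```

Returning `defaulted` alongside the values lets a later step tell a deliberately absent credential from one that resolved.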