[BUG] Authentication fails with namespace
Closed this issue · 3 comments
Vault server version
v1.16.2
vault-action version
v3.0.0
Describe the bug
Error on authentication with namespace input.
Our Vault server uses namespaces. Authentication to our server should always go to the root namespace. In our case we are using approle authentication. Once authenticated the secret can be retrieved from one of the available namespaces. Without namespace input authentication is successful, but the retrieval fails. With namespace input the authentication fails and prevents retrieval.
To Reproduce
uses: hashicorp/vault-action@v3
with:
  url: https://my-vault-server:8200
  method: approle
  roleId: aaa-bbb-ccc-ddd
  secretId: qqq-www-eee-rrr
  namespace: my-env
  secrets: |
    secret/data/app app_id | app_id
Expected behavior
Namespace for authentication can be different from the namespace for the secret retrieval
Log Output
Run hashicorp/vault-action@v3
with:
url: https://my-vault-server:8200/
method: approle
roleId: ***
secretId: ***
namespace: my-env
secrets: secret/data/app app_id | app_id
kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
exportEnv: true
exportToken: false
outputToken: false
tlsSkipVerify: false
jwtTtl: 3600
ignoreNotFound: false
::group::Get Vault Secrets
Get Vault Secrets
##[debug]Retrieving Vault Token from v1/auth/approle/login endpoint
::endgroup::
Error: failed to retrieve vault token. code: ERR_NON_2XX_3XX_RESPONSE, message: Response code 403 (Forbidden), vaultResponse: {"errors":["permission denied"]}
##[debug]Node Action run completed with exit code 1
##[debug]Set output errorMessage = failed to retrieve vault token. code: ERR_NON_2XX_3XX_RESPONSE, message: Response code 403 (Forbidden), vaultResponse: {"errors":["permission denied"]}
##[debug]Finishing: Import Secrets
@skulbeda-clgx Hello, I am sorry you are having trouble. Have you tried adding the namespace to the path, for example <NAMESPACE>/secret/data/app?
uses: hashicorp/vault-action@v3
with:
  url: https://my-vault-server:8200
  method: approle
  roleId: aaa-bbb-ccc-ddd
  secretId: qqq-www-eee-rrr
  namespace: my-env
  secrets: |
    namespace-1/secret/data/app app_id | app_id
@fairclothjm thanks for the suggested workaround. It allows me to retrieve the secret from the namespace.
It would help to update the docs with this example.
@skulbeda-clgx Happy to help! Have opened a PR to update the README
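
The namespace resolution discussed in this thread, as an added example that is not part of the issue or of vault-action's code: Vault takes the target namespace from the `X-Vault-Namespace` header, from a prefix on the API path, or from both combined. The function names are hypothetical, and the sketch assumes the action's `namespace` input is sent as that header on both the login and the read, as the reported behaviour suggests.

```javascript
// Added example (hypothetical helpers): plan the two HTTP calls of an AppRole
// flow and show which namespace Vault resolves each one in. Nothing is sent.

// Treat "my-env", "/my-env" and "my-env/" alike; empty means root.
function normalize(p) {
  return (p || '').split('/').filter(Boolean).join('/');
}

// headerNamespace -> X-Vault-Namespace header; pathNamespace -> path prefix.
// Vault resolves the mount in headerNamespace + "/" + pathNamespace.
function buildRequest(baseUrl, { headerNamespace, pathNamespace, path }) {
  const hdr = normalize(headerNamespace);
  const prefix = normalize(pathNamespace);
  const apiPath = [prefix, normalize(path)].filter(Boolean).join('/');
  const headers = {};
  if (hdr) headers['X-Vault-Namespace'] = hdr;
  return {
    url: `${baseUrl.replace(/\/+$/, '')}/v1/${apiPath}`,
    headers,
    effectiveNamespace: [hdr, prefix].filter(Boolean).join('/') || 'root',
  };
}

// Assumption: the namespace input applies to both requests.
function planAppRoleFlow(baseUrl, { inputNamespace, secretNamespace, secretPath }) {
  return {
    login: buildRequest(baseUrl, {
      headerNamespace: inputNamespace,
      path: 'auth/approle/login',
    }),
    read: buildRequest(baseUrl, {
      headerNamespace: inputNamespace,
      pathNamespace: secretNamespace,
      path: secretPath,
    }),
  };
}

const base = 'https://my-vault-server:8200/';
// Reported setup: namespace input set, so the login leaves the root namespace.
const reported = planAppRoleFlow(base, { inputNamespace: 'my-env', secretPath: 'secret/data/app' });
// Desired setup: no namespace input, namespace carried as a path prefix instead.
const desired = planAppRoleFlow(base, { secretNamespace: 'my-env', secretPath: 'secret/data/app' });

for (const [name, plan] of Object.entries({ reported, desired })) {
  console.log(name, 'login ->', plan.login.effectiveNamespace, '| read ->', plan.read.effectiveNamespace);
}
```
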