Vault set should make additional checks for templates
ThomasEcuer opened this issue · 3 comments
Hello
Just found it the hard way:
A template containing invalid jinja is saved, thus breaking most vault-cli usages
```
$ vault set django/TOTO_TEST value='!template!username={{ vault(\"quotes_issues\").username }}'
$ vault env --path my=path -- env
[...]
jinja2.exceptions.TemplateSyntaxError: unexpected char '\\' at 18
# no var are injected
$ vault get-all
[...]
jinja2.exceptions.TemplateSyntaxError: unexpected char '\\' at 18
```
Same with templates containing invalid references:
```
$ vault set django/TOTO_TEST value='!template!username={{ vault("wont/find/me").username }}'
$ vault env --path my=path -- env
[...]
Error: VaultRenderTemplateError: Error while rendering template: 'wont/find/me' not found
$ vault get-all
# no traceback nor vars
Error: VaultRenderTemplateError: Error while rendering template: 'wont/find/me' not found
```
Should we evaluate templates before saving them into vault (and catch these kinds of errors early)?
Or should vault-cli not fail in those cases?
I'm ok with preventing creation unless the template actually works or a flag is passed. Well at least preventing creation if there's a SyntaxError.
Also, I'm not sure whether vault env should fail or not when it cannot find a secret. Errors should never pass silently, and I'm wondering in which case we would want an error in loading env vars for the app to be dismissed.
- If the template has a syntax error, `vault-cli set` should not allow its creation (we could make an escape hatch but I'm not sure we'll need it)
- If the template references secrets that cannot be read at writing time AND `--verify-template` is passed to `set`, `vault-cli set` should not allow its creation.
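A pre-save check along the lines proposed in the two comments above, written as an added example rather than vault-cli's own code (the project later removed templated values entirely). It assumes the `!template!` prefix and the `vault(path)` helper shown in the issue, and takes a caller-supplied set of readable paths in place of a live Vault lookup.

```python
"""Validate a '!template!' value before `vault set` stores it (constructed example)."""
import jinja2
from jinja2 import nodes

TEMPLATE_PREFIX = "!template!"  # prefix used in the issue; assumed


class TemplateValidationError(Exception):
    """Raised when a template value must not be written to Vault."""


def _referenced_paths(env, source):
    """Return the literal paths passed to vault("...") calls in the template AST.

    env.parse() raises jinja2.TemplateSyntaxError on invalid Jinja, which is the
    first failure mode reported in the issue (unexpected char '\\\\' at 18).
    """
    ast = env.parse(source)
    refs = []
    for call in ast.find_all(nodes.Call):
        if isinstance(call.node, nodes.Name) and call.node.name == "vault":
            for arg in call.args:
                if isinstance(arg, nodes.Const) and isinstance(arg.value, str):
                    refs.append(arg.value)
    return refs


def validate_template_value(value, readable_paths, verify_references=False):
    """Decide whether `value` may be stored.

    - Plain (non-template) values are always accepted and reference nothing.
    - A syntax error always rejects (no escape hatch, as the comment suggests).
    - With verify_references=True (the proposed --verify-template flag), a
      reference to a path outside `readable_paths` also rejects, catching the
      'wont/find/me' case at write time instead of at `vault env` time.
    Returns the list of referenced secret paths on success.
    """
    if not value.startswith(TEMPLATE_PREFIX):
        return []
    source = value[len(TEMPLATE_PREFIX):]
    env = jinja2.Environment()
    try:
        refs = _referenced_paths(env, source)
    except jinja2.TemplateSyntaxError as exc:
        raise TemplateValidationError(f"invalid template syntax: {exc}") from exc
    if verify_references:
        missing = [r for r in refs if r not in readable_paths]
        if missing:
            raise TemplateValidationError(f"unreadable secret references: {missing}")
    return refs
```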
Templated values have been removed from vault-cli.