peopledoc/vault-cli

Vault set should make additional checks for templates

ThomasEcuer opened this issue · 3 comments

Hello 👋

Just found it the hard way:
A template containing invalid jinja is saved, thus breaking most vault-cli usages

vault set django/TOTO_TEST value='!template!username={{ vault(\"quotes_issues\").username }}'

$ vault env --path my=path -- env
[...]
jinja2.exceptions.TemplateSyntaxError: unexpected char '\\' at 18
# no var are injected
$ vault get-all

[...]
jinja2.exceptions.TemplateSyntaxError: unexpected char '\\' at 18

same with templates containing invalid references

$ vault set django/TOTO_TEST value='!template!username={{ vault("wont/find/me").username }}'
$ vault env --path my=path -- env
[...]
Error: VaultRenderTemplateError: Error while rendering template: 'wont/find/me' not found

$ vault get-all
# no traceback nor vars
Error: VaultRenderTemplateError: Error while rendering template: 'wont/find/me' not found

Should we evaluate templates before saving them into vault (and catch these kinds of errors early)?
or should vault-cli not fail in those cases?

I'm ok with preventing creation unless the template actually works or a flag is passed. Well at least preventing creation if there's a SyntaxError.
Also, I'm not sure whether vault env should fail or not when it cannot find a secret. Errors should never pass silently, and I'm wondering in which case we would want an error in loading env vars for the app be dismissed.

  • If the template has a syntax error, vault-cli set should not allow its creation (we could make an escape hatch but I'm not sure we'll need it)
  • If the template references secrets that cannot be read at writing time AND --verify-template is passed to set, vault-cli set should not allow its creation.
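
The two checks proposed above (always reject a template with a Jinja syntax error; reject one whose referenced secrets cannot be read only when `--verify-template` is passed), written out as an added example that is not vault-cli's own code. It calls jinja2 directly, the `secrets` dict is constructed sample data standing in for reads from the vault, and the `vault()` callable is an assumed stand-in for the helper the issue's templates use; `TemplateValidationError`, `validate_template` and `rejection_reason` are names chosen here. The first sample value is the backslash-escaped template from the issue, which fails at the same position (`unexpected char '\\' at 18`) before anything is stored.

```python
"""Pre-write validation for '!template!' values (added example, not vault-cli code)."""
import jinja2

TEMPLATE_PREFIX = "!template!"


class TemplateValidationError(ValueError):
    """Raised when a value must not be written to the vault (hypothetical name)."""


def validate_template(value, secrets=None, verify_references=False):
    """Check a value the way a stricter `vault set` would, before storing it.

    - Plain (non-template) values are returned unchanged.
    - A '!template!' value with broken Jinja syntax always raises.
    - With verify_references=True (the proposed --verify-template flag), the
      template is also rendered against `secrets`, a dict of path -> dict of
      keys standing in for vault reads, and any unresolvable reference raises.
    Returns the rendered text when references were verified, else the value.
    """
    if not value.startswith(TEMPLATE_PREFIX):
        return value
    source = value[len(TEMPLATE_PREFIX):]
    # StrictUndefined makes a missing key (e.g. `.username` on a secret that
    # has no such key) an error instead of silently rendering as ''.
    env = jinja2.Environment(undefined=jinja2.StrictUndefined)
    try:
        env.parse(source)  # lex + parse only; nothing is rendered yet
    except jinja2.TemplateSyntaxError as exc:
        raise TemplateValidationError(
            f"refusing to store template with syntax error: {exc}") from exc
    if not verify_references:
        return value
    secrets = secrets or {}

    def vault(path):
        # Stand-in for the vault() lookup available inside templates.
        try:
            return secrets[path]
        except KeyError:
            raise TemplateValidationError(
                f"template references '{path}', which cannot be read") from None

    try:
        return env.from_string(source).render(vault=vault)
    except jinja2.UndefinedError as exc:
        raise TemplateValidationError(
            f"unresolved reference in template: {exc}") from exc


def rejection_reason(value, secrets=None, verify_references=False):
    """Return the message `vault set` would print on refusal, or None if accepted."""
    try:
        validate_template(value, secrets, verify_references)
    except TemplateValidationError as exc:
        return str(exc)
    return None


# Constructed sample data for the demonstration (not real secrets).
SAMPLE_SECRETS = {"quotes_issues": {"username": "alice"}}

# The exact value from the issue: the shell-escaped quotes leave literal
# backslashes in the template, which Jinja rejects at offset 18.
BROKEN_SYNTAX = '!template!username={{ vault(\\"quotes_issues\\").username }}'
MISSING_SECRET = '!template!username={{ vault("wont/find/me").username }}'
MISSING_KEY = '!template!pw={{ vault("quotes_issues").password }}'
VALID = '!template!username={{ vault("quotes_issues").username }}'

if __name__ == "__main__":
    for label, value, verify in [
        ("broken syntax, no flag", BROKEN_SYNTAX, False),
        ("missing secret, no flag", MISSING_SECRET, False),
        ("missing secret, --verify-template", MISSING_SECRET, True),
        ("missing key, --verify-template", MISSING_KEY, True),
        ("valid, --verify-template", VALID, True),
    ]:
        reason = rejection_reason(value, SAMPLE_SECRETS, verify)
        print(f"{label}: {'rejected: ' + reason if reason else 'accepted'}")
```

The asymmetry mirrors the proposal: a syntax error is rejected unconditionally because no later read can succeed, while an unreadable reference is only an error under the flag, since the writer may legitimately lack read access to (or be writing ahead of) the secret the template points at.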

Templated values have been removed from vault-cli.