Vault CLI: -mount doesn't prepend the specified mount point to a secret name #16639

Closed
vpedosyuk opened this issue Aug 9, 2022 · 6 comments · Fixed by #17679
Labels: bug, docs, secret/kv

Comments

@vpedosyuk

Describe the bug
According to the vault kv put usage docs, when a mount point is specified in -mount the next argument will be interpreted as a secret path. However, it doesn't work for me when the kv mount path is /teams/test/secret instead of the default /secret.

My expectation was that the following commands would work out of the box but they didn't:

$ vault secrets enable -path=/teams/test/secret -version=2 kv
Success! Enabled the kv secrets engine at: /teams/test/secret/

$ vault kv put -mount=teams/test/secret my-secret passcode=my-long-passcode
Error writing data to secret/data/my-secret: Error making API request.

URL: PUT https://<redacted>/v1/secret/data/my-secret
Code: 404. Errors:

* no handler for route "secret/data/my-secret". route entry not found.

After some time playing with mount points, ACLs, and whatnot I tried the following command:

$ vault kv put -mount=teams/test/secret teams/test/secret/my-secret passcode=my-long-passcode
================ Secret Path ================
teams/test/secret/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-08-09T09:38:29.697165567Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

And I realized that the Vault CLI seems to be generating an incorrect URL https://<redacted>/v1/secret/data/my-secret instead of https://<redacted>/v1/teams/test/secret/data/my-secret, but it works fine if the secret path is absolute.

Environment:

  • Vault Server Version (retrieve with vault status):
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.11.1
Build Date               2022-07-19T20:16:47Z
Storage Type             raft
Cluster Name             vault-cluster-1bda9549
Cluster ID               6e3df734-d997-0c5e-882f-053548968097
HA Enabled               true
HA Cluster               https://vault-0:8201
HA Mode                  standby
Active Node Address      https://<redacted>
Raft Committed Index     1272
Raft Applied Index       1272
  • Vault CLI Version (retrieve with vault version):
Vault v1.11.2 ('3a8aa12eba357ed2de3192b15c99c717afdeb2b5+CHANGES'), built 2022-07-29T09:48:47Z
  • Server Operating System/Architecture: Kubernetes (GKE)
hsimon-hashicorp added the docs, bug and secret/kv labels on Aug 9, 2022
aphorise (Contributor) commented Sep 5, 2022

It seems that -mount='first/second/last' only takes the last portion of the path, whereas a single word like kv / kv2 works fine.

Hey @vpedosyuk - any reason why you don't want to do away with -mount altogether and opt instead to provide the complete path like:

vault kv put teams/test/secret/my-secret passcode=my-long-passcode

jdgoins (Contributor) commented Sep 27, 2022

I just experienced this bug myself which had me scratching my head for a while. People may be gravitating toward -mount because it's a recommended practice in the kv-v2 documentation.

vpedosyuk (Author) commented
@aphorise yes, the complete path works well thanks. But I agree with @jdgoins and I'd keep considering this a bug because -mount seems to be a more natural way to describe a custom mount point.

aphorise (Contributor) commented
ccapurso (Contributor) commented Nov 1, 2022

@aphorise, thank you for linking the related issue and PR. The proposed logic does in fact fix this issue:

❯ vault secrets enable -path=/teams/test/secret -version=2 kv
Success! Enabled the kv secrets engine at: /teams/test/secret/

❯ vault kv put -mount=teams/test/secret my-secret passcode=my-long-passcode
========== Secret Path ==========
teams/test/secret/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-11-01T13:51:49.936712Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

❯ vault kv get -mount=teams/test/secret my-secret
========== Secret Path ==========
teams/test/secret/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-11-01T13:51:49.936712Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

====== Data ======
Key         Value
---         -----
passcode    my-long-passcode
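To make the symptom concrete for anyone auditing their own KV paths, here is an added example (my own simplified model, not Vault's source or the code from #17679) of a prefix heuristic that reproduces both observations in the report: it searches for the mount inside the secret path and, when it is not there, keeps dropping leading mount segments until only the last one survives, so a relative path under -mount=teams/test/secret lands on secret/data/my-secret. The 404 was harmless only because nothing was mounted at secret/; had a mount existed there, the write would have silently succeeded under a different policy scope, which is why the fixed behaviour always joins the relative path under the full mount.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// sanitize trims the leading and trailing slashes the CLI accepts in
// both -mount=/teams/test/secret and -path=/teams/test/secret.
func sanitize(p string) string { return strings.Trim(p, "/") }

// legacyPrefix models the reported behaviour (a reconstruction for this
// example, not Vault's implementation): if the secret path already starts
// with the mount, the remainder is used as-is; otherwise leading mount
// segments are dropped one at a time until only the last segment is left.
func legacyPrefix(secretPath, mountPath, apiPrefix string) string {
	mountPath = sanitize(mountPath)
	secretPath = sanitize(secretPath)
	rest := strings.TrimPrefix(secretPath, mountPath+"/")
	for rest == secretPath {
		parts := strings.SplitN(mountPath, "/", 2)
		if len(parts) < 2 {
			break // only "secret" remains: the wrong mount
		}
		mountPath = parts[1]
		rest = strings.TrimPrefix(secretPath, mountPath+"/")
	}
	return path.Join(mountPath, apiPrefix, rest)
}

// fixedPrefix is the behaviour the kv docs describe: with -mount given,
// the argument is relative to that mount and is always joined under it.
func fixedPrefix(secretPath, mountPath, apiPrefix string) string {
	return path.Join(sanitize(mountPath), apiPrefix, sanitize(secretPath))
}

func main() {
	mount := "teams/test/secret" // the mount from the report
	fmt.Println(legacyPrefix("my-secret", mount, "data"))                   // secret/data/my-secret (the 404)
	fmt.Println(legacyPrefix("teams/test/secret/my-secret", mount, "data")) // teams/test/secret/data/my-secret
	fmt.Println(fixedPrefix("my-secret", mount, "data"))                    // teams/test/secret/data/my-secret
}
```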

ccapurso (Contributor) commented Nov 1, 2022

This has been fixed and backported to the 1.11 and 1.12 release branches. The fix will be available in versions 1.11.6 and 1.12.2.
