[BUG] Authentication fails with namespace #559

Closed
skulbeda-clgx opened this issue Jul 25, 2024 · 3 comments · Fixed by #562
Labels
bug Something isn't working

Comments

@skulbeda-clgx

Vault server version

v1.16.2

vault-action version

v3.0.0

Describe the bug

Error on authentication with namespace input.
Our Vault server uses namespaces. Authentication to our server should always go to the root namespace. In our case we are using approle authentication. Once authenticated, the secret can be retrieved from one of the available namespaces. Without the namespace input, authentication is successful, but the retrieval fails. With the namespace input, the authentication fails and prevents retrieval.

To Reproduce

      uses: hashicorp/vault-action@v3
      with:
        url: https://my-vault-server:8200
        method: approle
        roleId: aaa-bbb-ccc-ddd
        secretId: qqq-www-eee-rrr
        namespace: my-env
        secrets: |
          secret/data/app app_id | app_id

Expected behavior

Namespace for authentication can be different from the namespace for the secret retrieval.

Log Output

Run hashicorp/vault-action@v3
  with:
    url: https://my-vault-server:8200/
    method: approle
    roleId: ***
    secretId: ***
    namespace: my-env
    secrets: secret/data/app app_id | app_id
    kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
    exportEnv: true
    exportToken: false
    outputToken: false
    tlsSkipVerify: false
    jwtTtl: 3600
    ignoreNotFound: false
::group::Get Vault Secrets
Get Vault Secrets
  ##[debug]Retrieving Vault Token from v1/auth/approle/login endpoint
  ::endgroup::
Error: failed to retrieve vault token. code: ERR_NON_2XX_3XX_RESPONSE, message: Response code 403 (Forbidden), vaultResponse: {"errors":["permission denied"]}
##[debug]Node Action run completed with exit code 1
##[debug]Set output errorMessage = failed to retrieve vault token. code: ERR_NON_2XX_3XX_RESPONSE, message: Response code 403 (Forbidden), vaultResponse: {"errors":["permission denied"]}
##[debug]Finishing: Import Secrets
@skulbeda-clgx skulbeda-clgx added the bug Something isn't working label Jul 25, 2024
@fairclothjm
Contributor

@skulbeda-clgx Hello, I am sorry you are having trouble. Have you tried adding the namespace to the path, for example <NAMESPACE>/secret/data/app?

uses: hashicorp/vault-action@v3
with:
  url: https://my-vault-server:8200
  method: approle
  roleId: aaa-bbb-ccc-ddd
  secretId: qqq-www-eee-rrr
  namespace: my-env
  secrets: |
    namespace-1/secret/data/app app_id | app_id

@skulbeda-clgx
Author

@fairclothjm thanks for the suggested workaround. It allows me to retrieve the secret from the namespace.

It would help to update the docs with this example.

@fairclothjm
Contributor

@skulbeda-clgx Happy to help! Have opened a PR to update the README
