Autodesk / aomi

Provide secrets to build and release pipelines in a self service way using Hashicorp Vault.
https://autodesk.github.io/aomi/
MIT License

"absent" AppRole fails without "policies" field #134

Open skovorodkin opened 7 years ago

skovorodkin commented 7 years ago

aomi requires AppRole's policies to be defined even if its state is absent:

approles:
  - name: app
    # policies: [app]
    state: absent

Error:

$ docker run -e VAULT_ADDR=$VAULT_ADDR -v $(pwd)/aomi:/aomi -v $(pwd)/.vault-token:/.vault-token autodesk/aomi:1.6.1 diff --secretfile /aomi/Secretfile --policies /aomi/policies --verbose
Connecting to http://10.0.0.1:8200
Token derived from /.vault-token
Unexpected error: exceptions.KeyError
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/cli.py", line 439, in main
    action_runner(parser, args)
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/cli.py", line 414, in action_runner
    aomi.seed_action.diff(client.connect(args), args)
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/seed_action.py", line 117, in diff
    ctx = Context.load(get_secretfile(opt), opt) \
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/model/context.py", line 124, in load
    ctx.add(mod(resource, opt))
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/model/auth.py", line 185, in __init__
    'policies': ','.join(obj['policies'])
KeyError: 'policies'

The error happens in AppRole.__init__. I'm not sure what the correct way to fix it is (if it has to be fixed at all), but it seems like Policy.__init__ had the same issue and now it inits other fields only if self.present. Perhaps the same could be done in AppRole.__init__ right before role_obj is created.
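As an added illustration of the guard proposed above (example code, not aomi's own): a hypothetical, stripped-down AppRole resource that reads `policies` only when the role is present, beside the unguarded version that reproduces the KeyError. The default state of `present`, the `plan()` wording and the `build_role_buggy` helper are assumptions made for this example.

```python
# Added example, not aomi's code. Field names (name, policies, state)
# follow the Secretfile snippet in the issue; everything else is a
# hypothetical model of how a resource constructor could be guarded.


def build_role_buggy(obj):
    """Reproduces the failure: joins 'policies' even when state is absent."""
    return {
        'name': obj['name'],
        'policies': ','.join(obj['policies']),  # KeyError when the key is omitted
    }


def buggy_fails_on(obj):
    """True when the unguarded constructor raises KeyError for this entry."""
    try:
        build_role_buggy(obj)
    except KeyError:
        return True
    return False


class AppRole(object):
    """Hypothetical resource: only touch policy fields when the role is present."""

    def __init__(self, obj):
        self.app_name = obj['name']
        self.path = 'auth/approle/role/%s' % self.app_name
        # Assumption: a missing 'state' key means the role should exist
        self.present = obj.get('state', 'present') == 'present'
        self.role_obj = None
        if self.present:
            # Only a role that will actually be written needs its policies;
            # for that case a missing list is still a configuration error,
            # so the KeyError is left to surface deliberately.
            self.role_obj = {'policies': ','.join(obj['policies'])}

    def plan(self):
        """Describe what a sync would do, in the spirit of `aomi diff`."""
        if self.present:
            return 'write %s policies=%s' % (self.path, self.role_obj['policies'])
        return 'delete %s' % self.path


def load_approles(entries):
    """Build resources from the list under the Secretfile 'approles' key."""
    return [AppRole(e) for e in entries]
```

With the guard, an entry carrying only `name` and `state: absent` loads cleanly and plans a delete, so revoking a role never depends on restating the policies it is about to lose.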

skovorodkin commented 7 years ago

Hm... aomi is not able to delete AppRole until https://github.com/ianunruh/hvac/pull/112 is merged:

$ docker run -e VAULT_ADDR=$VAULT_ADDR -v $(pwd)/aomi:/aomi -v $(pwd)/.vault-token:/.vault-token autodesk/aomi:1.6.1 seed --secretfile /aomi/Secretfile --policies /aomi/policies --verbose
Connecting to http://10.0.0.1:8200
Token derived from /.vault-token
approle backend already mounted on approle
generic backend already mounted on secret
Updating data in AppRole auth/approle/role/gitlab
Removing data from AppRole auth/approle/role/go-app-in-docker
Unexpected error: exceptions.AttributeError
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/cli.py", line 439, in main
    action_runner(parser, args)
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/cli.py", line 405, in action_runner
    aomi.seed_action.seed(client.connect(args), args)
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/seed_action.py", line 38, in seed
    .sync(vault_client, opt)
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/model/context.py", line 230, in sync
    resource.sync(vault_client)
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/model/resource.py", line 196, in sync
    self.delete(vault_client)
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/vault.py", line 79, in func_wrapper
    return func(self, vault_client)
  File "/usr/local/lib/python2.7/site-packages/aomi-1.6.1-py2.7.egg/aomi/model/auth.py", line 229, in delete
    client.delete_role(self.app_name)
AttributeError: 'Client' object has no attribute 'delete_role'

It looks like the hvac project is not maintained anymore: https://github.com/ianunruh/hvac/pull/124.

otakup0pe commented 7 years ago

Yeah I've been afraid I might have to start maintaining a fork, or just use "raw" access to Vault (i.e. not mediated by another API).

otakup0pe commented 7 years ago

Oh this is definitely a bug. TY.

otakup0pe commented 7 years ago

Hmm. Looks like I'm a maintainer of the hvac repo now. I'll probably spend a bit getting that all merged and cleaned up and then look into getting some of its functionality back into aomi.