JetBrains / teamcity-hashicorp-vault-plugin

TeamCity plugin to support HashiCorp Vault
Apache License 2.0

Plugin cannot connect to Vault #14

Closed ghost closed 6 years ago

ghost commented 6 years ago

Hey,

I cannot make this plugin connect to Vault.

Pressing "Test Connection" prompts an error that the client token is missing.

Running a build gives the same output.

Failed to fetch HashiCorp Vault wrapped token: Cannot log in to HashiCorp Vault using AppRole credentials: missing client token: org.jetbrains.teamcity.vault.server.VaultConnector$ConnectionException: Cannot log in to HashiCorp Vault using AppRole credentials: missing client token, see teamcity-server.log for details

Doing an API call: curl --request POST --data @approle-login.json https://my_vault_address:8200/v1/auth/approle/login

I am able to log in with the following JSON:

{
    "role_id": "bc616551-27e4-c747-6817-0b57efc6c5b3",
    "secret_id": "db69f043-7588-95d0-ca1e-3eae912b057b"
}

I get the following reply in JSON:

{
    "request_id": "e19a51ec-c06a-394e-5c3e-e9c2390a6d25",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": null,
    "wrap_info": null,
    "warnings": null,
    "auth": {
        "client_token": "734c0d87-491f-07cb-c1e7-03adea9491fd",
        "accessor": "6fb6d92f-e6dc-05f2-3794-512b5b7add9e",
        "policies": [
            "policy_1",
            "default",
            "policy_2"
        ],
        "token_policies": [
            "policy_1",
            "default",
            "policy_2"
        ],
        "metadata": {
            "app": "teamcity",
            "role_name": "teamcity"
        },
        "lease_duration": 600,
        "renewable": true,
        "entity_id": "3d5eed9e-4f23-ebc5-4366-6ad3fcbad804"
    }
}

VladRassokhin commented 6 years ago

Which versions of Vault and TeamCity plugin do you use?

ghost commented 6 years ago

Hello, Vault 0.10.4, plugin version 0.1.60

ghost commented 6 years ago

I've looked through your code and found the issue, I think documentation could be updated. Anyway, thanks for your time!

VladRassokhin commented 6 years ago

What was the issue? And what should be updated in docs?

ghost commented 6 years ago

AppRole auth endpoint path: I thought it's an approle name because of the wording "endpoint", but it's not. It's just a var in the URI auth/$this_var/login. A line of code from VaultConnector.kt:

 val uri = template.uriTemplateHandler.expand("auth/{mount}/login", options.path)

This is useless and confusing, because it is created when you initiate vault auth enable approle. Like, I've added my approle name teamcity and the actual login URI was http://vault:8200/v1/auth/teamcity/login.

And the documentation doesn't even have this input field in here: https://blog.jetbrains.com/teamcity/2017/09/vault/
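To make the mount-path point above concrete, here is an added example (not code from the plugin) that builds the AppRole login URL the same way the quoted "auth/{mount}/login" template does, keeps the role in the POST body, and inspects a login reply for the auth.client_token the plugin complains about when it is absent. The sample replies are constructed from the ones quoted in this thread; the error body is a constructed approximation of Vault's "errors" shape.

```python
import json
from typing import Optional
from urllib.parse import quote

# Constructed sample: the successful login reply quoted earlier in the thread (abridged).
LOGIN_OK = json.dumps({
    "request_id": "e19a51ec-c06a-394e-5c3e-e9c2390a6d25",
    "auth": {
        "client_token": "734c0d87-491f-07cb-c1e7-03adea9491fd",
        "policies": ["policy_1", "default", "policy_2"],
        "metadata": {"app": "teamcity", "role_name": "teamcity"},
        "lease_duration": 600,
        "renewable": True,
    },
})
# Constructed sample: an error body has an "errors" list and no "auth" block at all.
LOGIN_ERR = json.dumps({"errors": ["no handler for route 'auth/teamcity/login'"]})


def approle_login_url(vault_addr: str, mount_path: str = "approle") -> str:
    """Expand auth/{mount}/login like the plugin's template. mount_path is the
    auth *mount* (the -path given to `vault auth enable`), not the role name."""
    mount = quote(mount_path.strip("/"), safe="")
    return f"{vault_addr.rstrip('/')}/v1/auth/{mount}/login"


def approle_login_body(role_id: str, secret_id: str) -> dict:
    """The role is identified by the POST body, never by a URL segment."""
    return {"role_id": role_id, "secret_id": secret_id}


def extract_client_token(response_body: str) -> Optional[str]:
    """Return auth.client_token, or None when the reply carries no token
    (the condition the plugin reports as "missing client token")."""
    reply = json.loads(response_body)
    auth = reply.get("auth") or {}
    token = auth.get("client_token")
    return token if isinstance(token, str) and token else None


def describe_login_failure(response_body: str) -> str:
    """Explain why a reply yielded no token, surfacing Vault's own "errors"
    list so a mistyped mount path is easy to recognise in a log line."""
    reply = json.loads(response_body)
    errors = reply.get("errors") or []
    if errors:
        return "missing client token; Vault said: " + "; ".join(errors)
    return "missing client token; reply had no auth.client_token"
```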

ASethi93 commented 4 years ago

I have got the same issue. The JSON file looks like this when I curl https://vault:8200/v1/auth/approle/login:

{
    "request_id": "03e4549f-e780-9b79-10a9-53b152cad91f",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": null,
    "wrap_info": null,
    "warnings": null,
    "auth": {
        "client_token": "s.Q2FctID6mKkt50x6Ak31",
        "accessor": "odc6E9NtkZtdcphFBIKrq",
        "policies": [
            "default",
            "teamcity"
        ],
        "token_policies": [
            "default",
            "teamcity"
        ],
        "metadata": {
            "role_name": "teamcity"
        },
        "lease_duration": 3600,
        "renewable": true,
        "entity_id": "9cb54cf8-76b9-8cd-f0dc299bb12c",
        "token_type": "service",
        "orphan": true
    }
}