ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0

`token` must be of type str or bytes, not <class 'ansible.utils.unsafe_proxy.AnsibleUnsafeText'> #289

Closed briantist closed 2 years ago

briantist commented 2 years ago
SUMMARY

Seeing some failures in daily CI today in devel:

```
fatal: [testhost]: FAILED! => { "msg": "The conditional check 'result == {}' failed. The error was: An unhandled exception occurred while templating '{{ lookup('community.hashi_vault.vault_write', 'cubbyhole/secret1', **kwargs) }}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.vault_write'. Error was a <class 'requests.exceptions.InvalidHeader'>, original message: Header part ('hvs.CAESIDuQk-b_84grFKHxz_B9F4sosfrNY1ci5ZmsurpX1EDzGh4KHGh2cy5pbVlsQTZBNUc4dFlzZnEzVVhRUmxUd2E') from {'X-Vault-Token': 'hvs.CAESIDuQk-b_84grFKHxz_B9F4sosfrNY1ci5ZmsurpX1EDzGh4KHGh2cy5pbVlsQTZBNUc4dFlzZnEzVVhRUmxUd2E'} must be of type str or bytes, not <class 'ansible.utils.unsafe_proxy.AnsibleUnsafeText'>. Header part ('hvs.CAESIDuQk-b_84grFKHxz_B9F4sosfrNY1ci5ZmsurpX1EDzGh4KHGh2cy5pbVlsQTZBNUc4dFlzZnEzVVhRUmxUd2E') from {'X-Vault-Token': 'hvs.CAESIDuQk-b_84grFKHxz_B9F4sosfrNY1ci5ZmsurpX1EDzGh4KHGh2cy5pbVlsQTZBNUc4dFlzZnEzVVhRUmxUd2E'} must be of type str or bytes, not <class 'ansible.utils.unsafe_proxy.AnsibleUnsafeText'>" }
```

It looks like something has changed causing the result to be considered "unsafe" from various lookups.

ISSUE TYPE
COMPONENT NAME

auth_token lookup_hashi_vault lookup_vault_kv1_get lookup_vault_kv2_get lookup_vault_login lookup_vault_read lookup_vault_token_create lookup_vault_write

ANSIBLE VERSION

devel

COLLECTION VERSION

current

briantist commented 2 years ago

It appears that this is due to a change in requests unfortunately:

This probably means the token returned was always being marked as unsafe anyway, or perhaps that happened after the token changes in 1.10, but either way, requests was turning them back into regular strings.

It seems they are reluctant to change this behavior back despite it being breaking; even if it gets reverted it will probably happen again in another release.

Will have to see what we can do on our side.

briantist commented 2 years ago

The workaround I've been working on is to internally ensure that tokens are always strings when we pass them to the client. Hope to have a PR up for this soon.
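
The failure and the workaround described in this thread, as an added example that is not part of the thread and is not the collection's or requests' code. `UnsafeText`, `strict_header_check`, `to_plain_token` and `build_headers` are hypothetical names, and the token value is constructed.

```python
# Added illustration: UnsafeText and strict_header_check are stand-ins
# constructed for this example, not Ansible's or requests' own code.

class UnsafeText(str):
    """Stand-in for a str subclass that tags a value as untrusted."""


class InvalidHeader(ValueError):
    """Raised by the model check below."""


def strict_header_check(name, value):
    """Model of the check in the error above: exact str/bytes only."""
    for part in (name, value):
        if type(part) not in (str, bytes):  # subclasses fail this test
            # Report the type only; the value may be a secret.
            raise InvalidHeader(
                f"part of header {str(name)!r} must be str or bytes, "
                f"not {type(part)}"
            )
    return True


def to_plain_token(token):
    """Return the token as an exact str or bytes, dropping any subclass."""
    if type(token) in (str, bytes):
        return token
    if isinstance(token, str):
        return str.__str__(token)  # copies a subclass into an exact str
    if isinstance(token, bytes):
        return bytes(token)
    raise TypeError(f"token must be text or bytes, not {type(token).__name__}")


def build_headers(token):
    """Normalise the token once, where it is handed to the HTTP client."""
    headers = {"X-Vault-Token": to_plain_token(token)}
    for name, value in headers.items():
        strict_header_check(name, value)
    return headers


if __name__ == "__main__":
    wrapped = UnsafeText("hvs.constructed-example-token")  # constructed value
    try:
        strict_header_check("X-Vault-Token", wrapped)
    except InvalidHeader as exc:
        print("rejected:", exc)
    print("accepted as:", type(build_headers(wrapped)["X-Vault-Token"]).__name__)
```
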

fansari commented 2 months ago

I came across the same issue. The latest version I can install with pip which does not run into this bug is this:

```
pip install ansible==6.7.0
```

briantist commented 2 months ago

@fansari this should have been fixed in #291 in collection version 3.2.0. When you run `ansible-galaxy collection list` what version of this collection do you see?