ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0

`vault_token_create` using `wrap_ttl` and `role_name` returns a token that is not wrapped #358

Open blmhemu opened 1 year ago

blmhemu commented 1 year ago
SUMMARY

The template `{{ lookup('community.hashi_vault.vault_token_create', url='https://100.72.58.16:8200/', wrap_ttl='1m', role_name='cluster-pki') }}` does NOT create a wrapped token - just creates a normal token.

The equivalent CLI command works fine with the same token (as above) `vault token create -wrap-ttl=1m -role=cluster-pki` and creates a wrapped token.

ISSUE TYPE
COMPONENT NAME

community.hashi_vault.vault_token_create

ANSIBLE VERSION
ansible [core 2.14.3]
COLLECTION VERSION
4.1.0
OS / ENVIRONMENT

MacOS

STEPS TO REPRODUCE
`{{ lookup('community.hashi_vault.vault_token_create', url='https://100.72.58.16:8200/', wrap_ttl='1m', role_name='cluster-pki' ) }}`
EXPECTED RESULTS

It creates a wrapped token.

ACTUAL RESULTS

It creates a normal token (not wrapped).

briantist commented 1 year ago

Hi @blmhemu thanks for reporting this! It looks like this is a bug in the hvac library instead, and I've opened an issue for it here:

briantist commented 1 year ago

@blmhemu I have a PR up in hvac that should fix this:

In the meantime if you want to see if that fixes it with ansible as well, you can try installing hvac from my branch:

`pip install https://github.com/briantist/hvac/archive/auth.token.create/wrapped-role-based.tar.gz`

This should work with no changes to Ansible/this collection.
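
Added example, not part of the thread and not code from the collection or hvac: a guard that refuses to pass on a token-create response unless it is actually response-wrapped, which catches the failure reported above before an unwrapped token is handed to another party. It assumes the caller has the raw Vault response as a dictionary; `require_wrapped`, `NotWrappedError` and the sample responses are constructed for illustration, and the expected `creation_path` of `auth/token/create/<role_name>` is an assumption about the role-based endpoint.

```python
# Added example: verify that a Vault token-create response is really wrapped.
# The response dictionaries below are constructed samples with placeholder
# token values, not output taken from the issue.


class NotWrappedError(ValueError):
    """Raised when a response expected to be wrapped is not."""


def require_wrapped(response, role_name, max_ttl):
    """Return the wrapping token, or raise if the response is not wrapped.

    role_name and max_ttl (seconds) are what the caller requested.
    """
    auth = response.get("auth") or {}
    if auth.get("client_token"):
        # Failure mode from this issue: a usable token came back directly.
        raise NotWrappedError("auth.client_token present; token is not wrapped")

    wrap_info = response.get("wrap_info") or {}
    token = wrap_info.get("token")
    if not token:
        raise NotWrappedError("response has no wrap_info.token")

    # Assumed request path for role-based token creation.
    expected_path = "auth/token/create/" + role_name
    if wrap_info.get("creation_path") != expected_path:
        raise NotWrappedError(
            "unexpected creation_path: %r" % wrap_info.get("creation_path"))

    ttl = wrap_info.get("ttl")
    if not isinstance(ttl, int) or not 0 < ttl <= max_ttl:
        raise NotWrappedError("unexpected wrap ttl: %r" % ttl)
    return token


WRAPPED = {"auth": None, "data": None, "wrap_info": {
    "token": "hvs.EXAMPLE-WRAPPING-TOKEN", "ttl": 60,
    "creation_path": "auth/token/create/cluster-pki"}}
UNWRAPPED = {"wrap_info": None, "auth": {
    "client_token": "hvs.EXAMPLE-CLIENT-TOKEN", "policies": ["default"]}}

if __name__ == "__main__":
    print(require_wrapped(WRAPPED, "cluster-pki", 60))
    try:
        require_wrapped(UNWRAPPED, "cluster-pki", 60)
    except NotWrappedError as exc:
        print("rejected:", exc)
```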