Closed Vladimir-csp closed 7 months ago
Hi @Vladimir-csp , thanks for submitting this. I don't think we'll be implementing this and I'll expand more on that below.
> (also why there is no `version` option for `vault_read`?)

`vault_read` is a generic plugin to read (`GET`) any path in Vault, it's not specific to any backend. You can instead manipulate the path and data sent however you wish.
Using negative version numbers is not supported because it isn't supported by Vault itself: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version
It could be synthesized by getting the secret versions first in a separate API call, calculating the relative index locally, and then requesting that version.
Building that into a client like this is troublesome, because that workflow requires additional Vault calls, and those calls require extra permissions that the caller may not have. This adds a lot of burden in terms of error handling and test cases.
The `community.hashi_vault` collection is mostly a wrapper around `hvac`, so if the `hvac` method supported this, we probably would too.
However, I don't think that `hvac` would add this functionality either. I'm currently an active maintainer on that project as well and I would decline to add this for the same reasons as above.
I think it's best to open a feature request with HashiCorp for that.
If you wanted to simulate it with Ansible and this collection, you could use `vault_read` to read the metadata endpoint of the secret: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-metadata
Then, you could make a call to `vault_kv2_get` with the version number you want; that's some index counted from the end of the versions, with some jinja2 to parse that out.
If you wanted to combine all the steps, you could create a role, or if you're comfortable with python, an action plugin, or a lookup plugin that makes the underlying calls to the existing plugins/modules.
Let me know if you have any other questions about that!
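The two-step workflow described in the comment above (read the KV v2 metadata, derive the absolute version with jinja2, then call `vault_kv2_get`), written out as an added example playbook. This is not code from the issue, the reporter's role, or the collection itself. It assumes a KV v2 engine mounted at `secret`, a secret at `app/db`, collection authentication supplied through the environment (for example `VAULT_ADDR` and `VAULT_TOKEN`), and a token policy that grants `read` on both `secret/metadata/app/db` and `secret/data/app/db`; the variable names `kv_mount`, `secret_path`, `relative_version`, `retained_versions` and `absolute_version` are made up for this example. It goes slightly beyond the comment by skipping versions that metadata reports as deleted or destroyed, since reading those returns no data.

```yaml
---
# Added example (not part of the issue or the community.hashi_vault collection):
# emulate a negative `version` for vault_kv2_get by reading KV v2 metadata first.
- name: Read a KV v2 secret by a version counted from the end
  hosts: localhost
  gather_facts: false
  vars:
    kv_mount: secret            # assumed KV v2 mount point
    secret_path: app/db         # assumed secret path under that mount
    relative_version: -2        # -1 = current version, -2 = the one before it, ...
  tasks:
    - name: Read the secret's metadata (needs read on {{ kv_mount }}/metadata/{{ secret_path }})
      community.hashi_vault.vault_read:
        path: "{{ kv_mount }}/metadata/{{ secret_path }}"
      register: meta

    - name: Collect the version numbers that are still readable
      ansible.builtin.set_fact:
        # Metadata keys are strings and only retained versions are listed, so
        # convert to int and sort before indexing from the end. Versions that
        # Vault marks as deleted or destroyed return no data, so skip them.
        retained_versions: >-
          {{ meta.data.data.versions
             | dict2items
             | rejectattr('value.destroyed')
             | selectattr('value.deletion_time', 'equalto', '')
             | map(attribute='key')
             | map('int')
             | sort }}

    - name: Fail clearly instead of silently wrapping around the list
      ansible.builtin.assert:
        that:
          - relative_version | int < 0
          - (relative_version | int | abs) <= (retained_versions | length)
        fail_msg: >-
          relative_version {{ relative_version }} is out of range;
          only {{ retained_versions | length }} readable version(s) are retained.

    - name: Translate the relative index into Vault's absolute version number
      ansible.builtin.set_fact:
        absolute_version: "{{ retained_versions[relative_version | int] }}"

    - name: Read that version (needs read on {{ kv_mount }}/data/{{ secret_path }})
      community.hashi_vault.vault_kv2_get:
        engine_mount_point: "{{ kv_mount }}"
        path: "{{ secret_path }}"
        version: "{{ absolute_version | int }}"
      register: secret_read
      no_log: true                # keep the secret's values out of the play output

    - name: Show which absolute version was resolved, not the secret itself
      ansible.builtin.debug:
        msg: "relative {{ relative_version }} resolved to version {{ secret_read.metadata.version }}"
```

The assert step matters because jinja2 negative indexing silently wraps (an index of `-5` on a three-item list raises an error, but `-3` on a list that used to have four items quietly returns a different version than intended once Vault's `max_versions` has pruned the oldest). Keeping `no_log` on the read task stops the resolved secret from landing in logs or callback output.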
Thanks for the explanation. I've already emulated this at role level.
SUMMARY
Please make `version` negative values return secret's version counted from the end.
ISSUE TYPE
COMPONENT NAME
vault_kv2_get
ADDITIONAL INFORMATION
(also why there is no `version` option for `vault_read`?)