ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0

Negative version numbers for accessing previous versions of a secret #427

Closed Vladimir-csp closed 7 months ago

Vladimir-csp commented 8 months ago
SUMMARY

Please make version negative values return secret's version counted from the end.

ISSUE TYPE
COMPONENT NAME

vault_kv2_get

ADDITIONAL INFORMATION
```jinja
{# a secret has versions up to 9 #}
{# return latest version 9 #}
lookup('community.hashi_vault.vault_kv2_get', 'path/to/secret', version=-1)
{# return previous version 8 #}
lookup('community.hashi_vault.vault_kv2_get', 'path/to/secret', version=-2)
```

(also why there is no version option for vault_read?)

briantist commented 7 months ago

Hi @Vladimir-csp, thanks for submitting this. I don't think we'll be implementing this, and I'll expand more on that below.

(also why there is no version option for vault_read?)

vault_read is a generic plugin to read (GET) any path in Vault, it's not specific to any backend. You can instead manipulate the path and data sent however you wish.

Using negative version numbers is not supported because it isn't supported by Vault itself: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version

It could be synthesized by getting the secret versions first in a separate API call, calculating the relative index locally, and then requesting that version.

Building that into a client like this is troublesome, because that workflow requires additional Vault calls, and those calls require extra permissions that the caller may not have. This adds a lot of burden in terms of error handling and test cases.

The community.hashi_vault collection is mostly a wrapper around hvac, so if the hvac method supported this, we probably would too.

However, I don't think that hvac would add this functionality either. I'm currently an active maintainer on that project as well and I would decline to add this for the same reasons as above.

I think it's best to open a feature request with HashiCorp for that.

If you wanted to simulate it with Ansible and this collection, you could use vault_read to read the metadata endpoint of the secret: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-metadata

Then, you could make a call to vault_kv2_get with the version number you want, that is, some index counted from the end of the versions, with some Jinja2 to parse that out.

If you wanted to combine all the steps, you could create a role, or if you're comfortable with Python, an action plugin or a lookup plugin that makes the underlying calls to the existing plugins/modules.

Let me know if you have any other questions about that!
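The two-step emulation described in the reply (read the metadata endpoint with vault_read, work out the absolute version with Jinja2, then read it with vault_kv2_get), written out as an added example that is not part of this thread or of the collection's own code. It assumes the vault_read module returns the raw Vault response under `data` (so the metadata body is `meta.data.data`), a placeholder Vault URL, and that authentication comes from the collection's defaults (for example a token in VAULT_TOKEN); note that the metadata read needs a policy grant on `<mount>/metadata/<path>`, which is separate from the `<mount>/data/<path>` grant the secret read needs.

```yaml
# Added example (hypothetical play): emulate version=-N for a KV v2 secret.
- name: Read the N-th newest version of a KV v2 secret
  hosts: localhost
  gather_facts: false
  vars:
    kv_mount: secret
    secret_path: path/to/secret
    relative_version: -2            # -1 = newest, -2 = previous, ...
    vault_url: https://vault.example.com:8200   # placeholder

  tasks:
    - name: Read secret metadata (policy needs read on {{ kv_mount }}/metadata/{{ secret_path }})
      community.hashi_vault.vault_read:
        url: "{{ vault_url }}"
        path: "{{ kv_mount }}/metadata/{{ secret_path }}"
      register: meta

    - name: Build the list of versions that can still be read, oldest first
      ansible.builtin.set_fact:
        # Skip destroyed versions and soft-deleted ones (deletion_time is "" when not deleted),
        # so a negative index never lands on a version whose data Vault will not return.
        usable_versions: >-
          {{ meta.data.data.versions | dict2items
             | rejectattr('value.destroyed')
             | selectattr('value.deletion_time', 'eq', '')
             | map(attribute='key') | map('int') | sort }}

    - name: Refuse out-of-range indexes instead of silently reading the wrong version
      ansible.builtin.assert:
        that:
          - relative_version | int < 0
          - (relative_version | int | abs) <= (usable_versions | length)
        fail_msg: >-
          version={{ relative_version }} is out of range;
          only {{ usable_versions | length }} readable version(s) exist

    - name: Read that version (policy needs read on {{ kv_mount }}/data/{{ secret_path }})
      community.hashi_vault.vault_kv2_get:
        url: "{{ vault_url }}"
        engine_mount_point: "{{ kv_mount }}"
        path: "{{ secret_path }}"
        version: "{{ usable_versions[relative_version | int] }}"
      register: kv_result
      no_log: true                  # keep secret values out of the play log
```

Because the metadata and data reads are two separate calls, a version can still be deleted or a new one written between them; the assert only checks what the metadata reported at the time.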

Vladimir-csp commented 7 months ago

Thanks for the explanation. I've already emulated this at role level.