ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0

hashi_vault - Can't login using username/password (userpass auth method) #66

Closed joao-p-marques closed 3 years ago

joao-p-marques commented 3 years ago
SUMMARY

I can use the lookup plugin to login with a user token, but I can't login using a username and password.

ISSUE TYPE
COMPONENT NAME

hashi_vault lookup plugin, possibly with the integration with the hvac library.

ANSIBLE VERSION
ansible 2.10.2
  config file = None
  configured module search path = ['/home/jota/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/jota/Documents/Tecnativa/infra/ci-templates/.venv/lib/python3.9/site-packages/ansible
  executable location = /home/jota/Documents/Tecnativa/infra/ci-templates/.venv/bin/ansible
  python version = 3.9.2 (default, Feb 20 2021, 00:00:00) [GCC 10.2.1 20201125 (Red Hat 10.2.1-9)]
CONFIGURATION

(empty)

OS / ENVIRONMENT

Fedora 33, running a playbook against localhost (local connection)

STEPS TO REPRODUCE

I created a simple playbook just to test this case:

- name: Test
  hosts: localhost
  connection: local
  vars:
    vault_username: MY_USER_NAME
    vault_password: MY_USER_PASSWORD
    vault_api: URL_TO_MY_SERVER
    vault_token: MY_USER_TOKEN
  tasks:
    - ansible.builtin.debug:
        msg:
          "{{ lookup('community.hashi_vault.hashi_vault',
          'secret=secret/data/SOME-SECRET/SUB-SECRET', token=vault_token, url=vault_api)
          }}"
    - ansible.builtin.debug:
        msg:
          "{{ lookup('community.hashi_vault.hashi_vault',
          'secret=secret/data/SOME-SECRET/SUB-SECRET', auth_method='userpass',
          username=vault_username, password=vault_password, url=vault_api) }}"
EXPECTED RESULTS

Both cases should work (retrieve secrets with a token and with a username/password pair)

ACTUAL RESULTS

The first command (with a token) works (proving my user has access to said secret and that its token is valid). The second command does not work, giving the following error:

TASK [ansible.builtin.debug] *********************************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.hashi_vault'. Error was a <class 'hvac.exceptions.InvalidRequest'>, original message: missing client token, on get URL_TO_MY_SERVER/v1/secret/data/SOME-SECRET/SUB-SECRET"}

cc @Yajo

briantist commented 3 years ago

Yikes.. this is unfortunately another instance of https://github.com/hvac/hvac/issues/644#issuecomment-777272158 and another case where our tests are severely lacking (there are no tests at all for userpass auth it seems 🤦). The fix is going to be easy, I'll look at getting out another bugfix release soon.

Unfortunately I'll probably have to delay tests to get that out more quickly, so I'll create another issue to track that.

Thanks for reporting @joao-p-marques !

briantist commented 3 years ago

Looking through the hvac code, I can also see that this would have worked in the plugin using an older version of hvac, so if you want a very quick fix and don't mind downgrading, you can try that, I think any hvac version lower than 0.9.6 would do it (you should see a warning from this plugin in ansible about using a deprecated auth method if it's using the old one).
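
The failure described above, a userpass login that completes but leaves the client with no token so the following read fails with "missing client token", written out as an added Python example (not the plugin's or hvac's own code). It uses a minimal hvac-like client against a constructed fake Vault; `MiniVaultClient`, `fake_vault`, the user `alice` and every token and secret value are assumptions made for the example.

```python
class VaultError(Exception):
    pass

class MiniVaultClient:  # hypothetical hvac-like client; transport is injected so it runs offline
    def __init__(self, url, transport, token=None):
        self.url = url.rstrip("/")
        self.transport = transport  # callable(method, url, headers, body) -> (status, dict)
        self.token = token

    def _request(self, method, path, body=None):
        headers = {"X-Vault-Token": self.token} if self.token else {}
        status, payload = self.transport(method, f"{self.url}/v1/{path}", headers, body)
        if status != 200:
            raise VaultError(f"{', '.join(payload.get('errors', []))}, on {method.lower()} {self.url}/v1/{path}")
        return payload

    def login_userpass(self, username, password, mount_point="userpass"):
        # Vault returns the new token in auth.client_token; the client must store it, or every later request lacks X-Vault-Token.
        resp = self._request("POST", f"auth/{mount_point}/login/{username}", {"password": password})
        token = (resp.get("auth") or {}).get("client_token")
        if not token:
            raise VaultError("login succeeded but the response carried no client_token")
        self.token = token
        return resp

    def read_kv2(self, path):  # the same read the lookup does for a 'secret=secret/data/...' term
        return self._request("GET", path)["data"]["data"]

FAKE_TOKEN = "s.constructed-example-token"  # constructed value, not a real token
SECRET_PATH = "secret/data/SOME-SECRET/SUB-SECRET"

def fake_vault(method, url, headers, body):
    """Constructed stand-in for a Vault server: one userpass user, one KV v2 secret."""
    if method == "POST" and url.endswith("/v1/auth/userpass/login/alice") and (body or {}).get("password") == "example-pass":
        return 200, {"auth": {"client_token": FAKE_TOKEN, "policies": ["default"]}}
    if headers.get("X-Vault-Token") != FAKE_TOKEN:
        return 400, {"errors": ["missing client token"]}  # the error quoted in the issue
    return (200, {"data": {"data": {"value": "hunter2"}, "metadata": {"version": 1}}}) if method == "GET" and url.endswith("/v1/" + SECRET_PATH) else (404, {"errors": []})

def fetch_with_userpass(url, username, password, transport=fake_vault):
    client = MiniVaultClient(url, transport)
    client.login_userpass(username, password)  # stores the token before the read
    return client.read_kv2(SECRET_PATH)

def fetch_without_stored_token(url, transport=fake_vault):  # reproduces the bug: read with no stored token
    try:
        return MiniVaultClient(url, transport).read_kv2(SECRET_PATH)
    except VaultError as exc:
        return str(exc)
```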

joao-p-marques commented 3 years ago

Ok, thanks for the pointer @briantist

I will try that for now and upgrade as soon as the fix is merged and released :+1:

briantist commented 3 years ago

Thank you @joao-p-marques , if you could confirm that works I would really appreciate it 🙏 , I don't have a userpass method set up anywhere to test right now

joao-p-marques commented 3 years ago

I am afraid I won't be able to test this today, but tomorrow first thing I will and report back here :+1:

Thanks a lot for the help!

joao-p-marques commented 3 years ago

@briantist I can confirm that it works as is with hvac at version 0.9.5 :+1:

Also, I tried updating hvac back to the latest version (0.10.8) and applying the fix from #68 locally and it also works :smiley:

briantist commented 3 years ago

@joao-p-marques 😍 that's perfect, I was hoping you'd be able to try the PR too, thank you so much! I'm going to try to get this released while it's still business hours in Portugal, maybe you'll be able to update before the end of (your) day 🤞

joao-p-marques commented 3 years ago

Thanks a lot @briantist

Right now we are only using this in development and testing, so the local fix gets me going for now, but thanks for the quick response :+1:

briantist commented 3 years ago

Thank you so much for your help @joao-p-marques , version 1.1.3 is released:

joao-p-marques commented 3 years ago

Nice, thank you for the work and quick response!