datastax / vault-plugin-secrets-datastax-astra

HashiCorp Vault Plugin for DataStax Astra
Apache License 2.0

Issue configuring roles #27

Closed olafz closed 1 year ago

olafz commented 1 year ago

I'm having trouble configuring roles. After a vault write astra/role, when I read back the actual role, the role_name always shows as n/a. I'm using plugin version 1.0.1 and Vault version 1.13.3. Both the Organization ID and Role ID in the example below have been anonymized.

Configure the Astra instance:

vault write astra/config org_id="XXX-3f5c6e2f4658" \
  astra_token="..." \
  url="https://api.astra.datastax.com" logical_name="demo" caller_mode="sidecar"

Success! Data written to: astra/config

Configure a role with existing role_id:

vault write astra/role role_name="R_W_User" role_id="XXX-c6a2fe2dab50" org_id="XXX-3f5c6e2f4658"

Success! Data written to: astra/role

Read back what has been configured:

vault read astra/role role_id="XXX-c6a2fe2dab50" org_id="XXX-3f5c6e2f4658"

Key          Value
---          -----
org_id       XXX-3f5c6e2f4658
role_id      XXX-c6a2fe2dab50
role_name    n/a

Notice the n/a role name. What I notice when I list the configured roles is that the key seems to be missing "something":

vault list astra/roles

Keys
----
XXX-3f5c6e2f4658-

Please let me know if you need any additional information to help figure out the cause of this issue.

olafz commented 1 year ago

Ah, I found the solution myself after looking in the source of the plugin. The command

vault write astra/role role_name="R_W_User" role_id="XXX-c6a2fe2dab50" org_id="XXX-3f5c6e2f4658"

should be replaced with

vault write astra/role role="R_W_User" role_id="XXX-c6a2fe2dab50" org_id="XXX-3f5c6e2f4658"

Note the difference between role_name and role. This is an error in the documentation in some places.