Open danielskowronski opened 7 months ago
The logic in https://github.com/hashicorp/terraform-provider-vault/blob/main/internal/provider/meta.go#L268 seems to have a bug. Likely, the cloned client is left in an unclean state after a timeout from TF (registered handler for /oidc/callback) and there's some missing check to see if it can be re-used, so an unsafe authLogin.Login(clone) is issued.
Or it can be caused by the library used; https://github.com/hashicorp/vault-plugin-auth-jwt/pull/115 seems to confirm this behaviour.
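The hazard described in the comment above, as an added example that is not part of the original issue and not the provider's or vault-plugin-auth-jwt's code: a hypothetical model in Go of two resources triggering interactive OIDC logins. The naive variant registers the callback path on a shared net/http ServeMux each time, which panics on the second registration instead of timing out; the second variant serialises logins, bounds each by its own context, and clears the callback slot when a login ends, so a timed-out login leaves no stale handler and a late browser callback is dropped rather than handed to the next login. The names oidcFlow, Login, Deliver, naiveRegister, the token strings and the simulated browser goroutine are all assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"sync/atomic"
	"time"
)

// Hypothetical model of the hazard (not provider or vault-plugin-auth-jwt code):
// each resource starts an OIDC login whose callback handler outlives the login.
const callbackPath = "/oidc/callback"

// naiveRegister puts the callback on a shared mux. net/http's ServeMux panics on
// a second registration of one pattern, so the second login crashes instead of
// timing out; the panic is recovered here only so the demo can report it.
func naiveRegister(mux *http.ServeMux) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("second registration panicked: %v", r)
		}
	}()
	mux.HandleFunc(callbackPath, func(http.ResponseWriter, *http.Request) {})
	return nil
}

// oidcFlow serialises logins, bounds each by its own context, and clears the
// callback slot whenever a login ends, so no half-finished login is reused.
type oidcFlow struct {
	mu     sync.Mutex   // at most one browser round-trip in flight
	cb     atomic.Value // chan string, non-nil only while a login is waiting
	cached string       // token from a completed login, reused by later callers
}

func (f *oidcFlow) Login(ctx context.Context) (string, error) {
	f.mu.Lock()
	defer f.mu.Unlock()
	if f.cached != "" {
		return f.cached, nil // later resources reuse the first login's token
	}
	ch := make(chan string, 1)
	f.cb.Store(ch)
	defer f.cb.Store((chan string)(nil)) // always unregister, on timeout too
	select {
	case tok := <-ch:
		f.cached = tok
		return tok, nil
	case <-ctx.Done():
		return "", ctx.Err() // context.DeadlineExceeded on timeout
	}
}

// Deliver is what the callback handler would call with the browser's token. A
// late callback for a login that already timed out is dropped, not reused.
func (f *oidcFlow) Deliver(token string) bool {
	ch, _ := f.cb.Load().(chan string) // nil when no login is waiting
	select {
	case ch <- token:
		return true
	default: // nil channel (nobody waiting) or token already delivered
		return false
	}
}

// scenario: two concurrent logins nobody completes, then a late callback, then
// a login the simulated browser does complete, then a caller reusing its token.
func scenario() (naive1, naive2 error, timeouts int, lateAccepted bool, token, reused string) {
	mux := http.NewServeMux()
	naive1, naive2 = naiveRegister(mux), naiveRegister(mux)

	var f oidcFlow
	errs := make(chan error, 2)
	for i := 0; i < 2; i++ {
		go func() {
			ctx, cancel := context.WithTimeout(context.Background(), 30*time.Millisecond)
			defer cancel()
			_, err := f.Login(ctx)
			errs <- err
		}()
	}
	for i := 0; i < 2; i++ {
		if errors.Is(<-errs, context.DeadlineExceeded) {
			timeouts++
		}
	}
	lateAccepted = f.Deliver("late-token") // the tab finished after the timeout
	go func() { // simulated browser completing the next login
		for !f.Deliver("tok-123") {
			time.Sleep(time.Millisecond)
		}
	}()
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	token, _ = f.Login(ctx)
	reused, _ = f.Login(ctx)
	return
}
```

Running scenario() shows the two failure modes side by side: naive2 carries the recovered ServeMux panic, while the serialised flow reports two clean timeouts, rejects the late callback, and then completes one login whose token the second caller reuses without another browser round-trip.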
@danielskowronski Hi, thanks for reporting! I believe this does need to be fixed in vault-plugin-auth-jwt. We will see if we can get this resolved.
Terraform Core Version
1.7.0
Terraform Vault Provider Version
3.24.0
Vault Server Version
1.13.3
Affected Resource(s)
At least:
vault_kv_secret_v2
Expected Behavior
When using OIDC to log in and reading more than one vault_kv_secret_v2, the provider should gracefully time out while waiting to obtain a token.
Actual Behavior
It crashes in a nasty way.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
1. auth_login_oidc
2. vault_kv_secret_v2. If you use just one, it does work, so it's likely some race condition.
3. terraform apply or terraform plan
Debug Output
No response
Panic Output
No response
Important Factoids
Users are very likely to issue terraform apply and miss the fact that they had a new browser tab opened - it can get mixed up with the time they opened a new tab, or for larger deployments they can just go to grab a coffee.
References
No response
Would you like to implement a fix?
None