hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: auth_login_cert is nondeterministic #2132

Closed the-maldridge closed 7 months ago

the-maldridge commented 7 months ago

Terraform Core Version

1.7.1

Terraform Vault Provider Version

3.23.0

Vault Server Version

1.14.1

Affected Resource(s)

The provider's auth_login_cert method is missing the role parameter. Without the role parameter whatever matches first gets returned per vault's documentation.

Expected Behavior

I expect to specify which role terraform should attempt to assume, since there may be multiple roles a certificate is valid for, only one of which is suitable for terraform.

Actual Behavior

I think what's happening is that terraform is winding up with either no policy at all other than the implicit default, or it's winding up with the highly constrained "machine" policy that all machines in my environment are allowed to assume. Since I can't specify what role it should use, I don't really know what role it's actually getting.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

provider "vault" {
  address = "https://vault.example.com:8200"

  auth_login_cert {
    mount = "pki_auth"

    cert_file = "/etc/lego/certificates/self.crt"
    key_file  = "/etc/lego/certificates/self.key"
  }
}

Steps to Reproduce

Attempt to perform any action using the above provider block against vault. Observe that the role was unspecified, and therefore unpredictable as to exactly what permissions terraform wound up with. Observe that this is both insecure and against vault best practices.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

This page which describes how vault will handle a request to authenticate without a named role.

Would you like to implement a fix?

None

fairclothjm commented 7 months ago

@the-maldridge Thanks for opening the issue! It looks like this is supported but we do not have the name field documented. I opened https://github.com/hashicorp/terraform-provider-vault/pull/2134 to update the docs

the-maldridge commented 7 months ago

Thanks for getting back so quickly on this one. I verified that setting the name parameter fixed the issue I was seeing and that I can now access the resources I expected to with terraform.
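The provider block from the report with the cert auth role pinned via the `name` field that the thread identifies as the fix, followed by the Vault-side definition of that role. This is an added example, not the reporter's configuration or the project's own documentation: the mount path and the certificate paths are the ones from the issue, while the role name `terraform`, the policy name, the CA certificate path and the allowed common name are assumptions.

```hcl
# Added example, not the reporter's config or the provider's docs.
# Mount and client-cert paths come from the issue; the role name "terraform",
# the policy name, the CA path and the allowed CN are assumptions.

provider "vault" {
  address = "https://vault.example.com:8200"

  auth_login_cert {
    mount = "pki_auth"

    # Pin the cert auth role. Without it Vault tries every role on the mount
    # and issues a token for the first one the client certificate matches,
    # which is unpredictable when the same cert satisfies several roles
    # (for example a broad "machine" role and a narrow "terraform" role).
    name = "terraform"

    cert_file = "/etc/lego/certificates/self.crt"
    key_file  = "/etc/lego/certificates/self.key"
  }
}

# Vault-side definition of the role pinned above. These resources belong in
# a separate bootstrap workspace that authenticates to Vault some other way,
# because the provider block above cannot log in to a role that does not
# exist yet.
resource "vault_auth_backend" "cert" {
  type = "cert"
  path = "pki_auth"
}

resource "vault_policy" "terraform" {
  name   = "terraform" # assumed policy name
  policy = file("${path.module}/terraform-policy.hcl")
}

resource "vault_cert_auth_backend_role" "terraform" {
  backend     = vault_auth_backend.cert.path
  name        = "terraform"
  certificate = file("/etc/lego/certificates/ca.crt") # assumed CA path

  # Constrain which client certificates may use this role so that it and the
  # broad machine role do not both accept the same certificate; the explicit
  # name in the provider block then selects exactly this role.
  allowed_common_names = ["terraform.example.com"] # assumed CN

  token_policies = [vault_policy.terraform.name]
  token_ttl      = 3600
}
```

After applying with the pinned `name`, the practical check is to log in with the same certificate and role outside Terraform (`vault login -method=cert -path=pki_auth name=terraform`) and confirm with `vault token lookup` that the resulting token carries only `default` and `terraform` rather than the machine policy.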