hashicorp / vault-action

A GitHub Action that simplifies using HashiCorp Vault™ secrets as build variables.
MIT License

[BUG] JWT method adds kubernetesTokenPath when using Kubernetes-hosted runner #244

Open dianareider opened 3 years ago

dianareider commented 3 years ago

Describe the bug

I'm using a JWT generated from Azure AD (via Service Principal) to authenticate to Vault. When using vault-action 2.3.0 on a self-hosted Ubuntu runner on Kubernetes (I believe AKS), I receive the following message: "Error: not supported argument." This appears to be caused by kubernetesTokenPath automatically being injected as a parameter, even though it's not in the code.

Log snippet:

Run hashicorp/vault-action@v2.3.0
  with:
    url: https://myvault.com
    method: jwt
    role: myrole
    jwtPrivateKey: ***
    secrets: secret/path/mysecret key
    exportToken: true
    kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
    exportEnv: true
    tlsSkipVerify: false
    jwtTtl: 3600
  env:
    AZURE_HTTP_USER_AGENT: 
    AZUREPS_HOST_ENVIRONMENT: 
::group::Get Vault Secrets
Get Vault Secrets
  ::endgroup::
Error: not supported argument

To Reproduce

# File: .github/workflows/workflow.yml

on: [push]

name: AzureLoginSample

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      # Authenticate the runner to Azure as a service principal.
      - uses: azure/login@v1
        with:
          creds: '{"clientId": "${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'

      # Sanity check: confirm the login worked and which subscription is active.
      - run: |
          az account show

      # Obtain an Azure AD access token (a JWT) for the service principal,
      # mask it so it is redacted from the job log, and hand it to the next step.
      - name: Azure CLI script file
        uses: azure/CLI@v1
        id: azure_auth
        with:
          azcliversion: 2.0.72
          inlineScript: |
            JWT=$(az account get-access-token --query 'accessToken' -o tsv)
            echo "::add-mask::$JWT"
            # ::set-output is deprecated on current runners; $GITHUB_OUTPUT is the replacement.
            echo "::set-output name=JWT::$JWT"

      # Log in to Vault with the jwt method and pull one key from a KV secret.
      - name: Import Secrets
        uses: hashicorp/vault-action@v2.3.0
        with:
          url: https://myvault.com
          method: jwt
          role: myrole
          jwtPrivateKey: ${{ steps.azure_auth.outputs.JWT }}
          secrets: secret/mypath/mysecret mykey
          exportToken: true

Expected behavior

Kubernetes token should not be included when attempting to use JWT authentication method.

Log Output

##[debug]Starting: Set up job
Current runner version: '2.280.3'
Operating System
Virtual Environment
Virtual Environment Provisioner
GITHUB_TOKEN Permissions
##[debug]Primary repository: Cloud-3-0/vault-azure-auth
Prepare workflow directory
##[debug]Creating pipeline directory: '/home/runner/work/vault-azure-auth'
##[debug]Creating workspace directory: '/home/runner/work/vault-azure-auth/vault-azure-auth'
##[debug]Update context data
##[debug]Evaluating job-level environment variables
##[debug]Evaluating job container
##[debug]Evaluating job service containers
##[debug]Evaluating job defaults
Prepare all required actions
Getting action download info
Download action repository 'azure/login@v1' (SHA:77f1b2e3fb80c0e8645114159d17008b8a2e475a)
##[debug]Download 'https://api.github.com/repos/Azure/login/tarball/77f1b2e3fb80c0e8645114159d17008b8a2e475a' to '/home/runner/work/_actions/_temp_5c21a1e8-26b6-49b3-b7d2-57ac257f52ab/81f04949-9deb-4db9-8f61-85f5d9325dc1.tar.gz'
##[debug]Unwrap 'Azure-login-77f1b2e' to '/home/runner/work/_actions/azure/login/v1'
##[debug]Archive '/home/runner/work/_actions/_temp_5c21a1e8-26b6-49b3-b7d2-57ac257f52ab/81f04949-9deb-4db9-8f61-85f5d9325dc1.tar.gz' has been unzipped into '/home/runner/work/_actions/azure/login/v1'.
Download action repository 'azure/CLI@v1' (SHA:4b58c946a0f48d82cc2b6e31c0d15a6604859554)
##[debug]Download 'https://api.github.com/repos/Azure/cli/tarball/4b58c946a0f48d82cc2b6e31c0d15a6604859554' to '/home/runner/work/_actions/_temp_c97edde7-4df4-436b-aaf7-8c203335fbb1/6e4ef207-2f69-4e10-9797-3b81a700d055.tar.gz'
##[debug]Unwrap 'Azure-cli-4b58c94' to '/home/runner/work/_actions/azure/CLI/v1'
##[debug]Archive '/home/runner/work/_actions/_temp_c97edde7-4df4-436b-aaf7-8c203335fbb1/6e4ef207-2f69-4e10-9797-3b81a700d055.tar.gz' has been unzipped into '/home/runner/work/_actions/azure/CLI/v1'.
Download action repository 'hashicorp/vault-action@v2.3.0' (SHA:0451f06f9f705768363122da079f46746e31bfe4)
##[debug]Download 'https://api.github.com/repos/hashicorp/vault-action/tarball/0451f06f9f705768363122da079f46746e31bfe4' to '/home/runner/work/_actions/_temp_12ba28c9-739d-44d8-832b-1b5293184e42/814bbbd3-7ac4-4c2d-bf40-43c3652d5ee9.tar.gz'
##[debug]Unwrap 'hashicorp-vault-action-0451f06' to '/home/runner/work/_actions/hashicorp/vault-action/v2.3.0'
##[debug]Archive '/home/runner/work/_actions/_temp_12ba28c9-739d-44d8-832b-1b5293184e42/814bbbd3-7ac4-4c2d-bf40-43c3652d5ee9.tar.gz' has been unzipped into '/home/runner/work/_actions/hashicorp/vault-action/v2.3.0'.
##[debug]action.yml for action: '/home/runner/work/_actions/azure/login/v1/action.yml'.
##[debug]action.yml for action: '/home/runner/work/_actions/azure/CLI/v1/action.yml'.
##[debug]action.yml for action: '/home/runner/work/_actions/hashicorp/vault-action/v2.3.0/action.yml'.
##[debug]Set step '__azure_login' display name to: 'Run azure/login@v1'
##[debug]Set step '__run' display name to: 'Run az account show'
##[debug]Set step 'azure_auth' display name to: 'Azure CLI script file'
##[debug]Set step '__hashicorp_vault-action' display name to: 'Import Secrets'
##[debug]Collect running processes for tracking orphan processes.
##[debug]Finishing: Set up job
##[debug]Evaluating condition for step: 'Run azure/login@v1'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run azure/login@v1
##[debug]Loading inputs
##[debug]Evaluating: format('{{"clientId": "{0}","clientSecret":"{1}","subscriptionId":"{2}","tenantId":"{3}"}}', secrets.ARM_CLIENT_ID, secrets.ARM_CLIENT_SECRET, secrets.ARM_SUBSCRIPTION_ID, secrets.ARM_TENANT_ID)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '{{"clientId": "{0}","clientSecret":"{1}","subscriptionId":"{2}","tenantId":"{3}"}}'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_CLIENT_ID'
##[debug]..=> '***'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_CLIENT_SECRET'
##[debug]..=> '***'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_SUBSCRIPTION_ID'
##[debug]..=> '***'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_TENANT_ID'
##[debug]..=> '***'
##[debug]=> '{"clientId": "***","clientSecret":"***","subscriptionId":"***","tenantId":"***"}'
##[debug]Result: '{"clientId": "***","clientSecret":"***","subscriptionId":"***","tenantId":"***"}'
##[debug]Loading env
Run azure/login@v1
##[debug]az cli version used:
##[debug]azure-cli                         2.27.1
##[debug]
##[debug]core                              2.27.1
##[debug]telemetry                          1.0.6
##[debug]
##[debug]Extensions:
##[debug]azure-devops                      0.20.0
##[debug]
##[debug]Python location '/opt/az/bin/python3'
##[debug]Extensions directory '/opt/az/azcliextensions'
##[debug]
##[debug]Python (Linux) 3.6.10 (default, Aug 11 2021, 02:41:08) 
##[debug][GCC 9.3.0]
##[debug]
##[debug]Legal docs and information: aka.ms/AzureCliLegal
##[debug]
##[debug]
##[debug]Your CLI is up-to-date.
##[debug]
::add-mask::***
##[debug]Cannot find key: $.resourceManagerEndpointUrl
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Login successful.
##[debug]Node Action run completed with exit code 0
##[debug]AZURE_HTTP_USER_AGENT='GITHUBACTIONS/AzureLogin@v1_Cloud-3-0/vault-azure-auth'
##[debug]AZUREPS_HOST_ENVIRONMENT='GITHUBACTIONS/AzureLogin@v1_Cloud-3-0/vault-azure-auth'
##[debug]AZURE_HTTP_USER_AGENT=''
##[debug]AZUREPS_HOST_ENVIRONMENT=''
##[debug]Finishing: Run azure/login@v1
##[debug]Evaluating condition for step: 'Run az account show'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run az account show
##[debug]Loading inputs
##[debug]Loading env
Run az account show
##[debug]/usr/bin/bash -e /home/runner/work/_temp/fb09b562-9d1d-443f-b223-d5dfac58ec9a.sh
{
  "environmentName": "AzureCloud",
  "homeTenantId": "***",
  "id": "***",
  "isDefault": true,
  "managedByTenants": [],
  "name": "my-azure-subscription",
  "state": "Enabled",
  "tenantId": "***",
  "user": {
    "name": "***",
    "type": "servicePrincipal"
  }
}
##[debug]Finishing: Run az account show
##[debug]Evaluating condition for step: 'Azure CLI script file'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Azure CLI script file
##[debug]Loading inputs
##[debug]Loading env
Run azure/CLI@v1
Starting script execution via docker image mcr.microsoft.com/azure-cli:2.0.72
::add-mask::***
::set-output name=JWT::***
##[debug]steps.azure_auth.outputs.JWT='***'

az script ran successfully.
cleaning up container...
MICROSOFT_AZURE_CLI_1629437136645_CONTAINER

##[debug]Node Action run completed with exit code 0
##[debug]Finishing: Azure CLI script file
##[debug]Evaluating condition for step: 'Import Secrets'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Import Secrets
##[debug]Loading inputs
##[debug]Evaluating: steps.azure_auth.outputs.JWT
##[debug]Evaluating Index:
##[debug]..Evaluating Index:
##[debug]....Evaluating Index:
##[debug]......Evaluating steps:
##[debug]......=> Object
##[debug]......Evaluating String:
##[debug]......=> 'azure_auth'
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'outputs'
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'JWT'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run hashicorp/vault-action@v2.3.0
  with:
    url: https://myvault.com
    method: jwt
    role: myrole
    jwtPrivateKey: ***
    secrets: secret/mypath/mysecret mykey
    exportToken: true
    kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
    exportEnv: true
    tlsSkipVerify: false
    jwtTtl: 3600
  env:
    AZURE_HTTP_USER_AGENT: 
    AZUREPS_HOST_ENVIRONMENT: 
::group::Get Vault Secrets
Get Vault Secrets
  ::endgroup::
Error: not supported argument
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Import Secrets
##[debug]Starting: Complete job
Cleaning up orphan processes
##[debug]Finishing: Complete job

Additional context

If there are other suggested ways of achieving the same results, I am open. My end goal will actually be to pass the vault token to TFE, but I am testing secrets retrieval while I'm at it (and see another open enhancement request for being able to get the token only, without secrets retrieval).

claas-fridtjof-lisowski commented 2 years ago

We have the same issue with Azure Service Principal and JWT token authentication. My workaround is to use plain vault cli to login and get the token/secrets.
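The workaround the previous comment describes, logging in to Vault directly with the Azure-issued JWT instead of going through vault-action, as an added example that is not part of this thread and not vault-action's or HashiCorp's code. It decodes the token's claims locally as a pre-flight check (Vault's JWT auth role rejects a token whose aud, iss or exp do not satisfy the role's bound claims), posts the token to Vault's auth/jwt/login endpoint, masks the resulting client token with the same ::add-mask:: command the workflow above uses, and reads one key from a KV v2 secret. The Vault address, the role name, the jwt mount path, the KV v2 mount at secret/, the sample token and the sample Vault responses are all constructed assumptions; with VAULT_ADDR, VAULT_ROLE and JWT set in the environment it performs the real exchange.

```python
#!/usr/bin/env python3
"""Vault JWT login with a pre-minted token (e.g. an Azure AD access token) and
a KV v2 read, straight against Vault's HTTP API.  Added example, not vault-action
code.  Assumed: JWT auth at auth/jwt, KV v2 at secret/, role 'myrole' whose
bound audience equals the token's aud."""
from __future__ import annotations
import base64, json, os, sys, time, urllib.request
from typing import Any, Optional

VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://myvault.com")  # assumed address
VAULT_ROLE = os.environ.get("VAULT_ROLE", "myrole")                # assumed role


def b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict[str, Any]:
    """Payload claims of a compact JWS, WITHOUT signature verification.
    Only a local pre-flight; Vault does the real verification against the issuer keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def preflight(claims: dict[str, Any], expected_aud: str, now: Optional[float] = None) -> list[str]:
    """Reasons a Vault JWT role would reject this token (empty list means it looks usable)."""
    now = time.time() if now is None else now
    problems: list[str] = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append(f"aud {auds!r} does not include {expected_aud!r}")
    if "iss" not in claims:
        problems.append("no iss claim")
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append("token already expired")
    return problems


def build_login_request(vault_addr: str, role: str, jwt: str, mount: str = "jwt") -> tuple[str, dict[str, str]]:
    """URL and JSON body for POST /v1/auth/<mount>/login."""
    return f"{vault_addr.rstrip('/')}/v1/auth/{mount}/login", {"role": role, "jwt": jwt}


def parse_login_response(resp: dict[str, Any]) -> tuple[str, int]:
    """Client token and its lease in seconds from a successful login response."""
    auth = resp.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise ValueError("login response carries no auth.client_token")
    return token, int(auth.get("lease_duration", 0))


def kv2_read_url(vault_addr: str, mount: str, path: str) -> str:
    """KV v2 puts /data/ between the mount and the secret path."""
    return f"{vault_addr.rstrip('/')}/v1/{mount}/data/{path}"


def parse_kv2_response(resp: dict[str, Any], key: str) -> str:
    data = resp.get("data", {}).get("data", {})
    if key not in data:
        raise KeyError(f"key {key!r} not present in secret")
    return data[key]


def _call(url: str, body: Optional[dict] = None, token: Optional[str] = None) -> dict[str, Any]:
    """Minimal JSON HTTP call; TLS verification stays at the default (on)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)


def gha_mask(value: str) -> None:
    """Ask the GitHub Actions runner to redact this value from the job log."""
    print(f"::add-mask::{value}")


# Constructed sample data, NOT a real token and NOT real Vault output.
SAMPLE_JWT = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps({
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "aud": "https://management.azure.com/",
        "appid": "11111111-1111-1111-1111-111111111111",
        "exp": 2_000_000_000,
    }).encode()),
    b64url_encode(b"not-a-real-signature"),
])
SAMPLE_LOGIN_RESPONSE = {"auth": {"client_token": "hvs.constructedExampleToken",
                                  "lease_duration": 3600, "policies": ["default", "myrole"]}}
SAMPLE_KV_RESPONSE = {"data": {"data": {"mykey": "s3cr3t"}, "metadata": {"version": 1}}}


def main() -> int:
    jwt = os.environ.get("JWT")  # the value the Azure CLI step exported
    offline = jwt is None
    if offline:
        print("JWT not set; exercising the flow on constructed sample data")
        jwt = SAMPLE_JWT
    gha_mask(jwt)
    problems = preflight(decode_jwt_claims(jwt), expected_aud="https://management.azure.com/")
    if problems:
        print("pre-flight failed: " + "; ".join(problems), file=sys.stderr)
        return 1
    url, body = build_login_request(VAULT_ADDR, VAULT_ROLE, jwt)
    login = SAMPLE_LOGIN_RESPONSE if offline else _call(url, body)
    token, lease = parse_login_response(login)
    gha_mask(token)  # the Vault token is as sensitive as the secret it unlocks
    kv_url = kv2_read_url(VAULT_ADDR, "secret", "mypath/mysecret")
    kv = SAMPLE_KV_RESPONSE if offline else _call(kv_url, token=token)
    gha_mask(parse_kv2_response(kv, "mykey"))
    print(f"login OK (lease {lease}s); read mykey from secret/mypath/mysecret")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The CLI equivalent of the two calls is `vault write auth/jwt/login role=myrole jwt="$JWT"` followed by `vault kv get -field=mykey secret/mypath/mysecret`; the pre-flight step is the part worth keeping in either form, because a mismatched aud or an expired token otherwise surfaces only as an opaque permission-denied from Vault.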