Open karlhungus opened 1 month ago
This appears on latest vault as well:
❯ vault -version
Vault v1.17.2 (2af5655e364f697a15b1dc2db2c3f85f6ef949f2), built 2024-07-05T15:19:12Z
➜ vault login -wrap-ttl=15m -tls-skip-verify -method=oidc -token-only
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
panic: interface conversion: interface {} is nil, not string
goroutine 1 [running]:
github.com/hashicorp/vault-plugin-auth-jwt.fetchAuthURL(0xc0034e1a20, {0x7ff7b8f93ca9, 0xb}, {0xc002be6c40, 0x5}, {0xfb201b5, 0x4}, {0xfb1ff01, 0x4}, {0xfb2edfe, ...})
/home/runner/go/pkg/mod/github.com/hashicorp/vault-plugin-auth-jwt@v0.21.0/cli.go:234 +0x47d
github.com/hashicorp/vault-plugin-auth-jwt.(*CLIHandler).Auth(0xc0034e1a20?, 0xc0034e1a20, 0xc0037b0300)
/home/runner/go/pkg/mod/github.com/hashicorp/vault-plugin-auth-jwt@v0.21.0/cli.go:118 +0x4a7
github.com/hashicorp/vault/command.(*LoginCommand).Run(0xc003786690, {0xc0001e21e0, 0x5, 0x5})
/home/runner/work/vault/vault/command/login.go:228 +0x5b7
github.com/hashicorp/cli.(*CLI).Run(0xc003788dc0)
/home/runner/go/pkg/mod/github.com/hashicorp/cli@v1.1.6/cli.go:265 +0x5b8
github.com/hashicorp/vault/command.RunCustom({0xc0001e21d0?, 0x6?, 0x6?}, 0xc0000061c0?)
/home/runner/work/vault/vault/command/main.go:243 +0x9a6
github.com/hashicorp/vault/command.Run(...)
/home/runner/work/vault/vault/command/main.go:147
main.main()
/home/runner/work/vault/vault/main.go:13 +0x47
For people looking to work around this, you can force the token to wrap itself by using renew:
export VAULT_TOKEN=$(vault login -address="https://127.0.0.1:${LOCALPORT}" -method=oidc -token-only -tls-skip-verify role="${ROLE}")
wrapped_token=$(vault token renew -wrap-ttl="5m" -address="https://127.0.0.1:${LOCALPORT}" -tls-skip-verify -format=json | jq -r .wrap_info.token)
When making login calls for oidc adding ex:
-wrap-ttl=5m
to the command causes the following failure
Error
Appears to originate here: https://github.com/hashicorp/vault-plugin-auth-jwt/blob/release/vault-1.16.x/cli.go#L234, my guess is that the wrapped token doesn't have an auth url because it's wrapping an earlier response.
cli version
Background (probably unrelated to this plugin)
My intent was to open vault ui with a wrapped token saving users from copying and pasting the token i.e.:
/ui/vault/auth?with=token&wrapped_token=${wrapped_token}
I couldn't find any documentation on how to wrap an oidc token via say curl requests for oidc to allow manually fetching the token and opening the ui directly with
The jwt version of this is:
but oidc equivalents don't seem to work.
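
The failure mode the post guesses at, as an added example that is not part of the original post and not the plugin's own code: a bare type assertion on a missing `auth_url` value panics with the message in the trace above, while a comma-ok assertion plus a wrap check returns an error. `Secret`, `WrapInfo`, `ErrWrapped`, `authURLUnchecked`, `authURLChecked` and `panicMessage` are hypothetical names, and the example assumes a response-wrapped reply carries wrap info and no data.

```go
package main

import "errors"
import "fmt"

// Secret is a simplified stand-in (assumption) for a Vault API response; a wrapped reply has WrapInfo and no Data.
type Secret struct {
	Data     map[string]interface{}
	WrapInfo *WrapInfo
}
type WrapInfo struct{ Token string }
var ErrWrapped = errors.New("auth_url response is response-wrapped; request it without a wrap TTL")

// authURLUnchecked uses a bare type assertion on a possibly absent key.
func authURLUnchecked(s *Secret) string {
	return s.Data["auth_url"].(string) // panics when the value is nil
}

// authURLChecked returns an error instead of panicking.
func authURLChecked(s *Secret) (string, error) {
	if s == nil {
		return "", errors.New("empty response")
	}
	if s.WrapInfo != nil {
		return "", ErrWrapped
	}
	u, ok := s.Data["auth_url"].(string) // comma-ok form never panics
	if !ok || u == "" {
		return "", errors.New("response has no auth_url string")
	}
	return u, nil
}

// panicMessage runs f and returns the recovered panic text, or "".
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return ""
}

func main() {
	wrapped := &Secret{WrapInfo: &WrapInfo{Token: "constructed-token"}} // constructed sample
	_, err := authURLChecked(wrapped)
	fmt.Println(panicMessage(func() { authURLUnchecked(wrapped) }), "|", err)
}
```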