hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Vault CLI: `-mount` doesn't prepend the specified mount point to a secret name #16639

Closed vpedosyuk closed 1 year ago

vpedosyuk commented 1 year ago

Describe the bug

According to the vault kv put usage docs, when a mount point is specified in -mount the next argument will be interpreted as a secret path. However, it doesn't work for me when the kv mount path is /teams/test/secret instead of the default /secret.

My expectation was that the following commands would work out of the box but they didn't:

$ vault secrets enable -path=/teams/test/secret -version=2 kv
Success! Enabled the kv secrets engine at: /teams/test/secret/

$ vault kv put -mount=teams/test/secret my-secret passcode=my-long-passcode
Error writing data to secret/data/my-secret: Error making API request.

URL: PUT https://<redacted>/v1/secret/data/my-secret
Code: 404. Errors:

* no handler for route "secret/data/my-secret". route entry not found.

After some time playing with mount points, ACLs, and whatnot I tried the following command:

$ vault kv put -mount=teams/test/secret teams/test/secret/my-secret passcode=my-long-passcode
================ Secret Path ================
teams/test/secret/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-08-09T09:38:29.697165567Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

And I realized that the Vault CLI seems to be generating an incorrect URL, https://<redacted>/v1/secret/data/my-secret instead of https://<redacted>/v1/teams/test/secret/data/my-secret, but it works fine if the secret path is absolute.

Environment:

aphorise commented 1 year ago

It seems that -mount='first/second/last' only takes a single last portion of the path - vs using any single word like kv / kv2 which works fine.

Hey @vpedosyuk - any reason why you don't want to do away with -mount altogether and opt instead to provide the complete path like:

vault kv put teams/test/secret/my-secret passcode=my-long-passcode

jdgoins commented 1 year ago

I just experienced this bug myself which had me scratching my head for a while. People may be gravitating toward -mount because it's a recommended practice in the kv-v2 documentation.

vpedosyuk commented 1 year ago

@aphorise yes, the complete path works well thanks. But I agree with @jdgoins and I'd keep considering this a bug because -mount seems to be a more natural way to describe a custom mount point.

aphorise commented 1 year ago

I believe this issue is likely linked to:

ccapurso commented 1 year ago

@aphorise, thank you for linking the related issue and PR. The proposed logic does in fact fix this issue:

❯ vault secrets enable -path=/teams/test/secret -version=2 kv
Success! Enabled the kv secrets engine at: /teams/test/secret/

❯ vault kv put -mount=teams/test/secret my-secret passcode=my-long-passcode
========== Secret Path ==========
teams/test/secret/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-11-01T13:51:49.936712Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

❯ vault kv get -mount=teams/test/secret my-secret
========== Secret Path ==========
teams/test/secret/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-11-01T13:51:49.936712Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

====== Data ======
Key         Value
---         -----
passcode    my-long-passcode

ccapurso commented 1 year ago

This has been fixed and backported to the 1.11 and 1.12 release branches. The fix will be available in versions 1.11.6 and 1.12.2.
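The behaviour the thread expects from -mount, as an added Go example that is not Vault's own code: every segment of a multi-segment mount path is kept when the KV v2 data and metadata API paths are built, and surrounding slashes are normalised. The guard that rejects a secret name already carrying the mount prefix is an assumption of this example, added to catch the workaround form from the original report.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// KVv2Paths holds the API paths a KV v2 operation targets for one secret.
type KVv2Paths struct {
	Data     string // <mount>/data/<secret>, used by kv put / kv get
	Metadata string // <mount>/metadata/<secret>, used by kv metadata ...
}

// normalize trims surrounding slashes and collapses duplicate separators,
// so "/teams/test/secret/" and "teams//test/secret" yield the same key.
func normalize(p string) string {
	return strings.Trim(path.Clean("/"+p), "/")
}

// BuildKVv2Paths prepends the full, possibly multi-segment mount path to the
// secret name: "teams/test/secret" + "my-secret" must become
// "teams/test/secret/data/my-secret", not "secret/data/my-secret".
func BuildKVv2Paths(mount, secret string) (KVv2Paths, error) {
	m, s := normalize(mount), normalize(secret)
	if m == "" || s == "" {
		return KVv2Paths{}, fmt.Errorf("mount and secret must both be non-empty")
	}
	// Assumed guard: with -mount set, a secret name that repeats the mount
	// prefix would be stored one level deeper than the user intended.
	if s == m || strings.HasPrefix(s, m+"/") {
		return KVv2Paths{}, fmt.Errorf("secret path %q already includes mount %q; pass only the part after the mount", secret, mount)
	}
	return KVv2Paths{
		Data:     path.Join(m, "data", s),
		Metadata: path.Join(m, "metadata", s),
	}, nil
}

func main() {
	p, err := BuildKVv2Paths("/teams/test/secret", "my-secret")
	if err != nil {
		panic(err)
	}
	fmt.Println("PUT /v1/" + p.Data) // PUT /v1/teams/test/secret/data/my-secret
}
```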