Closed vpedosyuk closed 1 year ago
It seems that -mount='first/second/last' only takes a single last portion of the path - vs using any single word like kv / kv2 which works fine.
Hey @vpedosyuk - any reason why you don't want to do away with -mount altogether and opt instead to provide the complete path like:
vault kv put teams/test/secret/my-secret passcode=my-long-passcode
I just experienced this bug myself which had me scratching my head for a while. People may be gravitating toward -mount because it's a recommended practice in the kv-v2 documentation.
@aphorise yes, the complete path works well, thanks. But I agree with @jdgoins and I'd keep considering this a bug because -mount seems to be a more natural way to describe a custom mount point.
I believe this issue is likely linked to:
@aphorise, thank you for linking the related issue and PR. The proposed logic does in fact fix this issue:
❯ vault secrets enable -path=/teams/test/secret -version=2 kv
Success! Enabled the kv secrets engine at: /teams/test/secret/
❯ vault kv put -mount=teams/test/secret my-secret passcode=my-long-passcode
========== Secret Path ==========
teams/test/secret/data/my-secret
======= Metadata =======
Key Value
--- -----
created_time 2022-11-01T13:51:49.936712Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
❯ vault kv get -mount=teams/test/secret my-secret
========== Secret Path ==========
teams/test/secret/data/my-secret
======= Metadata =======
Key Value
--- -----
created_time 2022-11-01T13:51:49.936712Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
====== Data ======
Key Value
--- -----
passcode my-long-passcode
This has been fixed and backported to the 1.11 and 1.12 release branches. The fix will be available in versions 1.11.6 and 1.12.2.
Describe the bug
According to the vault kv put usage docs, when a mount point is specified in -mount the next argument will be interpreted as a secret path. However, it doesn't work for me when the kv mount path is /teams/test/secret instead of default /secret.
My expectation was that the following commands would work out of the box but they didn't:
After some time playing with mount points, ACLs, and whatnot I tried the following command:
And I realized that Vault CLI seems to be generating an incorrect URL https://<redacted>/v1/secret/data/my-secret instead of https://<redacted>/v1/teams/test/secret/data/my-secret
but works fine if the secret path is absolute.
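The path mismatch reported in this thread, as an added Go sketch that is not part of the original issue and is not Vault's own code: `kvV2DataPath` builds the expected KV v2 path for a nested mount, `lastSegmentPath` is a hypothetical model of the observed symptom, and `affected` tells you which of your mount paths would resolve differently on an unpatched CLI. All three function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// kvV2DataPath builds the KV v2 API path the thread expects:
// <full mount>/data/<secret>, keeping every segment of a nested mount.
// Leading and trailing slashes are tolerated, as in -path=/teams/test/secret.
func kvV2DataPath(mount, secret string) string {
	m := strings.Trim(mount, "/")
	s := strings.Trim(secret, "/")
	return path.Join(m, "data", s)
}

// lastSegmentPath models the reported symptom only (hypothetical, not the
// CLI's real logic): just the final segment of the mount survives.
func lastSegmentPath(mount, secret string) string {
	last := path.Base(strings.Trim(mount, "/"))
	return kvV2DataPath(last, secret)
}

// affected reports whether a mount would be resolved to a different API
// path under the symptom, i.e. whether the request could land on another
// mount and be evaluated against another ACL path.
func affected(mount string) bool {
	return kvV2DataPath(mount, "x") != lastSegmentPath(mount, "x")
}

func main() {
	// Constructed sample mounts taken from the values quoted in the thread.
	for _, m := range []string{"kv", "/teams/test/secret/", "first/second/last"} {
		fmt.Printf("mount=%-22q expected=/v1/%-34s symptom=/v1/%-24s affected=%v\n",
			m, kvV2DataPath(m, "my-secret"), lastSegmentPath(m, "my-secret"), affected(m))
	}
}
```
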