morningconsult / docker-credential-vault-login

Automatically gets docker credentials from Hashicorp Vault
Apache License 2.0

VAULT_ADDR env var may conflict with credential paths in config file #125

Open optiz0r opened 1 year ago

optiz0r commented 1 year ago

Overview of the Issue

For this credential helper to work, two important things are needed which must be in sync

It's expected that the config file would contain both of these, and that they would be consistent with each other, so all is well.

But if a docker/podman push/pull command is run in an environment with VAULT_ADDR set pointing at a different vault cluster than the one the credentials are valid for, the push/pull operation will fail, because the credentials at the hardcoded path in the config file aren't valid for the URL provided by the environment variable. (While some auto-auth login methods allow themselves to be completely configured via environment variables, not all of them do, e.g. approle, so the config file must be used.)

Having to make sure the VAULT_ADDR env var is not set in a conflicting way is confusing, and counterintuitive.

I guess the env var is probably being picked up by the vault auto auth code, rather than the credential helper code itself, so it's not necessarily a bug in this project, but it's most definitely a usability issue with this credential helper.

I wonder if anything could be done in this credential helper, like dropping the VAULT_ADDR env var when the helper is first launched, so the auto-auth code doesn't see it?

I could of course wrap docker-credential-vault-login in a helper script which drops the VAULT_ADDR environment variable, but that only solves the problem for me.

Reproduction Steps

Steps to reproduce this issue, e.g.:

  1. Configure the DCVL config file with a valid vault URL and credentials
  2. Test a container push/pull to confirm the operation is successful
  3. set VAULT_ADDR env var pointing at a different vault cluster
  4. Retest the container push/pull and note it fails

A copy of your config.json file

vault {
    address = "https://active.vault.service.consul:8200"
}
auto_auth {
    method "approle" {
        mount_path = "auth/approle"
        config = {
            vault_addr = "https://active.vault.service.consul:8200"

            secrets = {
                // blah
            }
            role_id_file_path = "/home/myuser/.docker-credential-vault-login/role_id"
            secret_id_file_path = "/home/myuser/.docker-credential-vault-login/secret_id"
            remove_secret_id_file_after_reading = false
        }
    }
    sink "file" {
        config = {
            path = "/home/myuser/.docker-credential-vault-login/cache"
        }
    }
}

Operating system and Environment details

N/A

Log Fragments

N/A
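The wrapper-script workaround mentioned in the report, as an added example that is not part of the project and not the reporter's own code: it reads the top-level `vault { address = "..." }` value from the helper's config, refuses to run when VAULT_ADDR names a different cluster (the reproduction steps above), and otherwise execs docker-credential-vault-login with VAULT_ADDR removed from its environment so the auto-auth code never sees it. The default config path in DCVL_CONFIG and the HCL layout it parses are assumptions modelled on the config posted in the issue; the sample config in the comments is constructed for illustration.

```sh
#!/bin/sh
# Added example (not project code): wrapper around docker-credential-vault-login
# that detects a VAULT_ADDR value conflicting with the `vault { address = ... }`
# block of the helper's config and, when they agree or VAULT_ADDR is unset, runs
# the helper with VAULT_ADDR dropped from its environment.
# DCVL_CONFIG's default path and the HCL layout are assumptions modelled on the
# config posted in the issue.

DCVL_CONFIG="${DCVL_CONFIG:-$HOME/.docker-credential-vault-login/config.hcl}"
DCVL_BIN="${DCVL_BIN:-docker-credential-vault-login}"

# Strip trailing slashes so https://host:8200 and https://host:8200/ compare equal.
normalize_addr() {
    printf '%s' "$1" | sed 's#/*$##'
}

# Print the first `address = "..."` assignment found in the config file.
# `vault_addr = ...` inside the approle block does not match this pattern.
config_vault_address() {
    sed -n 's/^[[:space:]]*address[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when VAULT_ADDR is unset/empty or names the same cluster as the config,
# 1 when it points somewhere else (the case that makes push/pull fail).
vault_addr_consistent() {
    cfg_addr=$(normalize_addr "$(config_vault_address "$1")")
    env_addr=$(normalize_addr "${VAULT_ADDR:-}")
    [ -z "$env_addr" ] && return 0
    [ "$env_addr" = "$cfg_addr" ]
}

# Run the real helper with docker's action argument ("get", "store", "erase")
# and stdin passed through, but with VAULT_ADDR removed from the environment.
run_helper() {
    if ! vault_addr_consistent "$DCVL_CONFIG"; then
        printf 'VAULT_ADDR=%s conflicts with address %s in %s\n' \
            "${VAULT_ADDR:-}" "$(config_vault_address "$DCVL_CONFIG")" "$DCVL_CONFIG" >&2
        return 1
    fi
    (unset VAULT_ADDR; exec "$DCVL_BIN" "$@")
}

# Docker always calls a credential helper with an action argument; when invoked
# without one (e.g. sourced for testing) the wrapper only defines its functions.
if [ "$#" -gt 0 ]; then
    run_helper "$@"
fi
```

Install it as `docker-credential-vault-login-wrapper` on PATH and point `credsStore` at `vault-login-wrapper`; a conflicting VAULT_ADDR then fails fast with a clear message instead of an opaque push/pull error.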