Parameter 'mount_point' does not work with JWT auth #29

Closed
erikgb opened this issue Dec 16, 2020 · 1 comment · Fixed by #31
Labels: bug (Something isn't working)

erikgb (Contributor) commented Dec 16, 2020

SUMMARY

The parameter mount_point does not work with JWT auth. It seems like the parameter must be renamed/aliased to path before invoking hvac.jwt_login(). Ref. hvac.jwt_login() documentation. I think this can be fixed quite easily with the same approach as used for aliasing the Vault role parameter:

params['role'] = params.pop('role_id')

But adding tests for this seems like a considerable job...

ISSUE TYPE
  • Bug Report
COMPONENT NAME

lookup/hashi_vault.py

ANSIBLE VERSION
ansible 2.10.4
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.9.1 (default, Dec 12 2020, 13:15:12) [GCC 8.3.0]
CONFIGURATION
ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
DEFAULT_LOAD_CALLBACK_PLUGINS(env: ANSIBLE_LOAD_CALLBACK_PLUGINS) = True
DEFAULT_STDOUT_CALLBACK(env: ANSIBLE_STDOUT_CALLBACK) = yaml
INTERPRETER_PYTHON(env: ANSIBLE_PYTHON_INTERPRETER) = /usr/local/bin/python
OS / ENVIRONMENT
cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
STEPS TO REPRODUCE
- name: Authenticate with a JWT using custom mountpoint/path
  ansible.builtin.debug:
      msg: "{{ lookup('community.general.hashi_vault', 'secret/hello:value', auth_method='jwt', role_id='myroleid', jwt='myjwt', url='https://myvault:8200', mount_point='mypath')}}"
EXPECTED RESULTS

hashi_vault should authenticate successfully to Vault using the custom mountpoint/path and debug the secret.

ACTUAL RESULTS
Error was a <class ''TypeError''>, original message: jwt_login() got an unexpected keyword argument ''mount_point'''
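The parameter renaming the report describes, shown as an added example that is not the collection's own lookup code: the plugin's `role_id` and `mount_point` parameters are translated into the `role` and `path` keyword names that hvac's `jwt_login()` documents. The `fake_jwt_login` stand-in is an assumption made here so the example runs offline; it mirrors the documented `jwt_login(role, jwt, use_token=True, path=None)` signature and performs no network call.

```python
"""Translate hashi_vault JWT auth parameters into hvac jwt_login kwargs.

Constructed example. `fake_jwt_login` is a stand-in (assumption) for
hvac.api.auth_methods.JWT.jwt_login with the documented signature; it
returns the mount path it was given so a test can confirm the custom
mount point actually reached the client call.
"""


def fake_jwt_login(role, jwt, use_token=True, path=None):
    """Offline stand-in for hvac's jwt_login (constructed, no Vault involved).

    `path` is the auth mount point; hvac defaults it to 'jwt' when omitted.
    """
    return {"role": role, "path": path or "jwt", "use_token": use_token}


def naive_call_error(params, login=fake_jwt_login):
    """Reproduce the reported behaviour: only `role_id` is aliased, so
    `mount_point` is forwarded unchanged and the call fails.

    Returns the exception class name, or None if the call succeeded.
    """
    kwargs = dict(params)
    kwargs["role"] = kwargs.pop("role_id")  # the aliasing the issue quotes
    try:
        login(**kwargs)
    except TypeError as exc:
        return type(exc).__name__
    return None


def jwt_login_kwargs(params):
    """Rename plugin parameters to the names hvac's jwt_login accepts.

    role_id     -> role   (already aliased today, per the issue)
    mount_point -> path   (the missing alias this issue is about)

    Only the JWT auth parameters are mapped; client-level settings such as
    `url` belong to the hvac Client, not to the login call, and are not
    forwarded here.
    """
    if not params.get("role_id") or not params.get("jwt"):
        raise ValueError("JWT auth requires both role_id and jwt")
    kwargs = {"role": params["role_id"], "jwt": params["jwt"]}
    mount_point = params.get("mount_point")
    if mount_point:
        # Custom mount: route the login to that auth backend rather than
        # the default 'jwt' mount, which would reject the token otherwise.
        kwargs["path"] = mount_point
    return kwargs


def fixed_call(params, login=fake_jwt_login):
    """Log in with the renamed keyword arguments."""
    return login(**jwt_login_kwargs(params))


if __name__ == "__main__":
    # Constructed parameters matching the issue's reproduction step.
    sample = {"role_id": "myroleid", "jwt": "myjwt", "mount_point": "mypath"}
    print("naive call raises:", naive_call_error(sample))   # TypeError
    print("fixed call uses path:", fixed_call(sample)["path"])  # mypath
```

Keeping the mapping explicit, rather than forwarding the whole parameter dict, means a parameter hvac does not know about fails at the plugin boundary with a clear message instead of surfacing as the opaque `unexpected keyword argument` error in the report.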
briantist (Collaborator) commented
Hi @erikgb welcome to the new collection!

Oof, that's unfortunate. This is another area where JWT seems to have non-standard behavior compared to other auth methods in hvac. I've opened an issue for this one too: hvac/hvac#655

I think you're right about the fix being easy.

For testing, I hope it wouldn't be too difficult, as it's just a matter of doing the same thing as now but mounting the auth method in a path that's not the default when we set it up.

I've been thinking about this recently as the IAM method was also lacking mount_path support (oversight on my end, not an HVAC issue; see #7), and there was no test for that either.

So one way to do this is to duplicate the config of every auth method, one with default mount point and one with a custom, and then run each set of auth method tests against both. It would be thorough but it would basically double testing time.

A more naive test might be to mount every auth method on a non-default path and always use the mount_point parameter in tests. I am slightly worried we would miss some edge case where this plugin doesn't work correctly with the default mount, due to oversight on our part, unexpected behavior from hvac, or other.

I'll think a little on how to implement tests for this and the general issue of mount_point issues.
Thanks for reporting!
