The parameter mount_point does not work with JWT auth. It seems like the parameter must be renamed/aliased to path before invoking hvac.jwt_login(). Ref. hvac.jwt_login() documentation. I think this can be fixed quite easily with the same approach as used for aliasing the Vault role parameter:
Oof that's unfortunate. This is another area where JWT seems to have non-standard behavior compared to other auth methods in hvac. I've opened an issue for this one too: hvac/hvac#655
I think you're right about the fix being easy.
For testing, I hope it wouldn't be too difficult, as it's just a matter of doing the same thing as now but mounting the auth method in a path that's not the default when we set it up.
I've been thinking about this recently as the IAM method was also lacking mount_path support (oversight on my end, not an HVAC issue; see #7), and there was no test for that either.
So one way to do this is to duplicate the config of every auth method, one with default mount point and one with a custom, and then run each set of auth method tests against both. It would be thorough but it would basically double testing time.
A more naive test might be to mount every auth method on a non-default path and always use the mount_point parameter in tests. I am slightly worried we would miss some edge case where this plugin doesn't work correctly with the default mount, due to oversight on our part, unexpected behavior from hvac, or other.
I'll think a little on how to implement tests for this and the general issue of mount_point issues.
Thanks for reporting!
SUMMARY
The parameter mount_point does not work with JWT auth. It seems like the parameter must be renamed/aliased to path before invoking hvac.jwt_login(). Ref. hvac.jwt_login() documentation. I think this can be fixed quite easily with the same approach as used for aliasing the Vault role parameter:
community.hashi_vault/plugins/lookup/hashi_vault.py
Line 472 in a4374fd
But adding tests for this seems like a considerable job....
ISSUE TYPE
COMPONENT NAME
lookup/hashi_vault.py
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
hashi_vault should authenticate successfully to Vault using the custom mountpoint/path and debug the secret.
ACTUAL RESULTS
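The aliasing proposed in this issue, checked against both a default and a custom mount as discussed in the comment, as an added example that is not the collection's or hvac's own code. `build_login_kwargs`, `MOUNT_ARG_ALIASES` and `FakeJWTClient` are hypothetical names, and the fake client's `jwt_login(role, jwt, use_token, path)` signature is an assumption taken from the issue text.

```python
# Added example: FakeJWTClient is a constructed stand-in, not hvac itself.
DEFAULT_JWT_PATH = "jwt"  # assumption: default mount used when no path is given

# Auth methods whose login call names the mount argument differently.
MOUNT_ARG_ALIASES = {"jwt": "path"}


def build_login_kwargs(auth_method, params):
    """Return kwargs for the login call, renaming mount_point where needed."""
    kwargs = dict(params)  # never mutate the caller's options
    alias = MOUNT_ARG_ALIASES.get(auth_method)
    if alias and "mount_point" in kwargs:
        mount = kwargs.pop("mount_point")
        if mount is not None:  # unset option: let the client use its default
            kwargs[alias] = mount
    return kwargs


class FakeJWTClient:
    """Records the mount a login was sent to; its signature accepts `path` only."""

    def __init__(self):
        self.login_url = None

    def jwt_login(self, role, jwt, use_token=True, path=None):
        mount = (path or DEFAULT_JWT_PATH).strip("/")
        self.login_url = "/v1/auth/%s/login" % mount
        return {"auth": {"client_token": "constructed-token"}}


def login_url_for(params, aliased=True):
    """Log in against the fake client and return the URL it would hit."""
    client = FakeJWTClient()
    kwargs = build_login_kwargs("jwt", params) if aliased else dict(params)
    client.jwt_login(**kwargs)
    return client.login_url
```

Calling `login_url_for(..., aliased=False)` with a `mount_point` key raises `TypeError` on this stand-in, which is the mismatch the aliasing removes.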