
[BUG] JWT method adds kubernetesTokenPath when using Kubernetes-hosted runner #244

Open
dianareider opened this issue Aug 20, 2021 · 1 comment
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@dianareider

Describe the bug
I'm using a JWT generated from Azure AD (via Service Principal) to authenticate to Vault. When using vault-action 2.3.0 on a self-hosted Ubuntu runner on Kubernetes (I believe AKS), I receive the following message: "Error: not supported argument." This appears to be caused by kubernetesTokenPath automatically being injected as a parameter, even though it's not in the code.

Log snippet:

Run hashicorp/vault-action@v2.3.0
  with:
    url: https://myvault.com
    method: jwt
    role: myrole
    jwtPrivateKey: ***
    secrets: secret/path/mysecret key
    exportToken: true
    kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
    exportEnv: true
    tlsSkipVerify: false
    jwtTtl: 3600
  env:
    AZURE_HTTP_USER_AGENT: 
    AZUREPS_HOST_ENVIRONMENT: 
::group::Get Vault Secrets
Get Vault Secrets
  ::endgroup::
Error: not supported argument

To Reproduce

# File: .github/workflows/workflow.yml

on: [push]

name: AzureLoginSample

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: azure/login@v1
      with:
        creds: '{"clientId": "${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'
    - run: |
        az account show

    - name: Azure CLI script file
      uses: azure/CLI@v1
      id: azure_auth
      with:
        azcliversion: 2.0.72
        inlineScript: |
          JWT=$(az account get-access-token --query 'accessToken' -o tsv)
          echo "::add-mask::$JWT"
          echo "::set-output name=JWT::$JWT"

    - name: Import Secrets
      uses: hashicorp/vault-action@v2.3.0
      with:
        url: https://myvault.com
        method: jwt
        role: myrole
        jwtPrivateKey: ${{ steps.azure_auth.outputs.JWT }}
        secrets: secret/mypath/mysecret mykey
        exportToken: true

Expected behavior
Kubernetes token should not be included when attempting to use JWT authentication method.

Log Output

##[debug]Starting: Set up job
Current runner version: '2.280.3'
Operating System
Virtual Environment
Virtual Environment Provisioner
GITHUB_TOKEN Permissions
##[debug]Primary repository: Cloud-3-0/vault-azure-auth
Prepare workflow directory
##[debug]Creating pipeline directory: '/home/runner/work/vault-azure-auth'
##[debug]Creating workspace directory: '/home/runner/work/vault-azure-auth/vault-azure-auth'
##[debug]Update context data
##[debug]Evaluating job-level environment variables
##[debug]Evaluating job container
##[debug]Evaluating job service containers
##[debug]Evaluating job defaults
Prepare all required actions
Getting action download info
Download action repository 'azure/login@v1' (SHA:77f1b2e3fb80c0e8645114159d17008b8a2e475a)
##[debug]Download 'https://api.github.com/repos/Azure/login/tarball/77f1b2e3fb80c0e8645114159d17008b8a2e475a' to '/home/runner/work/_actions/_temp_5c21a1e8-26b6-49b3-b7d2-57ac257f52ab/81f04949-9deb-4db9-8f61-85f5d9325dc1.tar.gz'
##[debug]Unwrap 'Azure-login-77f1b2e' to '/home/runner/work/_actions/azure/login/v1'
##[debug]Archive '/home/runner/work/_actions/_temp_5c21a1e8-26b6-49b3-b7d2-57ac257f52ab/81f04949-9deb-4db9-8f61-85f5d9325dc1.tar.gz' has been unzipped into '/home/runner/work/_actions/azure/login/v1'.
Download action repository 'azure/CLI@v1' (SHA:4b58c946a0f48d82cc2b6e31c0d15a6604859554)
##[debug]Download 'https://api.github.com/repos/Azure/cli/tarball/4b58c946a0f48d82cc2b6e31c0d15a6604859554' to '/home/runner/work/_actions/_temp_c97edde7-4df4-436b-aaf7-8c203335fbb1/6e4ef207-2f69-4e10-9797-3b81a700d055.tar.gz'
##[debug]Unwrap 'Azure-cli-4b58c94' to '/home/runner/work/_actions/azure/CLI/v1'
##[debug]Archive '/home/runner/work/_actions/_temp_c97edde7-4df4-436b-aaf7-8c203335fbb1/6e4ef207-2f69-4e10-9797-3b81a700d055.tar.gz' has been unzipped into '/home/runner/work/_actions/azure/CLI/v1'.
Download action repository 'hashicorp/vault-action@v2.3.0' (SHA:0451f06f9f705768363122da079f46746e31bfe4)
##[debug]Download 'https://api.github.com/repos/hashicorp/vault-action/tarball/0451f06f9f705768363122da079f46746e31bfe4' to '/home/runner/work/_actions/_temp_12ba28c9-739d-44d8-832b-1b5293184e42/814bbbd3-7ac4-4c2d-bf40-43c3652d5ee9.tar.gz'
##[debug]Unwrap 'hashicorp-vault-action-0451f06' to '/home/runner/work/_actions/hashicorp/vault-action/v2.3.0'
##[debug]Archive '/home/runner/work/_actions/_temp_12ba28c9-739d-44d8-832b-1b5293184e42/814bbbd3-7ac4-4c2d-bf40-43c3652d5ee9.tar.gz' has been unzipped into '/home/runner/work/_actions/hashicorp/vault-action/v2.3.0'.
##[debug]action.yml for action: '/home/runner/work/_actions/azure/login/v1/action.yml'.
##[debug]action.yml for action: '/home/runner/work/_actions/azure/CLI/v1/action.yml'.
##[debug]action.yml for action: '/home/runner/work/_actions/hashicorp/vault-action/v2.3.0/action.yml'.
##[debug]Set step '__azure_login' display name to: 'Run azure/login@v1'
##[debug]Set step '__run' display name to: 'Run az account show'
##[debug]Set step 'azure_auth' display name to: 'Azure CLI script file'
##[debug]Set step '__hashicorp_vault-action' display name to: 'Import Secrets'
##[debug]Collect running processes for tracking orphan processes.
##[debug]Finishing: Set up job
14s
##[debug]Evaluating condition for step: 'Run azure/login@v1'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run azure/login@v1
##[debug]Loading inputs
##[debug]Evaluating: format('{{"clientId": "{0}","clientSecret":"{1}","subscriptionId":"{2}","tenantId":"{3}"}}', secrets.ARM_CLIENT_ID, secrets.ARM_CLIENT_SECRET, secrets.ARM_SUBSCRIPTION_ID, secrets.ARM_TENANT_ID)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '{{"clientId": "{0}","clientSecret":"{1}","subscriptionId":"{2}","tenantId":"{3}"}}'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_CLIENT_ID'
##[debug]..=> '***'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_CLIENT_SECRET'
##[debug]..=> '***'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_SUBSCRIPTION_ID'
##[debug]..=> '***'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_TENANT_ID'
##[debug]..=> '***'
##[debug]=> '{"clientId": "***","clientSecret":"***","subscriptionId":"***","tenantId":"***"}'
##[debug]Result: '{"clientId": "***","clientSecret":"***","subscriptionId":"***","tenantId":"***"}'
##[debug]Loading env
Run azure/login@v1
##[debug]az cli version used:
##[debug]azure-cli                         2.27.1
##[debug]
##[debug]core                              2.27.1
##[debug]telemetry                          1.0.6
##[debug]
##[debug]Extensions:
##[debug]azure-devops                      0.20.0
##[debug]
##[debug]Python location '/opt/az/bin/python3'
##[debug]Extensions directory '/opt/az/azcliextensions'
##[debug]
##[debug]Python (Linux) 3.6.10 (default, Aug 11 2021, 02:41:08) 
##[debug][GCC 9.3.0]
##[debug]
##[debug]Legal docs and information: aka.ms/AzureCliLegal
##[debug]
##[debug]
##[debug]Your CLI is up-to-date.
##[debug]
::add-mask::***
##[debug]Cannot find key: $.resourceManagerEndpointUrl
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Login successful.
##[debug]Node Action run completed with exit code 0
##[debug]AZURE_HTTP_USER_AGENT='GITHUBACTIONS/AzureLogin@v1_Cloud-3-0/vault-azure-auth'
##[debug]AZUREPS_HOST_ENVIRONMENT='GITHUBACTIONS/AzureLogin@v1_Cloud-3-0/vault-azure-auth'
##[debug]AZURE_HTTP_USER_AGENT=''
##[debug]AZUREPS_HOST_ENVIRONMENT=''
##[debug]Finishing: Run azure/login@v1
0s
##[debug]Evaluating condition for step: 'Run az account show'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run az account show
##[debug]Loading inputs
##[debug]Loading env
Run az account show
##[debug]/usr/bin/bash -e /home/runner/work/_temp/fb09b562-9d1d-443f-b223-d5dfac58ec9a.sh
{
  "environmentName": "AzureCloud",
  "homeTenantId": "***",
  "id": "***",
  "isDefault": true,
  "managedByTenants": [],
  "name": "my-azure-subscription",
  "state": "Enabled",
  "tenantId": "***",
  "user": {
    "name": "***",
    "type": "servicePrincipal"
  }
}
##[debug]Finishing: Run az account show
26s
##[debug]Evaluating condition for step: 'Azure CLI script file'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Azure CLI script file
##[debug]Loading inputs
##[debug]Loading env
Run azure/CLI@v1
Starting script execution via docker image mcr.microsoft.com/azure-cli:2.0.72
::add-mask::***
::set-output name=JWT::***
##[debug]steps.azure_auth.outputs.JWT='***'

az script ran successfully.
cleaning up container...
MICROSOFT_AZURE_CLI_1629437136645_CONTAINER

##[debug]Node Action run completed with exit code 0
##[debug]Finishing: Azure CLI script file
0s
##[debug]Evaluating condition for step: 'Import Secrets'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Import Secrets
##[debug]Loading inputs
##[debug]Evaluating: steps.azure_auth.outputs.JWT
##[debug]Evaluating Index:
##[debug]..Evaluating Index:
##[debug]....Evaluating Index:
##[debug]......Evaluating steps:
##[debug]......=> Object
##[debug]......Evaluating String:
##[debug]......=> 'azure_auth'
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'outputs'
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'JWT'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run hashicorp/vault-action@v2.3.0
  with:
    url: https://myvault.com
    method: jwt
    role: myrole
    jwtPrivateKey: ***
    secrets: secret/mypath/mysecret mykey
    exportToken: true
    kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
    exportEnv: true
    tlsSkipVerify: false
    jwtTtl: 3600
  env:
    AZURE_HTTP_USER_AGENT: 
    AZUREPS_HOST_ENVIRONMENT: 
::group::Get Vault Secrets
Get Vault Secrets
  ::endgroup::
Error: not supported argument
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Import Secrets
0s
##[debug]Starting: Complete job
Cleaning up orphan processes
##[debug]Finishing: Complete job

Additional context
If there are other suggested ways of achieving the same results, I am open. My end goal will actually be to pass the vault token to TFE, but I am testing secrets retrieval while I'm at it (and see another open enhancement request for being able to get token only w/o secrets retrieval).

@dianareider dianareider added the bug Something isn't working label Aug 20, 2021
@claas-fridtjof-lisowski

We have the same issue with Azure Service Principal and JWT token authentication.
My workaround is to use plain vault cli to login and get the token/secrets.

@tvoran tvoran added the good first issue Good for newcomers label Oct 8, 2021
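The workaround mentioned in the comment above (log in to Vault outside of vault-action and use the resulting token, which also covers the issue's end goal of handing a Vault token to TFE), written out as an added shell example. This is not code from the issue or from vault-action; it talks to Vault's documented JWT login endpoint, POST /v1/auth/jwt/login, with curl instead of the vault CLI so it runs in any runner image. VAULT_ADDR, VAULT_ROLE and JWT are assumed environment variables, the function names are this example's own, and the sample token is constructed in the block (unsigned, for local inspection only). The token is masked with ::add-mask:: before it is printed, as the original workflow does for the Azure access token.

```shell
#!/bin/sh
# Added example, not code from the issue or from vault-action: log in to Vault's
# JWT auth method directly over its HTTP API and hand the resulting client token
# on (to TFE, or to a follow-up secret read).
# Assumed environment (not in the original workflow): VAULT_ADDR, VAULT_ROLE, JWT.
set -eu

# Cheap shape check before anything is sent: three dot-separated base64url
# segments. Catches passing something that is not a bearer JWT (a PEM key, an
# empty string) into the login call, which otherwise only fails server-side.
is_jwt_shaped() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$'
}

# Decode the (unverified) payload so aud/exp can be inspected locally when a
# login is rejected; Vault still verifies the signature on its side.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr -- '-_' '+/')
  pad=$(( (4 - ${#seg} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
  printf '%s' "$seg" | base64 -d
}

# Build the body for POST /v1/auth/jwt/login. Both values are validated against
# a strict character set first, so no JSON escaping is needed and the token never
# appears on a shell command line that the runner might echo into the job log.
build_login_body() {
  role="$1"; jwt="$2"
  printf '%s' "$role" | grep -Eq '^[A-Za-z0-9_.-]+$' || { echo "bad role name" >&2; return 1; }
  is_jwt_shaped "$jwt" || { echo "value passed as jwt is not a JWT" >&2; return 1; }
  printf '{"role":"%s","jwt":"%s"}' "$role" "$jwt"
}

# Perform the login and print the client token, masking it in the job log first.
vault_jwt_login() {
  body=$(build_login_body "$1" "$2") || return 1
  resp=$(curl -sS --fail -X POST -H 'Content-Type: application/json' \
           --data "$body" "${VAULT_ADDR%/}/v1/auth/jwt/login")
  token=$(printf '%s' "$resp" | sed -n 's/.*"client_token":"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || { echo "no client_token in login response" >&2; return 1; }
  echo "::add-mask::$token"
  printf '%s\n' "$token"
}

# Constructed sample token (unsigned, for local inspection only), built at run
# time so the example does not depend on a hand-encoded string.
SAMPLE_PAYLOAD='{"aud":"api://AzureADTokenExchange","exp":1700000000}'
SAMPLE_JWT="eyJhbGciOiJSUzI1NiJ9.$(printf '%s' "$SAMPLE_PAYLOAD" | base64 | tr -d '=\n' | tr -- '+/' '-_').sig"

# Usage: only talks to Vault when the assumed variables are set.
if [ -n "${VAULT_ADDR:-}" ] && [ -n "${JWT:-}" ]; then
  printf '%s\n' "$(jwt_payload "$JWT")" >&2   # aud/exp for troubleshooting; signature not checked here
  VAULT_TOKEN=$(vault_jwt_login "${VAULT_ROLE:-myrole}" "$JWT")
  export VAULT_TOKEN
  # e.g.: curl -sS -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/secret/data/mypath"
fi
```

In a workflow this replaces the `hashicorp/vault-action` step with a `run:` step; the JWT comes from the earlier `az account get-access-token` output exactly as in the reproduction above, and `VAULT_TOKEN` can then be passed to whatever consumes it. The role in Vault's JWT auth method must have `bound_audiences` matching the token's `aud`, which is why the payload decoder is kept alongside the login.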