Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Get Vault Secrets responds with 404 #389

Closed
tkowalewski opened this issue Oct 26, 2022 · 1 comment
Closed

[BUG] Get Vault Secrets responds with 404 #389

tkowalewski opened this issue Oct 26, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@tkowalewski
Copy link

Describe the bug
Get Vault Secrets responds with 404

Zrzut ekranu 2022-10-26 o 13 29 48

To Reproduce

name: Rails - Install dependencies, run rspec and linters

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  main:
    runs-on: ubuntu-latest
    services:
      db:
        image: postgres:15
        ports: ['5432:5432']
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: ""
          POSTGRES_DB: postgres
          POSTGRES_HOST_AUTH_METHOD: trust
      redis:
        image: redis:7
        ports:
          - 6379:6379
        options: --entrypoint redis-server
      vault:
        image: vault:1.12.0
        ports: ['8200:8200']
        env:
          VAULT_ADDR: "http://0.0.0.0:8200"
          VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token"
    steps:
      - name: Import Secrets
        uses: hashicorp/vault-action@v2.4.0
        with:
          url: http://localhost:8200
          token: "vault-plaintext-root-token"
          secrets: |
            secret/data/0.1.0 RAILS_SERVE_STATIC_FILES | true;
            secret/data/0.1.0 FAKE_INFLUENCE_VARIABLE | test;
            secret/data/0.1.0 RAILS_ENV | test;
            secret/data/0.1.0 DATABASE_URL | postgresql://postgres:@localhost/fake_influence_test;
            secret/data/0.1.0 REDIS_URL | localhost:6379;
            secret/data/0.1.0 SECRET_KEY_BASE | secretkeybase;
            secret/data/0.1.0 RAILS_MASTER_KEY | 4e9599e019a1f68436a1df391569daa9
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Setup Ruby and install gems
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.1.2'
          bundler-cache: true
      - name: Run rspec
        env:
          PGHOST: localhost
          PGUSER: postgres
          RAILS_ENV: test
          VAULT_ADDR: "http://localhost:8200"
          VAULT_TOKEN: "vault-plaintext-root-token"
        run: |
          bin/rails db:create db:schema:load
          bin/rake assets:precompile
          bin/rspec
      - name: Run security checks
        run: |
          bin/bundler-audit --update
          bin/brakeman -q -w2
      - name: Run linters
        run: |
          bin/rubocop --parallel

Expected behavior
Vault should only store secrets?

Log Output

Run hashicorp/vault-action@v2.4.0
  with:
    url: http://localhost:8200
    token: vault-plaintext-root-token
    secrets: secret/data/0.1.0 RAILS_SERVE_STATIC_FILES | true;
  secret/data/0.1.0 FAKE_INFLUENCE_VARIABLE | test;
  secret/data/0.1.0 RAILS_ENV | test;
  secret/data/0.1.0 DATABASE_URL | ***localhost/fake_influence_test;
  secret/data/0.1.0 REDIS_URL | localhost:6379;
  secret/data/0.1.0 SECRET_KEY_BASE | secretkeybase;
  secret/data/0.1.0 RAILS_MASTER_KEY | 4e9599e019a1f68436a1df39[15](https://github.com/paladinsoftware/fake_influence/actions/runs/3328185136/jobs/5504751275#step:3:15)69daa9
  
    method: token
    kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
    exportEnv: true
    exportToken: false
    tlsSkipVerify: false
    jwtTtl: 3600
::group::Get Vault Secrets
Get Vault Secrets
  ::endgroup::
Error: Response code 404 (Not Found)
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Import Secrets
@tkowalewski tkowalewski added the bug Something isn't working label Oct 26, 2022
@maxcoulombe
Copy link
Contributor

maxcoulombe commented Sep 12, 2023
edited
Loading

Hey @tkowalewski ! Did you have any luck fixing the issue so the github action retrieves your secrets as expected?

It's a bit hard to troubleshoot without more information but some pointers:

  • the Vault url is configured as http://localhost:8200, how did you make your setup so actions run in GitHub would have access to a Vault instance running on your own machine?
  • I see the secrets you are trying to fetch is located at secret/data/0.1.0, can you verify if querying this secret directly on your Vault instance works and paste here the response you get (without the actual sensitive values :P)?
    vault read secret/data/0.1.0
  • The value after the | is used to define an environment variable where to save the retrieved secret if you do not want to use the default naming strategy of using the secret keys, but it looks like you are trying to use it to define default values? Could you try without overriding the resulting secret names to see if it helps:
    secret/data/0.1.0 FAKE_INFLUENCE_VARIABLE etc.

All in all it seems like a configuration error more than a bug so I'll close the issue for now if that's ok. But if you still need help getting the vault-action to work and can try the suggestions above please re-open this issue and ping me!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tkowalewski @maxcoulombe