Vault.logical.write fails when writing to a path that doesn't support reads #11

Closed
olly opened this issue Jul 11, 2015 · 3 comments

olly commented Jul 11, 2015

I was trying to programmatically set up the postgresql secret backend:

Vault.sys.mount('postgresql', 'postgresql')
Vault.logical.write('postgresql/config/connection', value: 'postgresql://localhost/vault_database_connection_test?sslmode=disable')

This raises a Vault::HTTPError:

/usr/local/var/rbenv/versions/2.2.0/lib/ruby/gems/2.2.0/gems/vault-0.1.3/lib/vault/client.rb:278:in `error': The Vault server at `http://127.0.0.1:8200' responded with a 500. (Vault::HTTPError)
Any additional information the server supplied is shown below:

  * unsupported operation

Please refer to the documentation for help.
    from /usr/local/var/rbenv/versions/2.2.0/lib/ruby/gems/2.2.0/gems/vault-0.1.3/lib/vault/client.rb:183:in `block in request'
    from /usr/local/var/rbenv/versions/2.2.0/lib/ruby/2.2.0/net/http.rb:853:in `start'
    from /usr/local/var/rbenv/versions/2.2.0/lib/ruby/gems/2.2.0/gems/vault-0.1.3/lib/vault/client.rb:173:in `request'
    from /usr/local/var/rbenv/versions/2.2.0/lib/ruby/gems/2.2.0/gems/vault-0.1.3/lib/vault/client.rb:59:in `get'
    from /usr/local/var/rbenv/versions/2.2.0/lib/ruby/gems/2.2.0/gems/vault-0.1.3/lib/vault/api/logical.rb:27:in `read'
    from /usr/local/var/rbenv/versions/2.2.0/lib/ruby/gems/2.2.0/gems/vault-0.1.3/lib/vault/api/logical.rb:48:in `write'
    from test.rb:4:in `<main>'

This is caused in logical.rb as it attempts to read from the path after it writes.

I would expect the above to work, but it's possible to work around it with the following:

 client.put('/v1/postgresql/config/connection', JSON.fast_generate(value: 'postgresql://olly@localhost:5432/vault_database_connection_test?sslmode=disable'))

sethvargo added the bug label Jul 11, 2015

@sethvargo
Contributor

Hi @olly

I believe this might have been fixed in #7. Could you please give it a shot? Thanks!


olly commented Jul 14, 2015

I just tested it against master, and #7 hasn't fixed it (it looks like that PR was released in 0.1.13, which IIRC was the version I was using).

The issue is that "postgresql/config/connection" doesn't have a corresponding "read" endpoint. As I see it, the only sensible thing to do is to return nil in this case. The question then is: do we want to try and read a value and return nil if it fails, or not attempt to read at all?

I'd favour the latter, I think. Unless I'm missing something, if you've just written the secret, you shouldn't need to read it again immediately.

@jstremick

Ran into this while configuring AWS secret backends on 0.1.3. I agree with @olly that not attempting to read makes more sense.

sethvargo added a commit that referenced this issue Aug 15, 2015
Previously the client would automatically attempt to read a secret if no JSON
was returned. This causes problems for paths that are "write-only", like
config endpoints.

Much like the Vault client, the endpoint will just return "success" if the
write succeeds.

Fixes GH-11
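
The two write behaviours discussed in this thread, side by side, as an added example that is not the vault gem's code or any participant's. `FakeVault`, `write_then_read`, `write_only` and `attempt` are hypothetical names, and the stub's responses are constructed to mirror the error reported above.

```ruby
# Added illustration; FakeVault and both write_* helpers are hypothetical
# stand-ins, not the vault gem's code.
class HTTPError < StandardError; end

# Constructed stub: models a backend whose config path accepts PUT but has
# no read handler, as the issue reports for postgresql/config/connection.
class FakeVault
  WRITE_ONLY = ["postgresql/config/connection"].freeze
  attr_reader :requests

  def initialize
    @store = {}
    @requests = []
  end

  def put(path, data)
    @requests << [:put, path]
    @store[path] = data
    nil # empty body (no JSON) on a successful write
  end

  def get(path)
    @requests << [:get, path]
    raise HTTPError, "500: unsupported operation" if WRITE_ONLY.include?(path)
    @store[path]
  end
end

# Behaviour reported in the issue: read back when the write returns no JSON.
def write_then_read(client, path, data)
  json = client.put(path, data)
  json.nil? ? client.get(path) : json
end

# Behaviour described by the fix commit: a successful write reports success.
def write_only(client, path, data)
  json = client.put(path, data)
  json.nil? ? true : json
end

# Returns [result_or_error_message, request_methods_sent] for one strategy.
def attempt(strategy, path, data)
  client = FakeVault.new
  result = begin
    send(strategy, client, path, data)
  rescue HTTPError => e
    e.message
  end
  [result, client.requests.map(&:first)]
end
```

With the read-back strategy the PUT has already completed by the time the GET fails, so the caller sees an error for a write that was accepted, and automation that retries or aborts on that error acts on a false failure.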