`vault login` calls the token helper with `get` and expects that to succeed #23194
Comments
Thank you for reporting this issue! So, the concern with
Yes, this is true. But the current behavior of I’m not well versed in Go but I’ll see if I can fix this. #22257 is bugging me as well, maybe I can tackle both.
`vault login` used to call the token helper in `get` mode, because it constructs an HTTP client, and the client automatically loads the token. For almost everything that is the right thing to do, but for login, that is the thing that is supposed to retrieve the token, and login itself does not require the token. In fact, `vault login` would erase the token on the client later on. Calling the token helper in `get` mode is a problem, because if the token helper fails, that blocks the login. But the token helper might fail because it doesn't have a token yet. This fixes hashicorp/vault#23194.

Signed-off-by: Ruud van Asseldonk <ruud@chorus.one>
Describe the bug
When I run `vault login`, and a token helper is configured, Vault will call the token helper with `get`. This `get` might fail, the token helper might not have a token. The reason for running `vault login` in the first place, is to obtain a token and store it using the token helper. But even if the token helper has no token yet, Vault forces it to exit with exit code 0. If it exits with a nonzero exit code, then `vault login` fails, and we never get to the `store` step.

We can of course make the token helper exit with exit code 0, but then if you run e.g. `vault kv get`, and the token helper has no token, then the token helper no longer has the ability to make the `kv get` fail. Instead the `kv get` will fail with a misleading “permission denied” error. Permission is denied, because no `X-Vault-Token` was included in the request. Vault did not include a token, because the token helper did not return one but signalled success either way.

To Reproduce
Steps to reproduce the behavior:
1. `~/.vault` by putting e.g. `token_helper = "/tmp/token_helper.sh"` there.
2. `vault login`.
3. `get`.
4. `get` prevented `vault login` from doing any login.

Expected behavior
I would expect `vault login` to not call the token helper with `get`. It should only call the token helper with `store`.

Once `vault login` does not call the token helper with `get`, it becomes possible to return 1 when a get lookup fails (because the token does not exist), and that enables the token helper to print a helpful error message in that case, instead of leaving the user with a misleading permission denied error.

Environment:
- (`vault status`): irrelevant, we don’t even get to the point where `vault` talks to a server
- (`vault version`): Vault v1.14.3 (cgo)
- Vault server configuration file(s): irrelevant
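The token helper contract the issue relies on (Vault runs the helper with a single argument, `get`, `store` or `erase`; `store` receives the token on stdin, `get` must print it to stdout), as an added example that is not part of the issue, the linked fix, or Vault's own code. It is a minimal POSIX shell helper whose `get` exits nonzero with a readable message when no token is stored, which is the behaviour the reporter wants to be able to rely on once `vault login` stops calling `get`. The storage path, the `TOKEN_HELPER_FILE` override, the `helper_*` function names and the file permissions are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the issue or from Vault itself: a minimal Vault token
# helper. Vault invokes it with exactly one argument: get, store or erase.
#   store: the token arrives on stdin and must be persisted
#   get:   the stored token must be written to stdout
#   erase: the stored token must be removed
# The storage path is an assumption; TOKEN_HELPER_FILE overrides it (used by tests).
TOKEN_FILE="${TOKEN_HELPER_FILE:-$HOME/.vault-helper-token}"

# get: fail loudly instead of printing nothing and exiting 0, so a CLI command
# run without a token gets a clear message rather than "permission denied".
helper_get() {
  if [ ! -s "$TOKEN_FILE" ]; then
    echo "token helper: no token stored in $TOKEN_FILE, run 'vault login' first" >&2
    return 1
  fi
  cat "$TOKEN_FILE"
}

# store: read the token from stdin into a file only the current user can read
# (umask in a subshell so it does not leak into the caller's environment).
helper_store() {
  ( umask 077 && cat > "$TOKEN_FILE" )
}

# erase: remove the stored token; succeeds even when nothing is stored.
helper_erase() {
  rm -f "$TOKEN_FILE"
}

# Dispatch on the single operation argument when run as a script.
case "${1:-}" in
  get)   helper_get ;;
  store) helper_store ;;
  erase) helper_erase ;;
  "")    ;;  # no argument (e.g. sourced for testing): only define the functions
  *)     echo "token helper: unknown operation '$1'" >&2; exit 1 ;;
esac
```

Save it under the path named in `~/.vault` (the issue uses `token_helper = "/tmp/token_helper.sh"`) and make it executable. With a Vault CLI that still calls `get` during login, this helper makes `vault login` fail before any login happens, which reproduces the bug; once login only calls `store`, the nonzero `get` turns the misleading “permission denied” from a command such as `vault kv get` into the helper's own message on stderr.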