Updating Token Roles Fields have surprising behaviour #6296

Closed
lawliet89 opened this issue Feb 27, 2019 · 3 comments
@lawliet89
Contributor

lawliet89 commented Feb 27, 2019

When updating a token role, I notice a couple of behaviours that are surprising to me. I noticed this while trying to update the relevant resource in the Vault Terraform provider.

Consider an existing Token Role with the following JSON returned from Vault:

{
    "request_id": "d2640082-8cab-aaf3-0e65-78941e6f03b9",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "allowed_policies": [
            "dev",
            "test"
        ],
        "bound_cidrs": [
            "0.0.0.0/0"
        ],
        "disallowed_policies": [
            "default"
        ],
        "explicit_max_ttl": 115200,
        "name": "test-role-updated-7797248494769930569",
        "orphan": true,
        "path_suffix": "parth-suffix",
        "period": 86400,
        "renewable": false,
        "token_type": "default-batch"
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

When I submit the following Request:

---[ REQUEST ]---------------------------------------
PUT /v1/auth/token/roles/test-role-updated-7797248494769930569 HTTP/1.1
Host: 127.0.0.1:8200
User-Agent: Go-http-client/1.1
Content-Length: 181
X-Vault-Token: s.TOKEN-REDACTED
Accept-Encoding: gzip
{
    "allowed_policies": [],
    "bound_cidrs": [],
    "disallowed_policies": [],
    "explicit_max_ttl": "0",
    "orphan": false,
    "path_suffix": "",
    "period": "0",
    "renewable": true,
    "token_type": "default-service"
}

Vault returns the following response when we read the token role:

{
    "request_id": "e01abe9b-a4d4-2075-a6fd-ac0c55bd5403",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "allowed_policies": [],
        "bound_cidrs": [
            "0.0.0.0/0"
        ],
        "disallowed_policies": [],
        "explicit_max_ttl": 0,
        "name": "test-role-updated-7797248494769930569",
        "orphan": false,
        "path_suffix": "parth-suffix",
        "period": 0,
        "renewable": true,
        "token_type": "default-service"
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

Of note:

  • path_suffix and bound_cidrs are not "unset" to an empty string and empty list respectively.
  • If I missed out any of the fields (say allowed_policies) during the update, the corresponding field is not reset to the default value in Vault (in this case []). I'm not sure if this is an expected behaviour or if this is a bug.

Expected behavior

  • path_suffix and bound_cidrs to be set correctly when updating
  • Missing fields during update should be reset to default values

Environment:

  • Vault Server Version (retrieve with vault status): Vault v1.0.3 ('85909e3373aa743c34a6a0ab59131f61fd9e8e43')

  • Vault CLI Version (retrieve with vault version): N/A

  • Server Operating System/Architecture: Linux AMD64

@jefferai
Member

Documentation bug: we should document that this endpoint distinguishes between create and update.

@lawliet89
Contributor Author

So I am guessing when updating, only fields provided are updated, while the fields that aren't provided are kept as-is.

But, what about path_suffix and bound_cidrs?

@jefferai
Member

Seems like a bug.

@jefferai jefferai added this to the next-release milestone Feb 28, 2019
lawliet89 added a commit to lawliet89/terraform-provider-vault that referenced this issue Mar 1, 2019
@pbernal pbernal removed this from the next-release milestone May 15, 2020
dandandy pushed a commit to dandandy/terraform-provider-vault that referenced this issue Jun 17, 2021
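
A read-after-write check for the behaviour reported in this thread, as an added example that is not part of the issue, of Vault, or of the Terraform provider: it compares a submitted token role update with the role read back afterwards, using the request and response bodies quoted in the issue. The function names, the numeric-string normalization and the treatment of `name` as server-populated are assumptions of this example.

```python
import json

# Request body and read-back "data" object, copied from the issue above.
SUBMITTED = json.loads("""{
    "allowed_policies": [], "bound_cidrs": [], "disallowed_policies": [],
    "explicit_max_ttl": "0", "orphan": false, "path_suffix": "",
    "period": "0", "renewable": true, "token_type": "default-service"
}""")
READ_BACK = json.loads("""{
    "allowed_policies": [], "bound_cidrs": ["0.0.0.0/0"],
    "disallowed_policies": [], "explicit_max_ttl": 0,
    "name": "test-role-updated-7797248494769930569", "orphan": false,
    "path_suffix": "parth-suffix", "period": 0, "renewable": true,
    "token_type": "default-service"
}""")


def normalize(value):
    """Make request and response encodings comparable (assumed rules)."""
    if isinstance(value, str) and value.isdigit():
        return int(value)      # "0" in the request is read back as 0
    if isinstance(value, list):
        return sorted(value)   # treat list order as insignificant
    return value


def unapplied_fields(submitted, read_back):
    """Return {field: (wanted, got)} for every submitted field whose
    read-back value differs, i.e. the update did not take effect."""
    drift = {}
    for field, wanted in submitted.items():
        got = read_back.get(field)
        if normalize(wanted) != normalize(got):
            drift[field] = (wanted, got)
    return drift


def omitted_fields(submitted, read_back, server_set=("name",)):
    """Role fields absent from the update; per the thread, an update
    keeps these at their previous values instead of resetting them."""
    return sorted(f for f in read_back
                  if f not in submitted and f not in server_set)


if __name__ == "__main__":
    for field, (wanted, got) in unapplied_fields(SUBMITTED, READ_BACK).items():
        print(f"{field}: submitted {wanted!r}, role still has {got!r}")
    print("omitted from update:", omitted_fields(SUBMITTED, READ_BACK))
```

Run against the payloads from the issue, the check flags exactly the two fields the reporter called out, `bound_cidrs` and `path_suffix`.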