community.hashi_vault

`vault_token_create` using `wrap_ttl` and `role_name` returns a token that is not wrapped

Open blmhemu opened this issue 2 years ago • 2 comments

SUMMARY

The template `{{ lookup('community.hashi_vault.vault_token_create', url='https://100.72.58.16:8200/', wrap_ttl='1m', role_name='cluster-pki') }}` does NOT create a wrapped token - just creates a normal token.

The equivalent CLI command works fine with the same token (as above) `vault token create -wrap-ttl=1m -role=cluster-pki` and creates a wrapped token.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

community.hashi_vault.vault_token_create

ANSIBLE VERSION
ansible [core 2.14.3]
COLLECTION VERSION
4.1.0
OS / ENVIRONMENT

MacOS

STEPS TO REPRODUCE
```
{{ lookup('community.hashi_vault.vault_token_create', url='https://100.72.58.16:8200/', wrap_ttl='1m', role_name='cluster-pki' ) }}
```
EXPECTED RESULTS

It creates a wrapped token.

ACTUAL RESULTS

It creates a normal token (not wrapped).

blmhemu avatar Mar 26 '23 08:03 blmhemu

Hi @blmhemu thanks for reporting this! It looks like this is a bug in the hvac library instead, and I've opened an issue for it here:

  • https://github.com/hvac/hvac/issues/965

briantist avatar Mar 26 '23 16:03 briantist

@blmhemu I have a PR up in hvac that should fix this:

  • https://github.com/hvac/hvac/pull/966

In the meantime if you want to see if that fixes it with ansible as well, you can try installing hvac from my branch:

```
pip install https://github.com/briantist/hvac/archive/auth.token.create/wrapped-role-based.tar.gz
```

This should work with no changes to Ansible/this collection.

briantist avatar Mar 26 '23 19:03 briantist
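
Added example, not part of the original thread and not code from community.hashi_vault or hvac: a fail-closed check that a token-create response really is response-wrapped before the value is handed to anything else. The function name `require_wrapped`, the path `auth/token/create/cluster-pki` (Vault's role-based create endpoint with the role name from this issue) and both sample responses are assumptions constructed for illustration.

```python
class NotWrappedError(ValueError):
    """Raised when a response that was expected to be wrapped is not."""


def require_wrapped(response, expected_path, max_ttl):
    """Return the wrapping token from a parsed Vault response, or raise."""
    auth = response.get("auth") or {}
    if auth.get("client_token"):
        # A plain token came back, so the wrap TTL was not honoured.
        raise NotWrappedError("auth.client_token present: token is not wrapped")

    wrap = response.get("wrap_info") or {}
    token = wrap.get("token")
    if not token:
        raise NotWrappedError("wrap_info.token missing")
    # creation_path records which endpoint produced the wrapped response.
    if wrap.get("creation_path") != expected_path:
        raise NotWrappedError("unexpected creation_path %r" % wrap.get("creation_path"))
    ttl = wrap.get("ttl")
    if not isinstance(ttl, int) or not 0 < ttl <= max_ttl:
        raise NotWrappedError("wrapping TTL %r outside 1..%d seconds" % (ttl, max_ttl))
    return token


# Constructed sample responses; token values are placeholders.
ROLE_PATH = "auth/token/create/cluster-pki"  # assumed path for the role on this page
WRAPPED = {
    "auth": None,
    "wrap_info": {
        "token": "hvs.EXAMPLE-WRAPPING-TOKEN",
        "accessor": "EXAMPLE-ACCESSOR",
        "ttl": 60,
        "creation_path": ROLE_PATH,
    },
}
UNWRAPPED = {
    "auth": {"client_token": "hvs.EXAMPLE-PLAIN-TOKEN", "policies": ["default"]},
    "wrap_info": None,
}

if __name__ == "__main__":
    print(require_wrapped(WRAPPED, ROLE_PATH, 60))
    try:
        require_wrapped(UNWRAPPED, ROLE_PATH, 60)
    except NotWrappedError as exc:
        print("rejected:", exc)
```

Running the same check on the lookup result in a playbook turns the silent downgrade reported here into a hard failure instead of a plain token being passed along.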