Since version 4.5.5 included, policies list is not applied to AppRole

Open ericcitaire opened this issue 4 years ago • 3 comments

After updating ansible-modules-hashivault, I struggled with a missing policy on an AppRole:

    - hashivault_approle_role:
        name: foo-app
        policies:
        - foo-policy

After playing this, foo-policy is not assigned to foo-app AppRole.

After some digging, I found out that hashivault_approle_role works fine in version 4.5.4 and stops working properly in version 4.5.5.

It seems that #280 might be involved. I didn't have the time to investigate further.

ericcitaire avatar Jan 13 '21 14:01 ericcitaire

There was a change to underlying software either hvac or Hashicorp Vault itself where token_policies is now the argument. The policies argument was left in for backward compatibility, it should be deprecated now.

TerryHowe avatar Jan 13 '21 15:01 TerryHowe

> There was a change to underlying software either hvac or Hashicorp Vault itself where token_policies is now the argument. The policies argument was left in for backward compatibility, it should be deprecated now.

Thank you for your answer.

Can you point me to a CHANGELOG referring to this change please?

I didn't change hvac version (0.10.0) or Hashicorp Vault version (1.3.4). Does it mean that ansible-modules-hashivault is incompatible with versions of hvac or Vault prior to this change? ansible-modules-hashivault requires hvac >= 0.9.5, is this still true or does it require a more recent version?

IMHO, if this argument is left for backward compatibility, it should still work as expected and display a warning.

ericcitaire avatar Jan 13 '21 15:01 ericcitaire

I found it: https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#120-july-30th-2019

> AppRole uses new, common token fields for values that overlap with other auth backends. period and policies will continue to work, with priority being given to the token_ prefixed versions of those parameters. They will also be returned when doing a read on the role if they were used to provide values initially.

The problem is that token_ prefixed fields have default values (for example, token_policies takes an empty list as a default value). And it takes precedence over old fields. Hence, if the new fields are not supplied, the old ones are basically ignored.

ericcitaire avatar Jan 13 '21 16:01 ericcitaire
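The precedence problem described in the thread, as an added example that is not part of the issue and not code from ansible-modules-hashivault, hvac or Vault. It models the behaviour the reporter describes (the `token_` prefixed field wins and defaults to an empty list, so a legacy `policies` list is silently dropped), shows the backward-compatible mapping the reporter asks for (copy `policies` into an unset or empty `token_policies` and warn), and adds a read-back check so a role that lost its policies is detected rather than left with fewer restrictions than the playbook intended. The `LEGACY_TO_TOKEN_FIELD` table and all function names are assumptions; no Vault server is contacted and role reads are plain dicts.

```python
"""Model of the AppRole policies / token_policies precedence issue.

Added example only: it is not the module's or hvac's code. The first function
reproduces the behaviour reported in the issue; it is a model of that report,
not of Vault's source.
"""
import warnings
from typing import Dict, List, Sequence

# Legacy AppRole parameter -> token_-prefixed replacement. The Vault 1.2
# changelog quoted in the thread names policies and period; treating exactly
# these two as the pairs a module should map is an assumption of this example.
LEGACY_TO_TOKEN_FIELD = {
    "policies": "token_policies",
    "period": "token_period",
}


def effective_policies_as_reported(role_args: Dict) -> List[str]:
    """Policies a role ends up with under the behaviour reported in the issue.

    token_policies wins whenever it is present, so a caller that always sends
    it (defaulting to []) discards the legacy policies list even though the
    changelog says policies "will continue to work".
    """
    if "token_policies" in role_args:
        return list(role_args["token_policies"])
    return list(role_args.get("policies", []))


def normalize_role_params(params: Dict) -> Dict:
    """Map legacy fields onto their token_ equivalents before calling Vault.

    A legacy value is only copied when the token_ field is unset or empty, so
    an explicit token_policies keeps the precedence Vault documents. The
    legacy key is dropped from the request and a DeprecationWarning is
    emitted, which is the "still works, but warns" behaviour asked for above.
    """
    out = {k: v for k, v in params.items() if v is not None}
    for legacy, new in LEGACY_TO_TOKEN_FIELD.items():
        if legacy not in out:
            continue
        if not out.get(new):
            out[new] = out[legacy]
        warnings.warn(
            f"'{legacy}' is deprecated for hashivault_approle_role; use '{new}'",
            DeprecationWarning,
            stacklevel=2,
        )
        del out[legacy]
    return out


def missing_policies(desired: Sequence[str], role_read: Dict) -> List[str]:
    """Read-back check: desired policies the stored role does not carry.

    Accepts either field name, since roles written with the legacy parameter
    report 'policies' and newer ones report 'token_policies'. A non-empty
    result means the AppRole's tokens will carry fewer policies than intended.
    """
    stored = set(role_read.get("token_policies") or role_read.get("policies") or [])
    return sorted(set(desired) - stored)


if __name__ == "__main__":
    # Constructed scenario from the issue: playbook passes only `policies`,
    # while the module sends token_policies with its empty default.
    module_params = {"name": "foo-app", "policies": ["foo-policy"], "token_policies": []}

    print("as reported:", effective_policies_as_reported(module_params))   # []
    fixed = normalize_role_params(module_params)
    print("after mapping:", effective_policies_as_reported(fixed))         # ['foo-policy']

    # Constructed read of the role as Vault would have stored it under the bug.
    broken_role_read = {"token_policies": [], "token_ttl": 0}
    print("missing:", missing_policies(["foo-policy"], broken_role_read))  # ['foo-policy']
```

The read-back check is the part worth keeping in a playbook regardless of module version: after `hashivault_approle_role`, read the role and fail the play if `missing_policies` is non-empty, because an AppRole that lost `foo-policy` keeps issuing tokens that are simply less restricted than the task intended.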

Reopen if this is still an issue

TerryHowe avatar Mar 11 '23 13:03 TerryHowe