terraform-provider-vault
[Bug]: Error 404: Unsupported Path for IdentityOidcRole API Request when using email as name
Terraform Core Version
1.5.7
Terraform Vault Provider Version
4.2.0
Vault Server Version
1.16.1
Affected Resource(s)
- vault_identity_oidc_role
Expected Behavior
An identity_oidc_role would be created
Actual Behavior
Terraform fails to create a role with an e-mail as a name.
Relevant Error/Panic Output Snippet
```text
│ Error: error writing IdentityOidcRole identity/oidc/role/[email protected]: Error making API request.
│
│ URL: PUT http://localhost:8200/v1/identity/oidc/role/[email protected]
│ Code: 404. Errors:
│
│ * 1 error occurred:
│ * unsupported path
```
### Terraform Configuration Files
```hcl
resource "vault_identity_oidc_key" "this" {
name = "xxx-oidc-key"
algorithm = "RS256"
}
resource "vault_identity_oidc_role" "this" {
name = "[email protected]"
key = vault_identity_oidc_key.this.name
}
```
Steps to Reproduce
- terraform apply
Debug Output
No response
Panic Output
No response
Important Factoids
My groups get fetched by GCP + Google Workspace, which has the email as an identifier.
It seems like the role name is directly mapped 1:1, which causes this: https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_identity_oidc_role.go#L81
However, it works with the CLI:
```shell
vault write identity/group name="[email protected]" type="external" \
  policies="role-admin" \
  metadata=responsibility="Admin Group"
```
This would be represented as:
```shell
$ vault write -output-curl-string identity/group name="[email protected]" type="external" \
  policies="role-admin" \
  metadata=responsibility="Admin Group"
# Respective CURL
$ curl -X PUT -H "X-Vault-Request: true" \
  -H "X-Vault-Token: $(vault print token)" \
  -d '{"metadata":"responsibility=Admin Group","name":"[email protected]","policies":"role-admin","type":"external"}' \
  http://localhost:8200/v1/identity/group
```
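Added example (Go, not the provider's own code) of the check a practitioner would want at the 1:1 name-to-path mapping described above: validate the role name before it becomes a request path segment, and derive a path-safe name from an e-mail identifier. Assumed: that Vault matches generic path names against `\w(([\w-.]+)?\w)?`; the e-mail addresses used are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// API path prefix shown in the issue's error ("identity/oidc/role/<name>").
const identityOIDCRolePath = "identity/oidc/role"

// Assumption for this example: Vault's request framework matches generic
// path names against \w(([\w-.]+)?\w)? (letters, digits, '_', '-', '.').
// An '@' can never match, so the server answers "unsupported path" (404).
var vaultNameRe = regexp.MustCompile(`^\w(([\w\-.]+)?\w)?$`)

// Characters the pattern above does not admit anywhere in a name.
var unsafeRe = regexp.MustCompile(`[^\w.\-]+`)

// IdentityOIDCRolePath maps name -> path 1:1, as the provider does, but
// rejects names that cannot form a valid path segment so the caller gets
// an actionable error before the request instead of a 404 from the server.
func IdentityOIDCRolePath(name string) (string, error) {
	if !vaultNameRe.MatchString(name) {
		return "", fmt.Errorf("invalid identity OIDC role name %q: must match %s", name, vaultNameRe)
	}
	return identityOIDCRolePath + "/" + name, nil
}

// SafeRoleName derives a pattern-conformant name from an e-mail style
// identifier (e.g. a group synced from Google Workspace) by replacing
// disallowed runs with '-' and trimming punctuation from both ends.
// The e-mail itself can still be carried in the role's template claims.
func SafeRoleName(email string) string {
	return strings.Trim(unsafeRe.ReplaceAllString(email, "-"), "-.")
}

func main() {
	// Constructed sample names; the issue's real address is not shown.
	for _, n := range []string{"role-admin", "admin@example.com", SafeRoleName("admin@example.com")} {
		if p, err := IdentityOIDCRolePath(n); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("ok:    ", p)
		}
	}
}
```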
References
No response
Would you like to implement a fix?
No