
[BUG] v2.1.2 breaks secrets in JSON format

Open dlavrenuek opened this issue 3 years ago • 4 comments

Describe the bug vault-action v2.1.2 breaks the secrets that are stored as json, for example json web token keys, because the values are now parsed as json instead of a string REF.

To Reproduce Example secret that is stored as json:

{ "kty": "RSA", "n": ...

Was in v2.1.1 passed to the application in the correct JSON format as

{ "kty": "RSA", "n": ...

In v2.1.2 it is passed to the application as JavaScript object representation, which is not valid JSON:

{ kty: RSA, n: ...

This results in a fatal error in the application due to invalid formatting.

Expected behavior The secrets in JSON format should not be modified and passed to the application in valid JSON format.

dlavrenuek avatar Mar 11 '21 09:03 dlavrenuek

Hi @dlavrenuek, this is unfortunate due to the change made on parsing secrets from Vault. We're taking a look at this.

jasonodonnell avatar Apr 22 '21 20:04 jasonodonnell

Hi @jasonodonnell, do you know what the use case for this PR was https://github.com/hashicorp/vault-action/pull/173 and how this was tested? From what I can see in the code, even though the secret is parsed with JSON.parse it is returned as a string in the end anyway, and I can't find any interaction with the parsed secret in between.

dlavrenuek avatar Jun 28 '21 08:06 dlavrenuek

@jasonodonnell this issue is open for quite some time now, is it planned to fix it?

dlavrenuek avatar Sep 30 '21 12:09 dlavrenuek

Any updates on this? I am unable to use this functionality, and would very much like to.

MattPumphrey avatar Oct 11 '22 18:10 MattPumphrey

Hi @dlavrenuek or @MattPumphrey I have been unable to capture this in the e2e tests. See my PR here: https://github.com/hashicorp/vault-action/pull/466

If you can help me recreate this issue then I can try to get it fixed. Manual repro steps would be fine too if you can't provide pointers on my tests. Thanks!

fairclothjm avatar Jun 09 '23 18:06 fairclothjm

@fairclothjm I think the case (as mentioned above) is if you use 'unquoted' json secret stored in vault such as: { "kty": "RSA", "n": "xxx" }

In your tests you are wrapping the json in single quotes, which is not the exact case here:

expect(process.env.SECRET_JSON).toBe('{"x":1,"y":2}')

Try to store the unquoted json in Vault/env and run the test:

{ "kty": "RSA", "n": "xxx" }

btw, yes I can also confirm that when storing the unquoted json, you will get env variable with double quotes being removed from the secret.

markoojleski-factoryww avatar Jun 09 '23 20:06 markoojleski-factoryww

Released Vault GitHub Action v2.7.0 which should fix this regression!

fairclothjm avatar Jun 21 '23 19:06 fairclothjm

Reopening as we had to revert #466 in https://github.com/hashicorp/vault-action/pull/471

fairclothjm avatar Jul 03 '23 15:07 fairclothjm

Released Vault GitHub Action v2.7.2 which should (finally) fix this regression!

fairclothjm avatar Jul 06 '23 19:07 fairclothjm

As noted above, this has to do with how the secret is stored in Vault. The solution for this as of Vault Action v2.7.3 is to access the secret via the environment variable that is set by Vault Action.

For example, with the following setup

jobs:
    build:
        # ...
        steps:
            # ...
            - name: Import Secrets
              id: import-secrets
              uses: hashicorp/vault-action@v2
              with:
                url: https://vault.mycompany.com:8200
                token: ${{ secrets.VAULT_TOKEN }}
                secrets: |
                    secret/data/json-data jwt_data | MY_JWT ;
            # ...

We can access the environment variables like

#...
            - name: Step following 'Import Secrets'
              run: |
                echo "$JWT_DATA"
                echo "$MY_JWT"
            # ...

The JSON will be properly formatted.

fairclothjm avatar Jul 19 '23 20:07 fairclothjm
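The two points raised in this thread, that a JSON-valued secret must not be parsed and re-rendered on its way into the environment (the JSON.parse question above) and that the consuming step should be able to verify it received valid JSON, as an added JavaScript example. This is not vault-action's code; `toEnvString`, `checkJsonSecret`, `canonical` and the sample JWK are hypothetical names and constructed values.

```javascript
// Added example, not code from vault-action. Shows (1) how to turn whatever
// the Vault API returned for a key (a string, or a value the HTTP client has
// already parsed into an object) into a string that is still valid JSON, and
// (2) a consumer-side check that the value received through the environment
// round-trips to what was stored. The symptom reported in this thread
// ({ kty: RSA, n: ... } instead of { "kty": "RSA", "n": ... }) fails that check.

/**
 * Normalize a secret value for export as an environment variable.
 * Strings pass through untouched: a string that happens to contain JSON is
 * still just a string and must not be re-rendered. Objects, arrays, numbers
 * and booleans are serialized with JSON.stringify so quoting is preserved.
 */
function toEnvString(value) {
  if (typeof value === 'string') return value;
  if (value === null || value === undefined) return '';
  return JSON.stringify(value);
}

/**
 * Canonical JSON rendering with sorted object keys, so two values can be
 * compared without caring about key order.
 */
function canonical(value) {
  if (Array.isArray(value)) {
    return '[' + value.map(canonical).join(',') + ']';
  }
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k]))
      .join(',') + '}';
  }
  return JSON.stringify(value);
}

/**
 * Consumer-side check: does the exported value parse as JSON, and does it
 * equal the value originally stored in Vault? Returns a result object rather
 * than throwing so it can be used from a job step or a test.
 */
function checkJsonSecret(envValue, expected) {
  let parsed;
  try {
    parsed = JSON.parse(envValue);
  } catch (err) {
    return { valid: false, reason: 'not valid JSON: ' + err.message };
  }
  if (canonical(parsed) !== canonical(expected)) {
    return { valid: false, reason: 'value changed in transit' };
  }
  return { valid: true };
}

// Constructed sample secret, mirroring the JWK shape in the reports above.
const storedJwk = { kty: 'RSA', n: 'xxx', e: 'AQAB' };

// The reported symptom, written out as a constructed string: the object
// rendered without its quotes, which is not JSON.
const mangled = '{ kty: RSA, n: xxx, e: AQAB }';

// What the consuming step should receive.
const exported = toEnvString(storedJwk);

console.log(exported);                               // {"kty":"RSA","n":"xxx","e":"AQAB"}
console.log(checkJsonSecret(exported, storedJwk));   // { valid: true }
console.log(checkJsonSecret(mangled, storedJwk));    // { valid: false, reason: 'not valid JSON: ...' }
```

The same check can be run inside the workflow step that consumes the secret (for example by piping `$MY_JWT` through a JSON parser and failing the job if it does not parse), which turns a silent formatting regression into an immediate, visible failure before the value reaches the application.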