
Access vault using kubernetes method

Open shafiz1 opened this issue 3 years ago • 4 comments

Describe the bug

I am trying to access vault secrets using kube auth on a self-hosted action runner. I could see the input it requires is the vault role and kubernetes token path.

When I use them, it fails with Error: Response code 400 (Bad Request)

To Reproduce

- name: Get secrets from Vault
  uses: hashicorp/vault-action@<version>
  with:
    url: https://vaultdev.***********.com
    method: kubernetes
    role: *************
    kubernetesTokenPath: **************
    secrets: |
      ****************** USERNAME | TEST_USERNAME_;
      ****************** PASSWORD | TEST_PASSWORD ;

Expected behavior

Fetch secrets from vault

Log Output

Get Vault Secrets
##[debug]Retrieving Vault Token from v1/auth/kubernetes/login endpoint
::endgroup::
Error: Response code 400 (Bad Request)
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Get secrets from Vault

Additional context

Does this action support kube auth on a self-hosted runner? I see this in the readme:

kubernetes: you must provide the role parameters. You can optionally override the kubernetesTokenPath parameter for custom mounted serviceAccounts. Consider kubernetes auth (https://www.vaultproject.io/docs/auth/kubernetes) when using self-hosted runners on Kubernetes:

shafiz1 • Jul 15 '21 19:07

To help isolate where the problem is, have you tested the login with these parameters using curl or Postman to make sure it's not a Kubernetes config issue? https://www.vaultproject.io/api-docs/auth/kubernetes#login There are some caveats (additional config parameters) depending on where Vault is running: https://www.vaultproject.io/api-docs/auth/kubernetes#caveats I will be working on a kubernetes/vault project soon so let me know what you find...

slemme1 • Jul 29 '21 02:07

What I'm missing here is the parameter "path". Since I have multiple kubernetes backends configured on Vault, I'd like to be able to customize the path parameter.

Exactly what has been explained on this blog - https://computingforgeeks.com/how-to-integrate-multiple-kubernetes-clusters-to-vault-server/

nullck • Nov 08 '22 16:11

@nullck Hello, you should be able to provide a path to the appropriate backend with the path field defined here: https://github.com/hashicorp/vault-action#reference

fairclothjm • Jun 08 '23 17:06

@shafiz1 Hi, are you still seeing this issue? Were you able to verify the login with these parameters using curl or Postman to make sure it's not a Kubernetes config issue? As mentioned here: https://github.com/hashicorp/vault-action/issues/237#issuecomment-888739923

fairclothjm • Jun 08 '23 17:06
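
The manual login check suggested in the comments, with the auth mount configurable as discussed for the `path` field. This is an added example, not code from the issue or from vault-action; the variable names VAULT_ADDR, VAULT_ROLE, VAULT_K8S_MOUNT and K8S_TOKEN_PATH and the function names are assumptions of this sketch. It POSTs the role and service account JWT to the login endpoint from the linked API docs and prints the HTTP status and response body, where Vault returns its `errors` array.

```shell
#!/usr/bin/env bash
# Added example: reproduce the Kubernetes auth login by hand so the response
# body behind "Response code 400" is visible. Variable names are assumptions.

# URL of the login endpoint for an auth mount (default mount: kubernetes).
login_url() {
  local addr="${1%/}" mount="${2:-kubernetes}"
  mount="${mount#/}"; mount="${mount%/}"
  printf '%s/v1/auth/%s/login' "$addr" "$mount"
}

# JSON body {"role": ..., "jwt": ...}. Conservative for this sketch: refuses
# any value that would need JSON escaping instead of trying to escape it.
login_payload() {
  local role="$1" jwt="$2"
  case "$role" in ''|*[!A-Za-z0-9_.-]*) echo "bad role name" >&2; return 1;; esac
  case "$jwt"  in ''|*[!A-Za-z0-9_.-]*) echo "token is empty or not a JWT" >&2; return 1;; esac
  printf '{"role":"%s","jwt":"%s"}' "$role" "$jwt"
}

# Read the service account token, dropping any trailing newline.
read_token() {
  local path="${1:-/var/run/secrets/kubernetes.io/serviceaccount/token}"
  [ -r "$path" ] || { echo "cannot read token at $path" >&2; return 1; }
  tr -d '\r\n' < "$path"
}

# Perform the login; print body and status with any client token redacted.
vault_k8s_login() {
  local jwt body url
  jwt="$(read_token "${K8S_TOKEN_PATH:-}")" || return 1
  body="$(login_payload "$VAULT_ROLE" "$jwt")" || return 1
  url="$(login_url "$VAULT_ADDR" "${VAULT_K8S_MOUNT:-}")"
  curl -sS -X POST -H 'Content-Type: application/json' --data "$body" \
       -w '\nHTTP %{http_code}\n' "$url" |
    sed -E 's/("client_token":")[^"]*/\1<redacted>/'
}

# Only contacts Vault when both variables are set in the environment.
if [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_ROLE:-}" ]; then
  vault_k8s_login
fi
```

Run it from inside the runner pod so it reads the same token the action would; set VAULT_K8S_MOUNT when the cluster's auth backend is not mounted at `kubernetes`.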