vault

vault copied to clipboard

Describe the Bug When using the CLI to retrieve a value using kv get with the -field specified combined with -format json the value returned includes double quotes.

To reproduce

1. Run vault kv put cubbyhole/testfield field1=value Success! Data written to: cubbyhole/testfield

2. Run vault kv get -field=field1 cubbyhole/testfield value

3. Run vault kv get -format json -field=field1 cubbyhole/testfield "value"

Expected Behavior when -field is specified the value should be returned without surrounding quotes.

Environment: Server Vault v1.12.0 Client Vault v1.12.0 OS Windows AMD64

HCL Reproduceable using vault server -dev

You literally asked the Vault CLI to return JSON format, so it did...

If you don't want it to format the result as JSON, don't ask it to do that.

You literally asked the Vault CLI to return JSON format, so it did...

If you don't want it to format the result as JSON, don't ask it to do that.

For the issue in question we set the -format=table as a CLI option to prevent being overriden by the environment variable, that was a good workaround, however we raised this bug as we felt that field option though should be mutually exclusive to format in most use cases, never wrapping with quotes.

It was discovered via an ansible role that had the environment variable set to VAULT_FORMAT=json which was set when running a script that would retrieve values from a vault kv to set a service account password.

The same script would succeed when run by an admin locally on the server. After a few weeks of chasing the issue we learned that the json format setting was adding quotes that were not being added when run without the environment variable being set.

I personally agree that this is both "expected" behavior and an area where we can make the experience more user friendly. I suspect the Vault engineering teams will have many existential arguments, Waiting For Godot style, in Slack. (This is entirely tongue-in-cheek on my part, and also very serious; I do very much hope a conclusion will arrive, even if Godot doesn't.)

we felt that field option though should be mutually exclusive to format in most use cases, never wrapping with quotes.

I don't agree with this. It's convenient to be able to use field and format=json together, as it saves having to manually parse the output with jq when you only care about a single field. But it wouldn't be JSON if we emitted an unquoted string.

Thank you for filing this, as it's clear you did so with the goal of improving the product, since you'd already found a solution for your own purposes. I'm going to decline the suggestion though.