
Can't use vaku without read capability on sys/mounts

Status: Open. tobgu opened this issue 2 years ago • 2 comments

I've run up against an issue where "normal" users cannot use most of the functionality in vaku since it relies on a call to https://github.com/lingrino/vaku/blob/main/api/mounts.go#L46 which requires read capability on sys/mounts.

We don't want to assign this capability to non-admin users as it would expose information/existence about mounts that the user does not have access to.

The only way I know of to get this information without using sys/mounts is through an internal endpoint used by the GUI which provides you with similar information, but scoped to the mounts that you have access to: https://www.vaultproject.io/api-docs/system/internal-ui-mounts

That the endpoint is internal is a problem of course wrt stability and existence. I've written an issue on Vault for this but I don't have high hopes of a quick solution to it: https://github.com/hashicorp/vault/issues/15724

The only way around this that I can think of is to make it possible to make the "mount source" pluggable to avoid requiring access to sys/mounts. In that way we could, for example, use the above internal endpoint at our own risk to get the information. Or some other static configuration available in our use case. Perhaps you have better ideas for how to tackle this?

tobgu, Jun 01 '22 04:06

@tobgu thanks for the issue! This is definitely something we can work out.

I'm reluctant to use the internal endpoint but I'm following the issue you opened and hopefully we can find a more stable approach later on. For now would it work for you to have a flag and/or environment variable (maybe VAKU_MOUNT_VERSION) that you can manually set to bypass this check?

lingrino, Jun 01 '22 16:06

An environment variable for the CLI + the possibility to pass it as config to NewClient would be perfectly fine for my use case. We only use kv-v2, never v1.

Thanks!

tobgu, Jun 01 '22 18:06
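Added example (not vaku's own code): a Go sketch of the override discussed above, where a configured KV version (what the VAKU_MOUNT_VERSION flag/env var would carry) skips the sys/mounts lookup, so a token without read capability on sys/mounts still works while a token that has it keeps the normal lookup. The sys/mounts body, mount paths and function names here are constructed for the example.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// Constructed sys/mounts body carrying only the fields this example reads.
const sampleMounts = `{"data":{"secret/":{"type":"kv","options":{"version":"2"}},"legacy/":{"type":"kv","options":{"version":"1"}}}}`
type mountEntry struct {
	Type    string
	Options map[string]string
}

// kvVersionFromMounts is the lookup that needs read capability on sys/mounts.
// Vault rejects nested mounts, so the first mount prefixing path is the one.
func kvVersionFromMounts(body []byte, path string) (int, error) {
	var table struct{ Data map[string]mountEntry }
	if err := json.Unmarshal(body, &table); err != nil {
		return 0, err
	}
	for mount, m := range table.Data {
		if strings.HasPrefix(path, mount) {
			if m.Type != "kv" {
				return 0, fmt.Errorf("%q is not a kv mount", mount)
			}
			if m.Options["version"] == "2" {
				return 2, nil
			}
			return 1, nil
		}
	}
	return 0, fmt.Errorf("no mount covers %q", path)
}

// ResolveKVVersion is the override discussed in the thread: a non-empty override
// (read from VAKU_MOUNT_VERSION by the caller) means sys/mounts is never read.
func ResolveKVVersion(override, path string, fetchMounts func() ([]byte, error)) (int, error) {
	if v, ok := map[string]int{"1": 1, "2": 2}[override]; ok {
		return v, nil
	}
	if override != "" {
		return 0, fmt.Errorf("invalid mount version override %q", override)
	}
	body, err := fetchMounts()
	if err != nil {
		return 0, fmt.Errorf("reading sys/mounts (set VAKU_MOUNT_VERSION to skip): %w", err)
	}
	return kvVersionFromMounts(body, path)
}
```

With the override set, a permission-denied response from sys/mounts is never reached, which is exactly the least-privilege case the issue describes.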

#198 does the trick AFAIC!

tobgu, Nov 28 '22 22:11