Namespace Support

Open d0dg3r opened this issue 3 years ago • 5 comments

Hello, a short question. How do I open a secret in a namespace? Let's say the namespace is org1 and the secret is test, e.g. http://.../vault/secrets/kv/show/test?namespace=org1. I didn't find anything about that in your documentation; maybe you can give me a hint in the right direction. Thanks and greetings, Joe

d0dg3r avatar Mar 30 '21 10:03 d0dg3r

👋 Hi @d0dg3r,

It's tough to tell exactly what the path to the secret is in your example above (i.e. I would assume that /vault gets stripped off). So I'm not sure that I can provide an accurate response on how to reformat the above URL.

But the Vault docs provide a pretty good example of how a namespace can be provided in different ways to create logically equivalent requests. In theory, you should be able to prefix the path based on the namespace.

Have you given that a try yet?

What I'm not clear on is how namespaces impact the typical functions that are available through the API. I'll do some digging and see if I can recreate this scenario.

~Owen

owenfarrell avatar Apr 02 '21 18:04 owenfarrell

I tried this path prefix and I get a 404.

adammike avatar Apr 24 '22 04:04 adammike

Typically a namespace is passed as an HTTP header to the API like so:

curl \
    -H "X-Vault-Token: hvs.sometokenvalue" \
    -H "X-Vault-Namespace: admin" \
    -X GET \
    http://127.0.0.1:8200/v1/secret/foo

Vault namespace considerations are described in the Vault API docs. HCP Vault uses namespaces for tenant isolation, so the VSCode plugin won't work with HCP Vault until it has namespace support.

jbayer avatar Nov 14 '22 21:11 jbayer
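
The header form and the path-prefix form discussed in this thread, as an added example that is not part of the original comments or the extension's code: per the Vault namespace documentation, a namespace can be carried in the `X-Vault-Namespace` header, prefixed to the API path, or split between the two. The function name `namespacedRequests` is hypothetical; the address, token and path are the sample values from the curl command above.

```javascript
// Added example: lists the logically equivalent ways to address one API path
// inside a Vault namespace (X-Vault-Namespace header vs. path prefix).
// namespacedRequests is a hypothetical helper, not part of vscode-vault.

function trimSlashes(s) {
  return s.replace(/^\/+|\/+$/g, '');
}

// Returns every header/path split of `namespace` for the API path `apiPath`.
// Entry 0 carries the whole namespace in the header; the last entry carries
// it entirely in the URL path and sends no namespace header at all.
function namespacedRequests(addr, token, namespace, apiPath) {
  const segments = trimSlashes(namespace).split('/').filter(Boolean);
  const path = trimSlashes(apiPath);
  const requests = [];
  for (let inHeader = segments.length; inHeader >= 0; inHeader--) {
    const headerNs = segments.slice(0, inHeader).join('/');
    const prefix = segments.slice(inHeader).join('/');
    const headers = { 'X-Vault-Token': token };
    if (headerNs) headers['X-Vault-Namespace'] = headerNs;
    // /v1/<namespace segments kept in the path>/<api path>
    const fullPath = ['v1', prefix, path].filter(Boolean).join('/');
    requests.push({
      method: 'GET',
      url: new URL(fullPath, addr).toString(),
      headers,
    });
  }
  return requests;
}

// Sample values taken from the curl command in the comment above.
const sample = namespacedRequests(
  'http://127.0.0.1:8200', 'hvs.sometokenvalue', 'admin', 'secret/foo');
for (const r of sample) {
  console.log(r.method, r.url, JSON.stringify(r.headers));
}
```

A client that sends neither the header nor the prefix addresses the root namespace, which is why a request that works against a self-hosted Vault can return 404 or a permission error against a namespaced deployment.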

Hey all - for whatever reason, I was hyper-focused on implementing namespace support through massaging URL paths (as an alternative to the request header). But I'm honestly not sure why I was focused on that approach. Whatever the reason was, it probably wasn't good.

Given that there's been some recent traction on node-vault, I took a fresh crack at this and just merged in the changes as part of #97.

If anyone is interested in taking this for a test drive, I've published the latest build to the VSCode pre-release channel. I've noticed a couple of smaller issues that I want to resolve as I've been testing against HCP, but I'd love this group's feedback on the latest build.

owenfarrell avatar Nov 16 '22 15:11 owenfarrell

I tried out the pre-release with Namespaces with HCP Vault and it seemed to work well with the "admin" namespace. Thanks for making the pre-release available.

I did have one issue getting the name/value pair updates working for a KVv2 secret. Using JSON worked fine, but the key/value pair gave me an error: "Must be JSON or key/value pairs".

I tried entering the following into the input box, and this didn't work without an error: foo=bar

jbayer avatar Nov 17 '22 18:11 jbayer