[Bug]: auth_login_userpass ignores password_file parameter #2304

Open
Cezero opened this issue Jul 29, 2024 · 0 comments
Terraform Core Version

1.9.3

Terraform Vault Provider Version

4.3.0

Vault Server Version

1.17.2

Affected Resource(s)

auth_login_userpass ignores the password_file parameter, regardless of whether it is set via the environment variable TERRAFORM_VAULT_PASSWORD_FILE or set as a parameter password_file = "" in the vault {} provider block.

Expected Behavior

The password should be read from the file.

Actual Behavior

The setting is ignored; the Vault provider still attempts to log in to Vault, which rejects the attempt with a 500 "missing password" error.

To be clear, if I set either password or TERRAFORM_VAULT_PASSWORD, the provider works perfectly and I am able to fetch credentials. However, I would prefer to set my vault password in a secure file, not export it into my environment.

Relevant Error/Panic Output Snippet

data.vault_kv_secret_v2.terraform_api_key: Reading...

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Error making API request.
│
│ URL: PUT https://xxxxxxxxx:8200/v1/auth/userpass/login/xxxxxx
│ Code: 500. Errors:
│
│ * missing password
│
│   with data.vault_kv_secret_v2.terraform_api_key,
│   on terraform.tf line 23, in data "vault_kv_secret_v2" "terraform_api_key":
│   23: data "vault_kv_secret_v2" "terraform_api_key" {
│

Terraform Configuration Files

I've tested several scenarios:

    export TERRAFORM_VAULT_PASSWORD=foo
    export TERRAFORM_VAULT_PASSWORD_FILE=bar

This should result in the error: "auth_login_userpass.0.password_file": conflicts with auth_login_userpass.0.password; however, it does not. The provider simply uses the PASSWORD and attempts to log in.

However:

    provider "vault" {
      address = "XXX"
      auth_login_userpass {
        username      = "XXX"
        password      = "foo"
        password_file = "bar"
      }
    }

Does result in the "conflicts" error, so the parameter is being used in that one scenario.

Steps to Reproduce


    provider "vault" {
      address = "XXX"
      auth_login_userpass {
        username      = "XXX"
        password_file = "bar"
      }
    }

Simply results in a 500 "missing password" error from the Vault API. It doesn't matter if password_file is set to a valid file or not. I would expect a "no such file" or other error in that scenario, but it is clear that the provider never attempts to open the file at all.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@Cezero Cezero added the bug label Jul 29, 2024
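
The behaviour the report expects (a conflict error when both values are set, a file error when password_file cannot be read, and never an empty password sent to Vault) can be sketched as follows. This is an added example, not code from the provider or from the reporter; the function name `resolveUserpassPassword`, the owner-only permission check and the trailing-newline trimming are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveUserpassPassword is a hypothetical helper, not the provider's code. inline and
// file are the effective values after the provider block and environment are merged.
func resolveUserpassPassword(inline, file string) (string, error) {
	switch {
	case inline != "" && file != "":
		return "", errors.New("password_file conflicts with password")
	case inline != "":
		return inline, nil
	case file == "":
		return "", errors.New("one of password or password_file is required")
	}
	info, err := os.Stat(file)
	if err != nil {
		return "", fmt.Errorf("password_file: %w", err) // e.g. no such file
	}
	// Assumption: a secret file should be private to its owner (Unix modes).
	if info.Mode().Perm()&0o077 != 0 {
		return "", fmt.Errorf("password_file %q is accessible by group or others", file)
	}
	raw, err := os.ReadFile(file)
	if err != nil {
		return "", fmt.Errorf("password_file: %w", err)
	}
	pw := strings.TrimRight(string(raw), "\r\n") // assumption: trailing newline is not part of the password
	if pw == "" {
		return "", fmt.Errorf("password_file %q is empty", file)
	}
	return pw, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "vaultpw")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "pw") // constructed sample file
	_ = os.WriteFile(path, []byte("s3cret\n"), 0o600)
	_, err := resolveUserpassPassword("foo", path)
	fmt.Println("both set:", err)
	pw, err := resolveUserpassPassword("", path)
	fmt.Println("file only:", len(pw), err)
}
```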