token must be of type str or bytes, not <class 'ansible.utils.unsafe_proxy.AnsibleUnsafeText'>

[briantist]

SUMMARY

Seeing some failures in daily CI today in devel:

fatal: [testhost]: FAILED! => {
"msg": "The conditional check 'result == {}' failed. The error was: An unhandled exception occurred while templating '{{ lookup('community.hashi_vault.vault_write', 'cubbyhole/secret1', **kwargs) }}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.vault_write'. Error was a <class 'requests.exceptions.InvalidHeader'>, original message: Header part ('hvs.CAESIDuQk-b_84grFKHxz_B9F4sosfrNY1ci5ZmsurpX1EDzGh4KHGh2cy5pbVlsQTZBNUc4dFlzZnEzVVhRUmxUd2E') from {'X-Vault-Token': 'hvs.CAESIDuQk-b_84grFKHxz_B9F4sosfrNY1ci5ZmsurpX1EDzGh4KHGh2cy5pbVlsQTZBNUc4dFlzZnEzVVhRUmxUd2E'} must be of type str or bytes, not <class 'ansible.utils.unsafe_proxy.AnsibleUnsafeText'>. Header part ('hvs.CAESIDuQk-b_84grFKHxz_B9F4sosfrNY1ci5ZmsurpX1EDzGh4KHGh2cy5pbVlsQTZBNUc4dFlzZnEzVVhRUmxUd2E') from {'X-Vault-Token': 'hvs.CAESIDuQk-b_84grFKHxz_B9F4sosfrNY1ci5ZmsurpX1EDzGh4KHGh2cy5pbVlsQTZBNUc4dFlzZnEzVVhRUmxUd2E'} must be of type str or bytes, not <class 'ansible.utils.unsafe_proxy.AnsibleUnsafeText'>"
}

It looks like something has changed causing the result to be considered "unsafe" from various lookups.

ISSUE TYPE

• Bug Report

COMPONENT NAME

auth_token
lookup_hashi_vault
lookup_vault_kv1_get
lookup_vault_kv2_get
lookup_vault_login
lookup_vault_read
lookup_vault_token_create
lookup_vault_write

ANSIBLE VERSION

devel

COLLECTION VERSION

current

[briantist]

It appears that this is due to a change in requests unfortunately:

• Breaking change in 2.28.0 when using string enums as Headers (working in v2.27.1) psf/requests#6159

This probably means the token returned as always being marked as unsafe anyway, or perhaps that happened after the token changes in 1.10, but either way, requests was turning them back into regular strings.

It seems they are reluctant to change this behavior back despite it being breaking; even if gets reverted it will probably happen again in another release.

Will have to see what we can do on our side.

[briantist]

The workaround I've been working on is to internally ensure that tokens are always strings when we pass them to the client. Hope to have a PR up for this soon.

[fansari]

I came across the same issue. The latest version I can install with pip which does not run into this bug is this:

pip install ansible==6.7.0

[briantist]

@fansari this should have been fixed in #291 in collection version 3.2.0. When you run ansible-galaxy collection list what version of this collection do you see?