lookup/hashi_vault.py: IAM auth does not support the mount_point parameter #7

Closed
lamawithonel opened this issue Oct 30, 2020 · 7 comments · Fixed by #22
@lamawithonel

SUMMARY

AWS IAM authentication does not take the mount_point parameter, but other auth methods do.

ISSUE TYPE
  • Bug Report

A previous report of a similar issue (#767) was classified as a Bug.

COMPONENT NAME

lookup/hashi_vault.py

ANSIBLE VERSION
    ansible 2.10.2
      config file = /etc/ansible/ansible.cfg
      configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/lib/python3.8/site-packages/ansible
      executable location = /usr/bin/ansible
      python version = 3.8.2 (default, Jul 18 2020, 19:35:03) [GCC 9.2.0]

CONFIGURATION

No changes

OS / ENVIRONMENT
    cat /etc/os-release
    NAME="Alpine Linux"
    ID=alpine
    VERSION_ID=3.11.6
    PRETTY_NAME="Alpine Linux v3.11"
    HOME_URL="https://alpinelinux.org/"
    BUG_REPORT_URL="https://bugs.alpinelinux.org/"

STEPS TO REPRODUCE
  1. Enable the AWS auth method in HashiCorp Vault with a custom mountpoint, e.g., obfuscated-iam.
  2. Use the hashi_vault lookup plugin with the options auth_method=aws_iam_login mount_point=obfuscated-iam.
EXPECTED RESULTS

hashi_vault should authenticate successfully to Vault using the custom mountpoint.

The issue resides, or at least is fixable, in the validate_auth_aws_iam_login function, here. A naive fix is to add mount_point to the params list as below:

    def validate_auth_aws_iam_login(self, auth_method):
        params = {
            'access_key': self.get_option('aws_access_key'),
            'secret_key': self.get_option('aws_secret_key'),
            'mount_point': self.get_option('mount_point')   # <--------- a naive fix
        }
        ...
ACTUAL RESULTS

hashi_vault attempts to authenticate using the default aws mountpoint instead of the requested obfuscated-iam, i.e., /v1/auth/aws/login instead of /v1/auth/obfuscated-iam/login.

fatal: [example.com]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'hashi_vault'. Error was a <class 'hvac.exceptions.InvalidRequest'>, original message: missing client token, on post https://example.net/v1/auth/aws/login"}
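As an added illustration (not code from the hashi_vault plugin or from this report), the following models how the mount_point option changes the Vault login path, and shows the caveat a practitioner would want: when the option is unset, Ansible's get_option() returns None, so the naive fix needs a fallback to the method's default mount ("aws", hvac's default) or the path becomes /v1/auth/None/login. The options dict, the path model and the validation helper are constructed for the example.

```python
from urllib.parse import quote

AWS_DEFAULT_MOUNT_POINT = "aws"  # hvac's default mount for the AWS auth method


def validate_auth_aws_iam_login(options, pass_mount_point=True):
    """Build the kwargs that would be handed to hvac's aws.iam_login().

    `options` stands in for the plugin's get_option() results (constructed).
    With pass_mount_point=False this mirrors the behaviour reported in the
    issue: mount_point is silently dropped and the default mount is used.
    """
    params = {
        "access_key": options.get("aws_access_key"),
        "secret_key": options.get("aws_secret_key"),
    }
    if pass_mount_point:
        # get_option() yields None when the user did not set mount_point;
        # fall back to the method default instead of passing None through.
        mount = options.get("mount_point") or AWS_DEFAULT_MOUNT_POINT
        # A mount point is a single path segment; refuse anything that would
        # alter the request path (slashes, empty or whitespace-only values).
        if "/" in mount or not mount.strip():
            raise ValueError("invalid mount_point: %r" % mount)
        params["mount_point"] = mount
    return params


def iam_login_path(params):
    """Path the client would POST to for these params (constructed model)."""
    mount = params.get("mount_point", AWS_DEFAULT_MOUNT_POINT)
    return "/v1/auth/%s/login" % quote(mount, safe="")


def rejects_mount_point(value):
    """True if the validator refuses `value` as a mount point."""
    opts = {"aws_access_key": "CONSTRUCTED", "aws_secret_key": "CONSTRUCTED",
            "mount_point": value}
    try:
        validate_auth_aws_iam_login(opts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    opts = {"aws_access_key": "CONSTRUCTED", "aws_secret_key": "CONSTRUCTED",
            "mount_point": "obfuscated-iam"}
    print(iam_login_path(validate_auth_aws_iam_login(opts, False)))  # /v1/auth/aws/login
    print(iam_login_path(validate_auth_aws_iam_login(opts)))  # /v1/auth/obfuscated-iam/login
```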
@briantist
Collaborator

Thanks for this report @lamawithonel !
The fix you pointed out should work, I would only want to change it to reflect the fact that the internal "option" being set no longer contains only AWS credentials, so it should reflect that it now contains the full set of options for this auth method, if that makes sense.

Are you interested in putting in a PR for this?
For reference PR ansible-collections/community.general#897 fixed the issue for the other one.

If not, it's something I will likely address myself but not sure of timeframe just yet.

@ichasco

ichasco commented Nov 9, 2020

Hi @briantist .
When is this change going to be applied?

Thanks! :)

@lamawithonel
Author

@briantist I can get something together later this month. Does it need tests?

@briantist
Collaborator

@ichasco this is a bug report but not a PR so there's no change to be applied just yet. Someone has to work to implement the change

@lamawithonel thanks that'd be great. Unfortunately we don't have tests for this auth method since it's difficult to set up what is needed on the AWS side (for me anyway) in the test environment. It might make sense to add some basic tests that ensure the parameters are being used/accepted correctly? Not sure if that'll be possible though.

@dmsimard dmsimard transferred this issue from ansible-collections/community.general Dec 1, 2020
@dmsimard

dmsimard commented Dec 1, 2020

Hi @lamawithonel, just FYI we've moved this issue to https://github.com/ansible-collections/community.hashi_vault
