vault-action: [BUG] V2.7.0 breaks JSON secrets
Describe the bug
After the latest update (v2.7.0) our pipelines started failing due to unexpected tokens in JSON. Downgrading to v2.6.0 solved the issue.
To Reproduce
As an example, in the Vault, in the key-value engine, there’s Google Service Account JSON content. It’s been working fine, but now when it’s passed to google-github-actions/auth action, it fails with:
google-github-actions/auth failed with: retry function failed after 4 attempts: failed to parse service account key JSON credentials: unexpected token \ in JSON at position 1
Additional context
Related to this: https://github.com/hashicorp/vault-action/pull/466
cc @fairclothjm
About this issue
- State: closed
- Created a year ago
- Reactions: 7
- Comments: 15 (8 by maintainers)
We will work on fixing this. The issue looks to be with secrets stored in Vault as multi-line JSON strings.
There are a few options to work around this at the moment:
- Pin your vault-action to v2.6.0
- Or, if you want to keep using v2.7.0 (or v2), store your JSON string as a single line in Vault (this is the way google-github-actions/auth recommends storing secrets)
thanks @mweber15! I am beginning to think that vault-action may need a JSON format option to better handle JSON secrets. Vault already has this, and in fact does not support your use-case without the format=json flag.
JSON data stored in Vault (as a map):
Without format=json:
With format=json:
So, maybe vault-action needs something similar? Because I think that the current behavior as of v.2.7.2 is correct since it most closely matches Vault’s behavior. I will discuss this with my team this week.
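A pre-flight check for the failure reported in this thread, as an added example that is not code from vault-action or from any commenter: it classifies a JSON secret as single-line, multi-line, or carrying an extra layer of escaping (a backslash at position 1, as in the error quoted in the report) and returns the single-line form the workaround asks for. The function names and sample values are constructed for illustration, and the escaped case assumes exactly one extra round of JSON string escaping.

```javascript
// Constructed sample: not a real service account key.
const SAMPLE = { type: "service_account", private_key: "line1\nline2\n" };
const SINGLE = JSON.stringify(SAMPLE);          // stored on one line
const MULTI = JSON.stringify(SAMPLE, null, 2);  // pretty-printed over several lines
// MULTI after one extra round of string escaping: begins with {\n  \"type\"
const ESCAPED = JSON.stringify(MULTI).slice(1, -1);

// Parse text and return the value only if it is a JSON object or array.
function parseObject(text) {
  try {
    const v = JSON.parse(text);
    return v !== null && typeof v === "object" ? v : null;
  } catch (_) {
    return null;
  }
}

// Classify a secret without ever logging its value.
// status: "ok" | "multiline" | "escaped" | "invalid"
function classifyJsonSecret(value) {
  const text = String(value).trim();
  const direct = parseObject(text);
  if (direct) {
    const status = /[\r\n]/.test(text) ? "multiline" : "ok";
    return { status, singleLine: JSON.stringify(direct) };
  }
  if (text.includes('\\"')) {
    // Assumption: the value is the body of a JSON string literal, so wrapping
    // it in quotes and parsing once undoes the extra escaping.
    try {
      const inner = JSON.parse('"' + text.replace(/\r?\n/g, "\\n") + '"');
      const obj = parseObject(inner);
      if (obj) return { status: "escaped", singleLine: JSON.stringify(obj) };
    } catch (_) {
      // fall through to "invalid"
    }
  }
  return { status: "invalid", singleLine: null };
}

// Report the classification only, never the secret value.
for (const [name, v] of [["single", SINGLE], ["multi", MULTI], ["escaped", ESCAPED]]) {
  console.log(name, classifyJsonSecret(v).status);
}
```

Run in a pipeline step before the consumer action, a status other than "ok" points at how the secret is stored or delivered, and `singleLine` is the value to store back in Vault.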