Vault secret keys prefixed with "data", meta data keys included
cardboardpig opened this issue · comments
Describe the bug
When loading data from vault; keys are prefixed with data, and unexpected keys such as metadataversion exist.
To Reproduce
Follow example in https://github.com/knadh/koanf/blob/master/examples/read-vault/main.go using a vault kv2 secret path
Expected behavior
keys should not be prefixed with data, nor should meta data related keys be included.
Please provide the following information:
- OS: linux
- Koanf Version 2.0.1
- Vault provider version 0.1.1
Additional context
I believe that this is caused by koanf/providers/vault/vault.go, line 69 in c82882d:
    data := maps.Unflatten(secret.Data["data"], r.cfg.Delim)
I could reproduce this with the same example from the repository. If I'm understanding this correctly, the current implementation (which is also how vault works by default) sends back the data along with the secret's metadata, and the values need to be accessed as k.String("data.value") instead of k.String("value").
For this, I've implemented a flag WithMeta to the provider config, enabling which will send back the metadata alongside the data. And with this, the keys have to be accessed in the way the current implementation works (i.e. as data.value).
The flag WithMeta, false by default, will only send back the data part of the map. This will allow the users to access the values as k.String("value") instead of k.String("data.value").
As an example:
    provider := vault.Provider(vault.Config{
        Address:  "http://vault.local",
        Token:    "hvs.VAULT_TOKEN",
        Path:     "secret/data/my-secret",
        Timeout:  10 * time.Second,
        WithMeta: true,
    })
Would require accessing the values as k.String("data.value"), and will have the secret's metadata available as k.String("metadata.version").
Whereas with WithMeta set to false, the values would be accessible as k.String("value"), and the returned data will not contain the metadata for the secret.
Let me know if this implementation makes sense, so I can send a pull request for it.
Hi, thanks for the quick response! I think that your suggested implementation makes sense.
I've added a fix in the PR linked above this comment. Could you try and let me know if it works fine for you?
Quick Update:
We replaced WithMeta with ExcludeMeta for backwards compatibility. So for your use case, you'll need to set ExcludeMeta to true and that will let you access the keys as k.String("key").
ExcludeMeta is now released in tag providers/vault/v0.2.0.
You can do a go get -u github.com/knadh/koanf/providers/vault to update.
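The key layouts discussed in this thread, as an added example that is not part of the thread and not the koanf provider's code: a KV v2 read wraps the secret under "data" next to "metadata", so the flag decides which map becomes the config root. The names loadKeys, flatten and sampleSecret are hypothetical, and the response body is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// flatten copies leaf values of a nested map into out, joining path parts with delim.
func flatten(m map[string]interface{}, prefix, delim string, out map[string]interface{}) {
	for k, v := range m {
		key := prefix + k
		if child, ok := v.(map[string]interface{}); ok {
			flatten(child, key+delim, delim, out)
			continue
		}
		out[key] = v
	}
}

// loadKeys (hypothetical helper) picks the config root from a KV v2 response body:
// excludeMeta=true keeps only the "data" sub-map, false keeps data and metadata.
func loadKeys(secretData map[string]interface{}, excludeMeta bool, delim string) (map[string]interface{}, error) {
	root := secretData
	if excludeMeta {
		inner, ok := secretData["data"].(map[string]interface{})
		if !ok {
			return nil, errors.New(`response has no "data" map; not a KV v2 secret?`)
		}
		root = inner
	}
	out := map[string]interface{}{}
	flatten(root, "", delim, out)
	return out, nil
}

// sampleSecret returns a constructed KV v2 style response body (not real Vault output).
func sampleSecret() map[string]interface{} {
	return map[string]interface{}{
		"data":     map[string]interface{}{"value": "example", "db": map[string]interface{}{"user": "app"}},
		"metadata": map[string]interface{}{"version": 3, "destroyed": false},
	}
}

func main() {
	for _, exclude := range []bool{false, true} {
		keys, err := loadKeys(sampleSecret(), exclude, ".")
		fmt.Println("ExcludeMeta:", exclude, keys, err)
	}
}
```

The error branch covers a response without a nested "data" map, where the exclude setting would otherwise yield an empty configuration without any indication of why.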