knadh / koanf

Simple, extremely lightweight, extensible, configuration management library for Go. Support for JSON, TOML, YAML, env, command line, file, S3 etc. Alternative to viper.


Vault secret keys prefixed with "data", meta data keys included

cardboardpig opened this issue

Describe the bug
When loading data from vault, keys are prefixed with data, and unexpected keys such as metadataversion exist.

To Reproduce
Follow example in https://github.com/knadh/koanf/blob/master/examples/read-vault/main.go using a vault kv2 secret path

Expected behavior
Keys should not be prefixed with data, nor should meta data related keys be included.

Please provide the following information:

  • OS: linux
  • Koanf Version 2.0.1
  • Vault provider version 0.1.1

Additional context
I believe that this is caused by

data := maps.Unflatten(secret.Data, r.cfg.Delim)
which should probably be data := maps.Unflatten(secret.Data["data"], r.cfg.Delim).

I could reproduce this with the same example from the repository. If I'm understanding this correctly, the current implementation (which is also how vault works by default) sends back the data along with the secret's metadata, and the values need to be accessed as k.String("data.value") instead of k.String("value").

For this, I've implemented a flag WithMeta to the provider config, enabling which will send back the metadata alongside the data. And with this, the keys have to be accessed in the way the current implementation works (i.e. as data.value).

The flag WithMeta, false by default, will only send back the data part of the map. This will allow the users to access the values as k.String("value") instead of k.String("data.value").

As an example:

provider := vault.Provider(vault.Config{
	Address:  "http://vault.local",
	Token:    "hvs.VAULT_TOKEN",
	Path:     "secret/data/my-secret",
	Timeout:  10 * time.Second,
	WithMeta: true,
})

Would require accessing the values as k.String("data.value"), and will have the secret's metadata available as k.String("metadata.version")

Whereas with WithMeta set to false, the values would be accessible as k.String("value"), and the returned data will not contain the metadata for the secret.

Let me know if this implementation makes sense, so I can send a pull request for it.

Hi, thanks for the quick response! I think that your suggested implementation makes sense.

I've added a fix in the PR linked above this comment. Could you try and let me know if it works fine for you?

Quick Update:

We replaced WithMeta with ExcludeMeta for backwards compatibility. So for your use case, you'll need to set ExcludeMeta to true and that will let you access the keys as k.String("key").

ExcludeMeta is now released in tag providers/vault/v0.2.0.

You can do a go get -u github.com/knadh/providers/vault to update.
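
The two key layouts discussed in this thread, as an added example that is not part of the original issue or of koanf's own code. It uses only the standard library; `kv2Response`, `selectData` and `flatKeys` are hypothetical names, and the response map is constructed to mimic the shape of a KV v2 read (values under "data", next to "metadata").

```go
package main

import (
	"fmt"
	"sort"
)

// kv2Response is a constructed stand-in for secret.Data from a KV v2 read.
func kv2Response() map[string]interface{} {
	return map[string]interface{}{
		"data":     map[string]interface{}{"value": "s3cr3t-placeholder"},
		"metadata": map[string]interface{}{"version": 3},
	}
}

// selectData is a hypothetical helper (not koanf's code). With excludeMeta
// set it returns only the inner "data" map; otherwise the response as-is.
func selectData(resp map[string]interface{}, excludeMeta bool) (map[string]interface{}, error) {
	if !excludeMeta {
		return resp, nil
	}
	inner, ok := resp["data"].(map[string]interface{})
	if !ok {
		// A KV v1 response keeps its values at the top level, so there is
		// no nested "data" map to unwrap; fail instead of returning nothing.
		return nil, fmt.Errorf("response has no nested \"data\" map")
	}
	return inner, nil
}

// flatKeys lists the delimiter-joined key paths a config lookup would see.
func flatKeys(m map[string]interface{}, prefix, delim string) []string {
	var keys []string
	for k, v := range m {
		if sub, ok := v.(map[string]interface{}); ok {
			keys = append(keys, flatKeys(sub, prefix+k+delim, delim)...)
		} else {
			keys = append(keys, prefix+k)
		}
	}
	sort.Strings(keys)
	return keys
}

func main() {
	for _, exclude := range []bool{false, true} {
		m, err := selectData(kv2Response(), exclude)
		fmt.Println("excludeMeta =", exclude, "keys =", flatKeys(m, "", "."), "err =", err)
	}
}
```

A lookup against the wrong layout finds no key at all, so checking the loaded key list at startup catches a secret that would otherwise resolve to an empty string.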