Display vault approle name and policies in case of a failure #2117
Comments
This issue is stale because it has been open for 60 days with no If it's still relevant, one of the following will remove the stale
Sorry for the delay on this. It may be possible to provide debug logs with this information - This'll need to go into https://github.com/hairyhenderson/go-fsimpl however, as the next major release of gomplate will use that module for the Vault datasource (and authentication).
Given that this is work that needs to be done in go-fsimpl, I'll transfer it there!
I looked into this briefly, and it's going to be quite a bit more complex than I thought. The authentication is all delegated to the various vault packages at https://github.com/hashicorp/vault/blob/main/api/auth. At the least, it would be possible to display which auth method was used. But that really only makes sense if it's always logged (at debug level, of course). It could get verbose quickly! I'm going to move this back to the gomplate repo. The go-fsimpl module currently doesn't do any logging and I'd rather not start now.
Also removing this from the v4 project so as not to hold up the release.
Hi,
First of all, thanks for all of your efforts and the great tool you have implemented.
I have a specific use case that I would like to share:
We are using gomplate to fetch data from vault across many CI/CD pipelines, and sometimes the vault approle in use does not have permissions to access the specified vault path.
At that point, we cannot quickly identify which method was used to authenticate, and what are the enabled policies.
Example
It would be really nice to additionally display some information about the authentication method as well as the policies.
It might be possible to simply lookup the generated token and retrieve its meta information:
e.g
My request is mainly about the approle, but if it makes sense to apply it to all auth methods, it would be better.
Additionally, this does not have to be only in case of a failure. If you prefer to provide a flag that allows the display of such information before reading any values, it could work as well ^^
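An added example, not part of the original issue or of gomplate's code: the token lookup suggested above, done in Go against Vault's `auth/token/lookup-self` endpoint, reporting the auth path, the AppRole `role_name` metadata and the policies without ever printing the token. It assumes the token's policies permit lookup-self (Vault's `default` policy does); `TokenInfo`, `LookupSelf` and `Describe` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
)

// Hypothetical helper names for this example; not gomplate or go-fsimpl code.
// TokenInfo holds only the non-secret fields of a lookup-self response.
type TokenInfo struct {
	Path     string            `json:"path"` // e.g. auth/approle/login
	Policies []string          `json:"policies"`
	Meta     map[string]string `json:"meta"` // AppRole logins set role_name
}

// LookupSelf asks Vault which auth mount and policies back the given token.
func LookupSelf(c *http.Client, addr, token string) (TokenInfo, error) {
	var body struct{ Data TokenInfo `json:"data"` }
	req, err := http.NewRequest(http.MethodGet, addr+"/v1/auth/token/lookup-self", nil)
	if err != nil {
		return body.Data, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := c.Do(req)
	if err != nil {
		return body.Data, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return body.Data, fmt.Errorf("lookup-self: HTTP %d", resp.StatusCode)
	}
	err = json.NewDecoder(resp.Body).Decode(&body)
	return body.Data, err
}

// Describe formats the diagnostic line; the token and accessor are never included.
func Describe(i TokenInfo) string {
	return fmt.Sprintf("vault auth: path=%s role=%s policies=%v", i.Path, i.Meta["role_name"], i.Policies)
}

func main() {
	info, err := LookupSelf(http.DefaultClient, os.Getenv("VAULT_ADDR"), os.Getenv("VAULT_TOKEN"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "lookup failed:", err)
		os.Exit(1)
	}
	fmt.Fprintln(os.Stderr, Describe(info))
}
```

For non-AppRole tokens the `role` field prints empty, while `path` still identifies the auth mount that issued the token.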