Describe the bug
I'm using a JWT generated from Azure AD (via Service Principal) to authenticate to Vault. When using vault-action 2.3.0 on a self-hosted Ubuntu runner on Kubernetes (I believe AKS), I receive the following message: "Error: not supported argument." This appears to be caused by kubernetesTokenPath automatically being injected as a parameter, even though it's not in the code.
Expected behavior
Kubernetes token should not be included when attempting to use JWT authentication method.
Log Output
##[debug]Starting: Set up job
Current runner version: '2.280.3'
Operating System
Virtual Environment
Virtual Environment Provisioner
GITHUB_TOKEN Permissions
##[debug]Primary repository: Cloud-3-0/vault-azure-auth
Prepare workflow directory
##[debug]Creating pipeline directory: '/home/runner/work/vault-azure-auth'
##[debug]Creating workspace directory: '/home/runner/work/vault-azure-auth/vault-azure-auth'
##[debug]Update context data
##[debug]Evaluating job-level environment variables
##[debug]Evaluating job container
##[debug]Evaluating job service containers
##[debug]Evaluating job defaults
Prepare all required actions
Getting action download info
Download action repository 'azure/login@v1' (SHA:77f1b2e3fb80c0e8645114159d17008b8a2e475a)
##[debug]Download 'https://api.github.com/repos/Azure/login/tarball/77f1b2e3fb80c0e8645114159d17008b8a2e475a' to '/home/runner/work/_actions/_temp_5c21a1e8-26b6-49b3-b7d2-57ac257f52ab/81f04949-9deb-4db9-8f61-85f5d9325dc1.tar.gz'
##[debug]Unwrap 'Azure-login-77f1b2e' to '/home/runner/work/_actions/azure/login/v1'
##[debug]Archive '/home/runner/work/_actions/_temp_5c21a1e8-26b6-49b3-b7d2-57ac257f52ab/81f04949-9deb-4db9-8f61-85f5d9325dc1.tar.gz' has been unzipped into '/home/runner/work/_actions/azure/login/v1'.
Download action repository 'azure/CLI@v1' (SHA:4b58c946a0f48d82cc2b6e31c0d15a6604859554)
##[debug]Download 'https://api.github.com/repos/Azure/cli/tarball/4b58c946a0f48d82cc2b6e31c0d15a6604859554' to '/home/runner/work/_actions/_temp_c97edde7-4df4-436b-aaf7-8c203335fbb1/6e4ef207-2f69-4e10-9797-3b81a700d055.tar.gz'
##[debug]Unwrap 'Azure-cli-4b58c94' to '/home/runner/work/_actions/azure/CLI/v1'
##[debug]Archive '/home/runner/work/_actions/_temp_c97edde7-4df4-436b-aaf7-8c203335fbb1/6e4ef207-2f69-4e10-9797-3b81a700d055.tar.gz' has been unzipped into '/home/runner/work/_actions/azure/CLI/v1'.
Download action repository 'hashicorp/[email protected]' (SHA:0451f06f9f705768363122da079f46746e31bfe4)
##[debug]Download 'https://api.github.com/repos/hashicorp/vault-action/tarball/0451f06f9f705768363122da079f46746e31bfe4' to '/home/runner/work/_actions/_temp_12ba28c9-739d-44d8-832b-1b5293184e42/814bbbd3-7ac4-4c2d-bf40-43c3652d5ee9.tar.gz'
##[debug]Unwrap 'hashicorp-vault-action-0451f06' to '/home/runner/work/_actions/hashicorp/vault-action/v2.3.0'
##[debug]Archive '/home/runner/work/_actions/_temp_12ba28c9-739d-44d8-832b-1b5293184e42/814bbbd3-7ac4-4c2d-bf40-43c3652d5ee9.tar.gz' has been unzipped into '/home/runner/work/_actions/hashicorp/vault-action/v2.3.0'.
##[debug]action.yml for action: '/home/runner/work/_actions/azure/login/v1/action.yml'.
##[debug]action.yml for action: '/home/runner/work/_actions/azure/CLI/v1/action.yml'.
##[debug]action.yml for action: '/home/runner/work/_actions/hashicorp/vault-action/v2.3.0/action.yml'.
##[debug]Set step '__azure_login' display name to: 'Run azure/login@v1'
##[debug]Set step '__run' display name to: 'Run az account show'
##[debug]Set step 'azure_auth' display name to: 'Azure CLI script file'
##[debug]Set step '__hashicorp_vault-action' display name to: 'Import Secrets'
##[debug]Collect running processes for tracking orphan processes.
##[debug]Finishing: Set up job
14s
##[debug]Evaluating condition for step: 'Run azure/login@v1'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run azure/login@v1
##[debug]Loading inputs
##[debug]Evaluating: format('{{"clientId": "{0}","clientSecret":"{1}","subscriptionId":"{2}","tenantId":"{3}"}}', secrets.ARM_CLIENT_ID, secrets.ARM_CLIENT_SECRET, secrets.ARM_SUBSCRIPTION_ID, secrets.ARM_TENANT_ID)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '{{"clientId": "{0}","clientSecret":"{1}","subscriptionId":"{2}","tenantId":"{3}"}}'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_CLIENT_ID'
##[debug]..=> '***'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_CLIENT_SECRET'
##[debug]..=> '***'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_SUBSCRIPTION_ID'
##[debug]..=> '***'
##[debug]..Evaluating Index:
##[debug]....Evaluating secrets:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'ARM_TENANT_ID'
##[debug]..=> '***'
##[debug]=> '{"clientId": "***","clientSecret":"***","subscriptionId":"***","tenantId":"***"}'
##[debug]Result: '{"clientId": "***","clientSecret":"***","subscriptionId":"***","tenantId":"***"}'
##[debug]Loading env
Run azure/login@v1
##[debug]az cli version used:
##[debug]azure-cli 2.27.1
##[debug]
##[debug]core 2.27.1
##[debug]telemetry 1.0.6
##[debug]
##[debug]Extensions:
##[debug]azure-devops 0.20.0
##[debug]
##[debug]Python location '/opt/az/bin/python3'
##[debug]Extensions directory '/opt/az/azcliextensions'
##[debug]
##[debug]Python (Linux) 3.6.10 (default, Aug 11 2021, 02:41:08)
##[debug][GCC 9.3.0]
##[debug]
##[debug]Legal docs and information: aka.ms/AzureCliLegal
##[debug]
##[debug]
##[debug]Your CLI is up-to-date.
##[debug]
::add-mask::***
##[debug]Cannot find key: $.resourceManagerEndpointUrl
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Login successful.
##[debug]Node Action run completed with exit code 0
##[debug]AZURE_HTTP_USER_AGENT='GITHUBACTIONS/AzureLogin@v1_Cloud-3-0/vault-azure-auth'
##[debug]AZUREPS_HOST_ENVIRONMENT='GITHUBACTIONS/AzureLogin@v1_Cloud-3-0/vault-azure-auth'
##[debug]AZURE_HTTP_USER_AGENT=''
##[debug]AZUREPS_HOST_ENVIRONMENT=''
##[debug]Finishing: Run azure/login@v1
0s
##[debug]Evaluating condition for step: 'Run az account show'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run az account show
##[debug]Loading inputs
##[debug]Loading env
Run az account show
##[debug]/usr/bin/bash -e /home/runner/work/_temp/fb09b562-9d1d-443f-b223-d5dfac58ec9a.sh
{
"environmentName": "AzureCloud",
"homeTenantId": "***",
"id": "***",
"isDefault": true,
"managedByTenants": [],
"name": "my-azure-subscription",
"state": "Enabled",
"tenantId": "***",
"user": {
"name": "***",
"type": "servicePrincipal"
}
}
##[debug]Finishing: Run az account show
26s
##[debug]Evaluating condition for step: 'Azure CLI script file'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Azure CLI script file
##[debug]Loading inputs
##[debug]Loading env
Run azure/CLI@v1
Starting script execution via docker image mcr.microsoft.com/azure-cli:2.0.72
::add-mask::***
::set-output name=JWT::***
##[debug]steps.azure_auth.outputs.JWT='***'
az script ran successfully.
cleaning up container...
MICROSOFT_AZURE_CLI_1629437136645_CONTAINER
##[debug]Node Action run completed with exit code 0
##[debug]Finishing: Azure CLI script file
0s
##[debug]Evaluating condition for step: 'Import Secrets'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Import Secrets
##[debug]Loading inputs
##[debug]Evaluating: steps.azure_auth.outputs.JWT
##[debug]Evaluating Index:
##[debug]..Evaluating Index:
##[debug]....Evaluating Index:
##[debug]......Evaluating steps:
##[debug]......=> Object
##[debug]......Evaluating String:
##[debug]......=> 'azure_auth'
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'outputs'
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'JWT'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run hashicorp/[email protected]
with:
url: https://myvault.com
method: jwt
role: myrole
jwtPrivateKey: ***
secrets: secret/mypath/mysecret mykey
exportToken: true
kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
exportEnv: true
tlsSkipVerify: false
jwtTtl: 3600
env:
AZURE_HTTP_USER_AGENT:
AZUREPS_HOST_ENVIRONMENT:
::group::Get Vault Secrets
Get Vault Secrets
::endgroup::
Error: not supported argument
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Import Secrets
0s
##[debug]Starting: Complete job
Cleaning up orphan processes
##[debug]Finishing: Complete job
Additional context
If there are other suggested ways of achieving the same results, I am open. My end goal will actually be to pass the vault token to TFE, but I am testing secrets retrieval while I'm at it (and see another open enhancement request for being able to get token only w/o secrets retrieval).
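As an added illustration (not vault-action's code), the following models the input-handling failure the reporter hypothesises: a default filled in for one auth method (kubernetesTokenPath) reaching a login of a different method (jwt). Input names follow the `with:` block in the log; the per-method allow-list, the error text and the sample values are assumptions constructed for this example.

```javascript
// Added example, not vault-action's code. Per-method input allow-list is an assumption
// modelled on the inputs visible in the report's log.
const METHOD_INPUTS = {
  jwt:        { required: ['role', 'jwtPrivateKey'],       optional: ['jwtTtl'] },
  kubernetes: { required: ['role', 'kubernetesTokenPath'], optional: [] },
  token:      { required: ['token'],                       optional: [] },
};

// Rejects any key the selected method does not declare, reproducing the kind of
// "not supported argument" failure the reporter saw.
function validateAuthArgs(method, args) {
  const spec = METHOD_INPUTS[method];
  if (!spec) throw new Error(`unknown auth method: ${method}`);
  const allowed = new Set([...spec.required, ...spec.optional]);
  for (const key of Object.keys(args)) {
    if (!allowed.has(key)) throw new Error(`not supported argument: ${key}`);
  }
  for (const key of spec.required) {
    if (!(key in args)) throw new Error(`missing required input: ${key}`);
  }
  return args;
}

// Buggy variant: forwards every non-empty input to the auth step, so a default that
// action.yml fills in for another method (kubernetesTokenPath) reaches a jwt login.
function buildAuthArgsNaive(inputs) {
  const { method, url, secrets, exportToken, exportEnv, tlsSkipVerify, ...rest } = inputs;
  const args = Object.fromEntries(
    Object.entries(rest).filter(([, v]) => v !== '' && v != null));
  return validateAuthArgs(method, args);
}

// Fixed variant: reads only the inputs the selected method declares, so unrelated
// defaults are ignored regardless of what the runner injected.
function buildAuthArgs(inputs) {
  const spec = METHOD_INPUTS[inputs.method];
  if (!spec) throw new Error(`unknown auth method: ${inputs.method}`);
  const args = {};
  for (const key of [...spec.required, ...spec.optional]) {
    if (inputs[key] !== undefined && inputs[key] !== '') args[key] = inputs[key];
  }
  return validateAuthArgs(inputs.method, args);
}

// Constructed inputs shaped like the 'with:' block in the log; secret values are placeholders.
const REPORTED_INPUTS = {
  url: 'https://myvault.com', method: 'jwt', role: 'myrole',
  jwtPrivateKey: 'placeholder-jwt', secrets: 'secret/mypath/mysecret mykey',
  exportToken: 'true', exportEnv: 'true', tlsSkipVerify: 'false', jwtTtl: '3600',
  kubernetesTokenPath: '/var/run/secrets/kubernetes.io/serviceaccount/token',
};
```

Running `buildAuthArgsNaive(REPORTED_INPUTS)` throws on kubernetesTokenPath, while `buildAuthArgs(REPORTED_INPUTS)` returns only the jwt-relevant inputs.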
We have the same issue with Azure Service Principal and JWT token authentication.
My workaround is to use plain vault cli to login and get the token/secrets.