You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Support for vault namespaces was not considered in the original design and then added later. It was added by cat'ing together VAULT_ADDR + VAULT_NAMESPACE and using the combined value as the primary key when storing in the OS's credential store.
The problem is that you cannot combine these two values to form a valid URL. This resulted in errors when running vault-token-helper list --extended (workaround/fix in #23).
The workaround implemented may not be correct for all possible VAULT_ADDR values. It works by parsing the combined URL and assuming any Path value is the VAULT_NAMESPACE. This is likely to work for the majority of cases but would fail if the VAULT_ADDR contained a legit /path.
I'm not sure if it is even valid for VAULT_ADDR to contain a path. If not, then this is moot.
A more robust solution would involve storing VAULT_ADDR and VAULT_NAMESPACE separately in the credential store. This may cause some issues with some OS's credential stores. During initial development I ran into some strange issues with (IIRC) the gnome keyring where it would duplicate rather than update existing entries depending on the format of the entry's title.
First, determine if VAULT_ADDR containing a path element is valid. If not, then this is likely moot and we can close this.
Update to store VAULT_ADDR and VAULT_NAMESPACE
Ensure backwards compatibility:
When encountering a keychain item of the previous format, upgrade to the new format
The text was updated successfully, but these errors were encountered:
Followup from #21, #23
Support for vault namespaces was not considered in the original design and then added later. It was added by cat'ing together
VAULT_ADDR + VAULT_NAMESPACEand using the combined value as the primary key when storing in the OS's credential store.The problem is that you cannot combine these two values to form a valid URL. This resulted in errors when running
vault-token-helper list --extended(workaround/fix in #23).The workaround implemented may not be correct for all possible
VAULT_ADDRvalues. It works by parsing the combined URL and assuming anyPathvalue is theVAULT_NAMESPACE. This is likely to work for the majority of cases but would fail if theVAULT_ADDRcontained a legit/path.I'm not sure if it is even valid for
VAULT_ADDRto contain a path. If not, then this is moot.A more robust solution would involve storing
VAULT_ADDRandVAULT_NAMESPACEseparately in the credential store. This may cause some issues with some OS's credential stores. During initial development I ran into some strange issues with (IIRC) the gnome keyring where it would duplicate rather than update existing entries depending on the format of the entry's title.VAULT_ADDRcontaining a path element is valid. If not, then this is likely moot and we can close this.VAULT_ADDRandVAULT_NAMESPACEThe text was updated successfully, but these errors were encountered: