Secret from Vault is truncated at #


david goodine
Feb 20, 2019, 5:40:09 PM
to Nomad
We have a nomad cluster integrated with Hashi Vault.  A job has been configured to get secret values for docker environment variables from Vault.  This works, except in this one case where the secret value contains "#".  In this case, when the deployed docker container is inspected, the value of the envar is missing the "#" and everything after it.

Is there a way to update the vault template stanza to allow this secret value to be properly assigned to a docker container environment variable?

template snippet:
[%with secret "di-secrets/data/application/exports_ds9"%]
SQLSERVER_PASSWORD=[%.Data.data.SQLSERVER_PASSWORD%]
SQLSERVER_USER=[%.Data.data.SQLSERVER_USER%]
[%end%]

The SQLSERVER_PASSWORD secret has the "#" in it.

--Dave

Michael Schurter
Feb 20, 2019, 6:17:33 PM
to david goodine, Nomad
Hi David,

If you're using the template stanza's env = true setting to set environment variables from Consul keys, you'll need to quote the variables in your template. By default Nomad treats #s in environment templates as the beginning of a comment. Quoting the variable prevents that behavior. For example:

     template {
       data = <<EOF
FOO="{{ key "foo" }}"
BROKEN={{ key "foo" }}
EOF
       destination = "local/conf.env"
       env = true
     }

If the Consul key foo = "abc#123", then you would have the following environment variables in your task:

FOO=abc#123
BROKEN=abc

Since BROKEN lacks quotes it treats the #123 as a comment and drops it.

I hope this helps! Full example job file here: https://gist.github.com/schmichael/2b17350963d1b1be4ad95bf83eb241ce


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/nomad/issues
IRC: #nomad-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Nomad" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nomad-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nomad-tool/9c89dc35-9758-481f-8cea-2c3f1cc18a6d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

david goodine
Feb 21, 2019, 11:20:41 AM
to Nomad
Michael,

Thank you for your reply - that works perfectly!  I am updating our internal documentation so developers will always double quote the value returned from Vault, e.g.:
      SQLSERVER_PASSWORD="[%.Data.data.SQLSERVER_PASSWORD%]"
      SQLSERVER_USER="[%.Data.data.SQLSERVER_USER%]"



-- Dave

Michael Schurter
Feb 21, 2019, 11:35:47 AM
to david goodine, Nomad
I realized my suggestion unfortunately fails if passwords can contain quotes (") or backslashes (\) which would cause escape semantics. You can see the full format here: https://github.com/hashicorp/go-envparse#format

Single quotes (') don't support escape sequences, so if your passwords don't contain single quotes use them:

SQLSERVER_PASSWORD='[%.Data.data.SQLSERVER_PASSWORD%]'

However if your passwords may contain any character you may have to resort to JSON encoding/decoding them:

SQLSERVER_PASSWORD=[%.Data.data.SQLSERVER_PASSWORD | toJSON%]

That requires JSON decoding in your application to convert escaped characters (\", \', etc) back into their literal forms (", ', etc).

This is obviously an unfortunate amount of complexity. I think a better approach for Nomad's parser would be to split on the first "=" and read the rest of the line in as a literal. Please feel free to open a GitHub issue if you'd like to see this improved in the future!
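The three quoting rules discussed in this thread, as an added example that is not part of the original posts and not the code of Nomad or go-envparse: parseEnvLine is a hypothetical, simplified model of the env-file rules as described above (unquoted values end at the first "#", single quotes are literal, double quotes process escapes), and renderEnvValue applies the advice to pick single quotes when the secret has none and a JSON string otherwise. The secrets it round-trips are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// parseEnvLine models the env-file rules the thread describes (simplified, not
// the real go-envparse parser): unquoted values stop at '#', single-quoted
// values are literal, double-quoted values have backslash escapes processed.
func parseEnvLine(line string) (key, val string, err error) {
	parts := strings.SplitN(line, "=", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("no '=' in %q", line)
	}
	key, v := parts[0], strings.TrimSpace(parts[1])
	switch {
	case strings.HasPrefix(v, "'"): // literal up to the next single quote
		end := strings.Index(v[1:], "'")
		if end < 0 {
			return "", "", fmt.Errorf("unterminated single quote in %q", line)
		}
		return key, v[1 : end+1], nil
	case strings.HasPrefix(v, `"`): // find the closing unescaped quote, then unescape
		for i := 1; i < len(v); i++ {
			if v[i] == '\\' { i++; continue } // skip the escaped character
			if v[i] == '"' { val, err = strconv.Unquote(v[:i+1]); return key, val, err }
		}
		return "", "", fmt.Errorf("unterminated double quote in %q", line)
	default: // unquoted: '#' starts a comment, the rest of the line is dropped
		if i := strings.Index(v, "#"); i >= 0 { v = v[:i] }
		return key, strings.TrimSpace(v), nil
	}
}

// renderEnvValue applies the thread's advice: single quotes when the secret
// contains none (nothing is escaped), otherwise a JSON string that the
// consumer must decode (parseEnvLine's double-quote branch does that here).
func renderEnvValue(secret string) string {
	if !strings.Contains(secret, "'") {
		return "'" + secret + "'"
	}
	b, _ := json.Marshal(secret) // json.Marshal cannot fail for a plain string
	return string(b)
}

func main() {
	for _, secret := range []string{"abc#123", `it's#1`, `p\"q'r`} { // constructed samples
		line := "SQLSERVER_PASSWORD=" + renderEnvValue(secret)
		_, got, err := parseEnvLine(line)
		fmt.Printf("%-36s -> %q err=%v roundtrip=%v\n", line, got, err, got == secret)
	}
}
```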

david goodine
Feb 21, 2019, 12:05:12 PM
to Nomad
Michael,

Thank you for your suggestions, they're very helpful.  I will use single quotes, and open a GitHub issue to update the parser to make the use of arbitrary characters in secrets easier.

--Dave

david goodine
Feb 21, 2019, 12:19:45 PM
to Nomad
Here is the enhancement request: https://github.com/hashicorp/nomad/issues/5347