Hi,
I'm having a very strange problem populating pillar items from Vault.
I can retrieve a username or I can retrieve a password within pillar SLS
but I cannot retrieve them both in the same file.
I bumped into this issue and applied its workaround.
This is my pillar SLS file in question:
[root@tuna ~]# cat /srv/pillar/srv1_access.sls
user1:
{% set username = salt['sdb.get']('sdb://myvault/salt/data/user1/username') %}
username: {{ username }}
{% set password = salt['sdb.get']('sdb://myvault/salt/data/user1/password') %}
password: {{ password }}
Remove lines 4-5 and the username is returned in the pillar, or remove lines 2-3 and the password is returned in the pillar, but having all lines in the file results in an error.
[root@tuna ~]# cat /srv/pillar/srv1_access.sls
user:
{% set username = salt['sdb.get']('sdb://myvault/salt/data/user1/username') %}
username: {{ username }}
[root@tuna ~]# salt tuna.t* pillar.items
tuna.t...:
----------
user:
----------
username:
test
[root@tuna ~]# cat /srv/pillar/srv1_access.sls
user:
{% set password = salt['sdb.get']('sdb://myvault/salt/data/user1/password') %}
password: {{ password }}
[root@tuna ~]# salt tuna.t* pillar.items
tuna.t...:
----------
user:
----------
password:
p4ssw0rd
[root@tuna ~]# cat /srv/pillar/srv1_access.sls
user:
{% set username = salt['sdb.get']('sdb://myvault/salt/data/user1/username') %}
username: {{ username }}
{% set password = salt['sdb.get']('sdb://myvault/salt/data/user1/password') %}
password: {{ password }}
[root@tuna ~]# salt tuna.t* pillar.items
tuna.t...:
----------
_errors:
- Rendering SLS 'srv1_access' failed. Please see master log for details.
I wonder if this could possibly be related to the bug I found and applied a workaround for. Does anyone have any suggestion to get past this issue?
/var/log/salt/master stack traces produce errors when reporting errors so I won't post those here.
I've been at this for a while and tried many different things including different ways of putting data into Vault, different ways of retrieving data from Vault, and token auth rather than approle described in the guide. Restarting over with the guide's solution, I just noticed that /var/log/salt/master includes v1 in the error message when I try to retrieve both settings.
Vault is using kv version 2 so I wonder if fetching a single value correctly uses v2 but trying to get both somehow switches to v1 for the second value which is the one producing the error.
---
user:
{% set username = salt['sdb.get']('sdb://myvault/salt/data/user1/username') %}
username: {{ username }}
{% set password = salt['sdb.get']('sdb://myvault/salt/data/user1/password') %} <======================
password: {{ password }}
---
2021-10-17 10:20:37,315 [salt.pillar :1209][CRITICAL][11339] Pillar render error: Rendering SLS 'srv1_access' failed. Please see master log for details.
Thanks,
Darren
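
Added example, not part of the original post and not Salt's code: Vault's HTTP API prefixes every request path with /v1/ whichever KV engine version a mount uses, so the KV version shows in the `data/` path segment and in the nesting of the response. The sketch assumes a mount named `salt` holding a secret `user1` (inferred from the path in the post), that the last segment of the sdb URI is the key, and uses constructed response bodies.

```python
import json

def split_sdb_uri(uri):
    """Split sdb://<profile>/<path>/<key>; assumes the last segment is the key."""
    if not uri.startswith("sdb://"):
        raise ValueError("not an sdb URI: %r" % uri)
    profile, _, rest = uri[len("sdb://"):].partition("/")
    path, sep, key = rest.rpartition("/")
    if not (profile and sep and path and key):
        raise ValueError("expected sdb://<profile>/<path>/<key>")
    return profile, path, key

def api_path(mount, secret, kv_version):
    """Read path on Vault's HTTP API; '/v1/' is the API version, not the KV version."""
    if kv_version == 1:
        return "/v1/%s/%s" % (mount, secret)
    if kv_version == 2:
        return "/v1/%s/data/%s" % (mount, secret)  # KV v2 inserts 'data/'
    raise ValueError("unsupported KV version: %r" % kv_version)

def read_key(body, key, kv_version):
    """Pull one key out of a read response, honouring the KV version's nesting."""
    data = json.loads(body)["data"]
    if kv_version == 2:
        data = data["data"]  # v2 wraps the secret beside its 'metadata'
    if key not in data:
        raise KeyError("%r not found; keys present: %s" % (key, sorted(data)))
    return data[key]

# Constructed response bodies (not captured from a real server).
KV1_BODY = json.dumps({"data": {"username": "test", "password": "p4ssw0rd"}})
KV2_BODY = json.dumps({"data": {"data": {"username": "test", "password": "p4ssw0rd"},
                                "metadata": {"version": 1}}})

if __name__ == "__main__":
    profile, path, key = split_sdb_uri("sdb://myvault/salt/data/user1/username")
    print(profile, path, key)
    print(api_path("salt", "user1", 1), api_path("salt", "user1", 2))
    print(read_key(KV2_BODY, "username", 2), read_key(KV1_BODY, "password", 1))
    try:
        read_key(KV2_BODY, "username", 1)  # v1 parsing applied to a v2 body
    except KeyError as exc:
        print("mismatch:", exc)
```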