New attribute alias_name_source was added to the "Create Role" request by the following change in Vault 1.9.0:
auth/kubernetes: Add ability to configure entity alias names based on the serviceaccount's namespace and name. #110 #112 [GH-12633]
Problem Description
Assume we had a Role configured prior to Vault 1.9.0. Obviously the existing Roles do not have this new attribute stored in the configuration. When sending a "Read Role" request for such a Role with the missing attribute, the output will look like
Note that alias_name_source has value "" and not the default value serviceaccount_uid.
Note also that "" is not a valid choice. Valid choices are: serviceaccount_uid, serviceaccount_name.
This can cause problems when one attempts to apply a change to an existing Role by copying the data from the "Read Role" response, and using it as input for the "Create Role" request. It contains the invalid parameter "alias_name_source": "" which will fail with HTTP/1.1 400 Bad Request
{
  "errors": [
    "invalid alias_name_source, must be one of: serviceaccount_uid, serviceaccount_name"
  ]
}
Expected behavior
One of the following alternatives:
1. Return "alias_name_source": "serviceaccount_uid".
2. Do not return the alias_name_source attribute in the "Read Role" response.
Maybe (1) is better, since that is aligned with how the Role would get stored now if creating a Role from scratch on Vault 1.9+, without specifying the attribute in Create Role.
Hi @tsaarni, sorry to hear that you ran into this issue. A quick workaround would be to omit data.alias_name_source from your input. The subsequent read will have data.alias_name_source set to the default.
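The workaround above as an added example (not part of the issue thread and not Vault's own code): a helper that turns a "Read Role" response into a "Create Role" body, dropping an empty alias_name_source and rejecting any value outside the two valid choices before it reaches the server. The function name and the sample response, including its role fields, are constructed for illustration.

```python
import json

# The two values the issue lists as valid for alias_name_source.
VALID_ALIAS_NAME_SOURCES = {"serviceaccount_uid", "serviceaccount_name"}


def role_write_payload(read_response, changes=None):
    """Build a "Create Role" body from a "Read Role" response.

    read_response: parsed JSON of the read, with the role under "data".
    changes: fields to override before writing the role back.
    """
    data = read_response.get("data")
    if not isinstance(data, dict):
        raise ValueError('read response has no "data" object')

    payload = dict(data)          # copy, so the read response is not mutated
    payload.update(changes or {})

    source = payload.get("alias_name_source")
    if source in (None, ""):
        # Role stored before 1.9.0: omit the field so the server applies
        # its default instead of rejecting "" with 400 Bad Request.
        payload.pop("alias_name_source", None)
    elif source not in VALID_ALIAS_NAME_SOURCES:
        raise ValueError(f"invalid alias_name_source: {source!r}")
    return payload


# Constructed sample of a read response for a role created before 1.9.0.
LEGACY_READ = json.loads("""
{
  "data": {
    "alias_name_source": "",
    "bound_service_account_names": ["app"],
    "bound_service_account_namespaces": ["prod"],
    "token_policies": ["app-read"],
    "token_ttl": 3600
  }
}
""")

if __name__ == "__main__":
    body = role_write_payload(LEGACY_READ, {"token_ttl": 1800})
    print(json.dumps(body, indent=2, sort_keys=True))
```

An explicitly set, valid alias_name_source is passed through unchanged, so a role that already uses serviceaccount_name keeps its alias naming on write-back.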