Terraform v0.8.2
Please list the resources as a list, for example:
```hcl
provider "vault" {
  address         = "http://vault_server:8200"
  skip_tls_verify = true
}

data "vault_generic_secret" "docker" {
  path = "secret/docker"
}

output "secret" {
  value = "${data.vault_generic_secret.docker.data["docker_registry_pwd"]}"
}
```
https://gist.github.com/IevgenKabanets/c16d2e5ef4520921ba05e5a79ee11079
The secret should be read, as it's present in Vault and accessible with curl.
Crashed with * data.vault_generic_secret.docker: unexpected EOF
export VAULT_TOKEN=<root_token or any token>
terraform plan or terraform apply

This works fine:
```
curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" http://vault_server:8200/v1/secret/docker/docker_registry_pwd
```
Also, the error is gone once I read the full path to the entry (secret/docker/docker_registry_pwd)
```hcl
data "vault_generic_secret" "docker" {
  path = "secret/docker/docker_registry_pwd"
}
```
which seems to be wrong, as vault_generic_secret should return a map with possible keys/values.
Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:
After reading this piece of code, it seems that the correct way (it works) to request the value will be
```hcl
data "vault_generic_secret" "docker" {
  path = "secret/docker/docker_registry_pwd"
}

output "secret" {
  value = "${data.vault_generic_secret.docker.data["value"]}"
}
```
Which is not something I understood from docs here.
From it I had a feeling that auth_token is a value at secret/rundeck_auth (reading value of secret/rundeck_auth/auth_token).
Anyway, maybe someone can clarify it in the docs or for me.
Hello,
same issue here.
@mperriere can you use the workaround I've put in a post above? Works fine for now.
Hello,
still have the same error.
Here is the crash.log when executing "terraform plan":
https://gist.github.com/mperriere/87204952a2170bb4f38bee3bb08dbe98
terraform version: 0.8.4 (but same issue with older 0.8.* versions)
the tf file:
```hcl
provider "vault" {
  address         = "http://10.196.14.160:8081/"
  token           = "e1703672-7c1d-97c2-6dee-b3dc0fc8714c"
  ca_cert_file    = "wildcard.zzz-2016-11-14.crt"
  ca_cert_dir     = ".."
  skip_tls_verify = true
}

data "vault_generic_secret" "mypass" {
  path = "secret/neo/rds-passwd"
}

output "my password" {
  value = "${data.vault_generic_secret.mypass.data["value"]}"
}
```
The stored passwd is readable:
```
VAULT_ADDR=http://10.196.14.160:8200 vault read secret/neo/rds-passwd
Key                 Value
refresh_interval    768h0m0s
passwd              ilovevault
```
Another issue is that even with "skip_tls_verify" the ca_cert_dir and ca_cert_file are mandatory (or documentation is not up to date).
Also tried with address http://10.196.14.160:8200 with no success.
ok, i got it:
tf plan -input=false
Errors:
-> those 2 options are mutually exclusive, but mandatory.
new terraform file with ca* removed:
```hcl
provider "vault" {
  address         = "http://10.196.14.160:8200"
  skip_tls_verify = true
}

data "vault_generic_secret" "mypass" {
  path = "secret/neo/rds-passwd"
}

output "my password" {
  value = "${data.vault_generic_secret.mypass.data["Value"]}"
}
```
tf plan -input=false
tf apply -input=false
-> no crash and passwd found in the terraform.tfstate file.
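
The comment above notes that the password ends up in terraform.tfstate. As an added example (not code from this thread or from Terraform), the following Python script audits a state file for `vault_generic_secret` data and for outputs that repeat it. The version-3 state layout and all sample values are assumptions constructed for illustration; only the path and the output name are taken from the thread.

```python
import json

# Constructed sample state (not from the thread). The layout follows the
# version-3 JSON state format and is an assumption of this example.
SAMPLE_STATE = json.dumps({"version": 3, "modules": [{
    "path": ["root"],
    "outputs": {"my password": {"sensitive": False, "type": "string",
                                "value": "constructed-secret"}},
    "resources": {"data.vault_generic_secret.mypass": {
        "type": "vault_generic_secret",
        "primary": {"id": "constructed-id", "attributes": {
            "path": "secret/neo/rds-passwd",
            "data.%": "1",
            "data.value": "constructed-secret",
            "data_json": "{\"value\":\"constructed-secret\"}",
        }},
    }},
}]})


def find_plaintext_vault_secrets(state_text):
    """Return sorted (location, attribute) pairs holding Vault secret data."""
    findings = []
    for module in json.loads(state_text).get("modules", []):
        secret_values = set()
        for name, res in module.get("resources", {}).items():
            if res.get("type") != "vault_generic_secret":
                continue
            attrs = res.get("primary", {}).get("attributes", {})
            for key, value in attrs.items():
                if key == "data_json":
                    findings.append((name, key))
                elif key.startswith("data.") and key != "data.%":
                    # "data.%" is only the element count of the map.
                    findings.append((name, key))
                    secret_values.add(value)
        # An output that repeats a secret value is a second plaintext copy.
        for out_name, out in module.get("outputs", {}).items():
            value = out.get("value")
            if isinstance(value, str) and value in secret_values:
                findings.append(("output." + out_name, "value"))
    return sorted(findings)


if __name__ == "__main__":
    for location, attribute in find_plaintext_vault_secrets(SAMPLE_STATE):
        print(f"{location}: {attribute}")
```

Any finding means the state file, and every backend or artifact store that holds a copy of it, has to be protected like the secret itself.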
I think this was resolved in 0.8.5. Want to check?
checked with 0.8.5, it works now, thanks.
Can the docs be updated before this gets closed?
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.