
Error passing the token through VAULT_TOKEN environment variable #18

Open
ichasco-heytrade opened this issue Sep 20, 2023 · 5 comments
Open
Labels
bug Something isn't working

Comments

@ichasco-heytrade

ichasco-heytrade commented Sep 20, 2023

What happened?

I have set the VAULT_TOKEN variable in the vault-provider pod with the ControllerConfig and when it tries to create any resources, it fails with the following error:

connect failed: cannot get terraform setup: cannot unmarshal vault credentials as JSON: invalid character 'h' looking for beginning of value

debug log:

upbound-provider-vault-2a17943c61b6-7d4dbf9874-tpxt6 provider-vault 2023-09-20T10:28:45Z	DEBUG	provider-vault	Cannot connect to provider	{"controller": "managed/database.vault.upbound.io/v1alpha1, kind=secretbackendrole", "request": {"name":"vault-test"}, "uid": "77e1fbbb-72f7-4b41-8dde-e3d3eef5eda0", "version": "144799250", "external-name": "", "error": "cannot get terraform setup: cannot unmarshal vault credentials as JSON: invalid character 'h' looking for beginning of value", "errorVerbose": "invalid character 'h' looking for beginning of value\ncannot unmarshal vault credentials as JSON\ngithub.com/upbound/provider-vault/internal/clients.TerraformSetupBuilder.func1\n\tgithub.com/upbound/provider-vault/internal/clients/vault.go:127\ngithub.com/upbound/upjet/pkg/controller.(*Connector).Connect\n\tgithub.com/upbound/[email protected]/pkg/controller/external.go:111\ngithub.com/crossplane/crossplane-runtime/pkg/reconciler/managed.(*NopDisconnecter).Connect\n\tgithub.com/crossplane/[email protected]/pkg/reconciler/managed/reconciler.go:244\ngithub.com/crossplane/crossplane-runtime/pkg/reconciler/managed.(*Reconciler).Reconcile\n\tgithub.com/crossplane/[email protected]/pkg/reconciler/managed/reconciler.go:839\ngithub.com/crossplane/crossplane-runtime/pkg/ratelimiter.(*Reconciler).Reconcile\n\tgithub.com/crossplane/[email protected]/pkg/ratelimiter/reconciler.go:54\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:118\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:314\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:226\nruntime.goexit\n\truntime/asm_amd64.s:1598\ncannot get terraform setup\ngithub.com/upbound/upjet/pkg/controller.(*Connector).Connect\n\tgithub.com/upbound/[email protected]/pkg/controller/external.go:113\ngithub.com/crossplane/crossplane-runtime/pkg/reconciler/managed.(*NopDisconnecter).Connect\n\tgithub.com/crossplane/[email protected]/pkg/reconciler/managed/reconciler.go:244\ngithub.com/crossplane/crossplane-runtime/pkg/reconciler/managed.(*Reconciler).Reconcile\n\tgithub.com/crossplane/[email protected]/pkg/reconciler/managed/reconciler.go:839\ngithub.com/crossplane/crossplane-runtime/pkg/ratelimiter.(*Reconciler).Reconcile\n\tgithub.com/crossplane/[email protected]/pkg/ratelimiter/reconciler.go:54\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:118\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:314\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:226\nruntime.goexit\n\truntime/asm_amd64.s:1598"}

The VAULT_TOKEN has the following value:

hvs.CAESIELojpC89pbRNcYvvgHAPnymw-gw1D8kWVQ2xNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The hvs. prefix is because it is a service token:
https://developer.hashicorp.com/vault/tutorials/tokens/tokens#token-prefix

I am using the xpkg.upbound.io/upbound/provider-vault:v0.3.0 package.

Thanks!

@ichasco-heytrade ichasco-heytrade added the bug Something isn't working label Sep 20, 2023
@haarchri
Member

Did you try to set the token via a secret for the ProviderConfig?
https://github.com/upbound/provider-vault/blob/main/examples/providerconfig/secret.yaml.tmpl#L12

@ichasco-heytrade
Author

Yes, this works. But I want to use the environment mode. Is it possible?
I use dynamic tokens and I need to pass them through the variables.

@zebesh

zebesh commented Jan 30, 2024

Try putting the env data in like this:
{
  "token_name": "crossplane-vault-creds",
  "token": "yourToken"
}
Not only the token.

@ichasco-heytrade
Author

Hi @zebesh could you add an example, please?

Thanks!

@zebesh

zebesh commented Mar 13, 2024

apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: provider-vault
spec:
  deploymentTemplate:
    spec:
      selector: {}
      template:
        metadata:
          annotations:
            linkerd.io/inject: enabled
            vault.hashicorp.com/agent-init-first: 'true'
            vault.hashicorp.com/agent-inject: 'true'
            vault.hashicorp.com/agent-inject-token: 'true'
            vault.hashicorp.com/agent-limits-cpu: '0.05'
            vault.hashicorp.com/agent-pre-populate: 'false'
            vault.hashicorp.com/agent-pre-populate-only: 'false'
            vault.hashicorp.com/agent-requests-cpu: '0.01'
            vault.hashicorp.com/agent-run-as-user: '2000'
            vault.hashicorp.com/log-format: json
            vault.hashicorp.com/role: "crossplane"
            vault.hashicorp.com/agent-inject-secret-vault-token: "auth/token/lookup-self"
            vault.hashicorp.com/agent-inject-template-vault-token: |
              {{- with secret "auth/token/lookup-self" -}}
                {
                  "token_name": "crossplane-vault-creds",
                  "token": "{{ .Data.id }}"
                }
              {{- end }}
  serviceAccountTemplate:
    metadata:
      name: crossplane-vault
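To show why the bare hvs. token fails and what the Agent template above produces, here is an added Go example (not provider-vault's own code): it renders zebesh's template against a constructed auth/token/lookup-self response, using a local stand-in for consul-template's secret function, and then decodes the result the way the provider's error message implies it does (json.Unmarshal into a string map). The lookup-self data and the token value are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Constructed stand-in for Vault's auth/token/lookup-self response;
// only the "id" field matters for the template in the thread.
var lookupSelf = map[string]interface{}{"id": "hvs.CAESIEXAMPLE-CONSTRUCTED-TOKEN"}

// Vault Agent template from the DeploymentRuntimeConfig above, verbatim.
const agentTemplate = `{{- with secret "auth/token/lookup-self" -}}
  {
    "token_name": "crossplane-vault-creds",
    "token": "{{ .Data.id }}"
  }
{{- end }}`

// renderAgentTemplate mimics what the Agent injector writes into the pod.
// "secret" is a local stand-in for consul-template's function of the same
// name (assumption); it returns the constructed lookup-self response.
func renderAgentTemplate() (string, error) {
	funcs := template.FuncMap{
		"secret": func(path string) (map[string]interface{}, error) {
			if path != "auth/token/lookup-self" {
				return nil, fmt.Errorf("no constructed data for %q", path)
			}
			return map[string]interface{}{"Data": lookupSelf}, nil
		},
	}
	t, err := template.New("vault-token").Funcs(funcs).Parse(agentTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// parseProviderCreds decodes credentials as the issue's error implies the
// provider does; a bare "hvs...." value fails with invalid character 'h'.
func parseProviderCreds(raw string) (map[string]string, error) {
	creds := map[string]string{}
	if err := json.Unmarshal([]byte(raw), &creds); err != nil {
		return nil, fmt.Errorf("cannot unmarshal vault credentials as JSON: %w", err)
	}
	if creds["token"] == "" {
		return nil, fmt.Errorf("vault credentials JSON has no \"token\" key")
	}
	return creds, nil
}
```

Feeding the raw token from the issue into parseProviderCreds reproduces the exact error text in the debug log; feeding it the rendered template yields the token_name/token map the provider expects.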
