How to use raw data from vault

I’m trying to add the vault PKI CA cert to ca-certificates.crt on my hosts so they trust the vault generated certs.

I’m using this template:

{{ with secret "pki/ca/pem" }}
{{ . }}
{{ end }}

However I get this error: 2020/02/27 20:08:54.607664 [WARN] (view) invalid character '-' in numeric literal (retry attempt 1 after "250ms")

I’m guessing that it’s expecting the normal vault data structure back from the API call, however that endpoint returns a raw PEM file so the JSON decode is failing.

Is there a way to get consul-template to not try to decode raw data?

It’s a little annoying that vault is inconsistent like this.



Why don’t you use vault agent template instead?

Or maybe I understood something wrong from your consul-template comment… :thinking:

Reading that page and looking at the examples it appears as though I’ll have the same issue. It’s expecting the fetched data to be a JSON document and in the case of pki/ca/pem it doesn’t return JSON.

Probably a bit late to the party, but I’m writing this in case somebody else would stumble across this:

pki/ca/pem is indeed the raw response (which you, in a template, don’t want)
What you do want is:
pki/cert/ca (or crl) which returns the data you are looking for (and doesn’t throw this error)

In your template you’d see something like {{ .Data.certificate }}
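
The difference between the two endpoints discussed in this thread, as an added Go example that is not part of the original posts: it feeds a raw PEM body (as returned by pki/ca/pem) and a JSON secret (as returned by pki/cert/ca) through the same JSON decode step and reproduces the error from the question. The helper names `caFromResponse` and `sampleJSON` are hypothetical, and the sample PEM is constructed placeholder data, not a real certificate.

```go
package main

import (
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// Constructed sample: the PEM body is placeholder bytes, not a real CA certificate.
const samplePEM = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQgc2FtcGxl\n-----END CERTIFICATE-----\n"

// vaultSecret covers only the part of the JSON envelope that the template
// expression .Data.certificate reads.
type vaultSecret struct {
	Data struct {
		Certificate string `json:"certificate"`
	} `json:"data"`
}

// caFromResponse (hypothetical helper) decodes a response body as a JSON
// secret and checks that data.certificate holds a PEM CERTIFICATE block
// before it is written anywhere near a trust store.
func caFromResponse(body []byte) (string, error) {
	var s vaultSecret
	if err := json.Unmarshal(body, &s); err != nil {
		return "", fmt.Errorf("not a JSON secret: %w", err)
	}
	block, _ := pem.Decode([]byte(s.Data.Certificate))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("data.certificate is not a PEM certificate")
	}
	return s.Data.Certificate, nil
}

// sampleJSON builds a constructed body shaped like a pki/cert/ca response.
func sampleJSON() []byte {
	b, _ := json.Marshal(map[string]map[string]string{"data": {"certificate": samplePEM}})
	return b
}

func main() {
	_, err := caFromResponse([]byte(samplePEM)) // raw body, as from pki/ca/pem
	fmt.Println("pki/ca/pem :", err)
	cert, err := caFromResponse(sampleJSON()) // JSON body, as from pki/cert/ca
	fmt.Println("pki/cert/ca:", err)
	fmt.Print(cert)
}
```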