Issue with vault-ruby gem and AppRole configuration

We are using Vault with the Consul backend in a HA configuration (3x Vault and 3x Consul).
All our Vault policies and auth endpoints are managed by custom Puppet types and providers leveraging the vault-ruby gem to write the config. A Puppet manifest configuring an AppRole might look like this:

vault_approle { 'my_approle':
  ensure          => 'present',
  # the address must be a quoted string in Puppet
  vault_address   => 'https://active.vault.service.consul:8200',
  role_id         => 'my_approle',
  options         => {
    'policies'              => ['default', 'my_approle_read'],
    'secret_id_bound_cidrs' => ['10.XX.XX.XX/32'],
    'token_bound_cidrs'     => ['10.XX.XX.XX/32'],
    'token_max_ttl'         => 300,
    'token_num_uses'        => 10,
    'token_ttl'             => 300,
  },
  require         => [
    Vault_auth['approle'],
    Vault_policy['my_approle_read'],
  ],
}

The issue we are seeing is that all AppRoles are created and work as expected but are reconfigured on each Puppet run. This is due to the subnet mask being stripped from the configured ‘token_bound_cidrs’, as shown in the Puppet run output below:

Notice: /Stage[main]/Profiles::Vault_configuration/Vault_approle[my_approle]/options: options changed {
  'policies' => ['default', 'my_approle_read'],
  'secret_id_bound_cidrs' => ['10.XX.XX.XX/32'],
  'token_bound_cidrs' => ['10.XX.XX.XX'],
  'token_max_ttl' => 300,
  'token_num_uses' => 50,
  'token_ttl' => 300
} to {
  'secret_id_num_uses' => 0,
  'token_num_uses' => 50,
  'token_ttl' => 300,
  'token_max_ttl' => 300,
  'policies' => ['default', 'my_approle_read'],
  'secret_id_bound_cidrs' => ['10.XX.XX.XX/32'],
  'token_bound_cidrs' => ['10.XX.XX.XX/32']
} (corrective)

The Puppet provider accepts a hash of AppRole options; these are presented to the vault-ruby gem exactly as they are written in the Puppet manifest.

I’m trying to work out why the /32 is being stripped from the ‘token_bound_cidrs’ option. One thing I have noticed is that the Vault AppRole API lists the following options:

  • secret_id_bound_cidrs
  • token_bound_cidrs

The vault-ruby ‘approle.rb’, on the other hand, does not have the above options but does have the following:

  • bound_cidr_list
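The corrective change above is a presentation difference, not a semantic one: ‘10.XX.XX.XX’ and ‘10.XX.XX.XX/32’ describe the same single host, yet a provider that compares the hashes literally will see drift and issue a write on every run. The following is an added example (not code from the original post, from the poster's Puppet provider, or from the vault-ruby gem) of the kind of "in sync?" check such a provider can perform: it canonicalises every CIDR with Ruby's IPAddr before comparing, ignores keys that only the server reports (such as the ‘secret_id_num_uses’ default), and still flags real drift, including the case where a bound-CIDR restriction has been dropped entirely. The sample hashes are constructed for the example, with placeholder addresses; the key names match the Vault AppRole API, but the helper functions are assumptions of this example and not part of any library.

```ruby
require "ipaddr"

# Option keys whose values are lists of CIDRs and need canonicalising
# before comparison (names as used by the Vault AppRole API).
CIDR_KEYS = %w[secret_id_bound_cidrs token_bound_cidrs].freeze

# Render an address or CIDR in canonical "addr/prefix" form so that
# "10.0.0.5" and "10.0.0.5/32" compare equal.  A bare IPv4 address becomes
# /32 and a bare IPv6 address /128 (IPAddr's own defaults); host bits in a
# network CIDR are cleared by IPAddr.  Malformed input raises
# IPAddr::InvalidAddressError rather than being silently accepted.
def canonical_cidr(str)
  ip = IPAddr.new(str.to_s.strip)
  "#{ip}/#{ip.prefix}"
end

# Normalise an options hash for comparison: string keys, sorted CIDR lists in
# canonical form, other arrays sorted as strings, scalars left untouched.
def normalize_options(opts)
  opts.each_with_object({}) do |(k, v), out|
    key = k.to_s
    out[key] = if CIDR_KEYS.include?(key)
                 Array(v).map { |c| canonical_cidr(c) }.sort
               elsif v.is_a?(Array)
                 v.map(&:to_s).sort
               else
                 v
               end
  end
end

# Keys in the desired (manifest) hash whose value differs from what the
# server reports, after normalisation.  Only desired keys are compared, so
# values the server adds on its own (e.g. secret_id_num_uses => 0) do not
# count as drift.  An empty result means the provider should not write.
def drifted_keys(desired, reported)
  d = normalize_options(desired)
  r = normalize_options(reported)
  d.keys.reject { |k| d[k] == r[k] }
end

# Constructed sample data (placeholder addresses, not from the original post).
DESIRED_OPTIONS = {
  "policies"              => ["default", "my_approle_read"],
  "secret_id_bound_cidrs" => ["10.0.0.5/32"],
  "token_bound_cidrs"     => ["10.0.0.5/32"],
  "token_max_ttl"         => 300,
  "token_num_uses"        => 10,
  "token_ttl"             => 300,
}.freeze

# What a read-back might report: an extra server default, a different list
# order, and the /32 suffix missing from token_bound_cidrs.
REPORTED_OPTIONS = {
  "secret_id_num_uses"    => 0,
  "policies"              => ["my_approle_read", "default"],
  "secret_id_bound_cidrs" => ["10.0.0.5/32"],
  "token_bound_cidrs"     => ["10.0.0.5"],
  "token_max_ttl"         => 300,
  "token_num_uses"        => 10,
  "token_ttl"             => 300,
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "drift: #{drifted_keys(DESIRED_OPTIONS, REPORTED_OPTIONS).inspect}"
  loosened = REPORTED_OPTIONS.merge("token_bound_cidrs" => [])
  puts "drift after restriction dropped: #{drifted_keys(DESIRED_OPTIONS, loosened).inspect}"
end
```

The important property for a security control like bound CIDRs is that normalisation only collapses equivalent spellings: a changed address, a wider network, or an emptied list still shows up as drift and triggers the corrective write.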

Hi @synaptis!

I recommend opening an issue at https://github.com/hashicorp/vault-ruby.
It looks like vault-ruby is currently missing that API option.

Cheers,
Michel