Trouble injecting env variables via vault agent

Hi all, I’m trying to inject a few env variables pulled from the vault.

I can successfully create an unformatted file with the values I need via
vault.hashicorp.com/agent-inject-secret-temporal: 'kv/secrets/temporal'

I can start a pod and run cat /vault/secrets/temporal, and I can see the k,v correctly

data: map[aws.key:XXXX aws.secret:YYY …]

but when I am trying to format it so:

vault.hashicorp.com/agent-inject-template-temporal: |
  {{ with secret "kv/secrets/temporal" -}}
  export AWS_ACCESS_KEY_ID="{{ .Data.data.aws.key }}"
  export AWS_SECRET_ACCESS_KEY="{{ .Data.data.aws.secret }}"
  {{- end }}

the pod doesn’t start and I get the following error:
│ 2022-11-29T15:45:06.985Z [ERROR] template.server: template server error: error="(dynamic): execute: template: :2:40: executing "" at <.Data.data.aws.key>: nil pointer evaluating interface {}.key"

Please help :)

The . character is special in Go template syntax.

As a result, you’re trying to access data that looks like:

{
  "data": {
    "aws": {
      "key": "...",
      "secret": "..."
    }
  }
}

I’d suggest you avoid using . characters in your secrets.

If you can’t, you’re going to have to use some odder syntax as a workaround:

{{ with secret "kv/secrets/temporal" -}}
export AWS_ACCESS_KEY_ID="{{ index .Data.data "aws.key" }}"
export AWS_SECRET_ACCESS_KEY="{{ index .Data.data "aws.secret" }}"
{{- end }}
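Added example, not part of the original thread: a stand-alone Go program that runs both template forms from the posts through Go's `text/template` against a constructed secret with dotted key names, showing the field-chain lookup failing and the `index` form succeeding. The sample values, the `render` helper and the `missingkey=zero` option are assumptions of this example.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Constructed sample mirroring the secret shape from the thread: the keys
// "aws.key" and "aws.secret" contain a literal dot. Values are placeholders.
var secret = map[string]any{
	"Data": map[string]any{
		"data": map[string]any{
			"aws.key":    "constructed-key-id",
			"aws.secret": "constructed-secret",
		},
	},
}

// dotted is parsed as the chain Data -> data -> aws -> key; no "aws" map exists.
const dotted = `export AWS_ACCESS_KEY_ID="{{ .Data.data.aws.key }}"`

// indexed looks up the single map key "aws.key" by its full name.
const indexed = `export AWS_ACCESS_KEY_ID="{{ index .Data.data "aws.key" }}"`

// render executes src against the sample secret. missingkey=zero is an
// assumption of this example: a missing map key becomes a nil interface
// value, so the next field access fails with the error text seen in the thread.
func render(src string) (string, error) {
	t, err := template.New("").Option("missingkey=zero").Parse(src)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, secret); err != nil {
		return "", err // discard partial output on failure
	}
	return out.String(), nil
}

func main() {
	for _, src := range []string{dotted, indexed} {
		out, err := render(src)
		fmt.Printf("template: %s\n  output: %q\n  error:  %v\n", src, out, err)
	}
}
```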

amazing ! thanks so much!