Using a variable within consul-template template annotation

Hello,

I am trying to use a variable within my template when using annotations to render my secret file.

I have:

        vault.hashicorp.com/agent-inject-template-parameters.yml: |
          {{- with secret "kv/default/restricted/service/empty" -}}
          {{- $globalSecret := printf "{{ with secret \"kv/devops/restricted/service-global\" }}{{ index .Data.data \"nr.license\" }}{{- end }}" }}
          db:
            database: '{{ index .Data.data "parameters.yml/db.database" }}'
            host: test.abcd.com
          NRTEST: {{ $globalSecret }}
          {{- end }}

I am able to get the database to render from Vault, but for NRTEST, it renders exactly as written:

        NRTEST: {{ with secret "kv/devops/restricted/service-global" }}{{ index .Data.data "nr.license" }}{{- end }}

Instead, I am trying to get it to render the actual secret from kv/devops/restricted/service-global. I’ve tried different variations without success.

Any advice appreciated

Thank you

Try replacing this line…

          {{- $globalSecret := printf "{{ with secret \"kv/devops/restricted/service-global\" }}{{ index .Data.data \"nr.license\" }}{{- end }}" }}

With this…

          {{- $globalService :=  secret "kv/devops/restricted/service-global" -}}
          {{- $globalSecret := index $globalService.Data.data "nr.license" -}}

That might get you what you want, or at least closer.

Let me know if that helps or if you have any other questions. Thanks for using consul-template!

Thank you for your reply. I actually modified this to make it more flexible for our use case.

I changed this to:

        vault.hashicorp.com/agent-inject-template-parameters.yml: |
          {{ $globalSecret :=  }}
          {{- with secret "kv/default/restricted/service/empty" -}}
          {{- with secrets "kv/devops/restricted/service-global" -}}
          {{- $globalSecret = .Data.data }}
          {{- end }}
          db:
            database: '{{ index .Data.data "parameters.yml/db.database" }}'
            host: test.abcd.com
          NRTEST: '{{ index $globalSecret "nr.license" }}'
          {{- end }}

I’m hoping to pull secrets from the kv/devops/restricted/service-global path only when $globalSecret is defined.

I think my problem now is defining {{ $globalSecret := }} as a list. If I were to set it as a string like "test", it errors out with:

        executing "" at <index $globals "nr.license">: error calling index: cannot index slice/array with type string"

I haven’t found information in the consul-template documentation on initializing a variable of type list, but I did find that a list function is available from the sprig library. However, it says list is not defined when I try to use it in my template.

I’m hoping that config is a viable solution once we figure out the variable type.

I got it working; the solution was rather simple:

        vault.hashicorp.com/agent-inject-template-parameters.yml: |
          
          {{- with secret "kv/default/restricted/service/empty" -}}
          {{ $globalSecret :=  .Data.data }}
          {{- with secrets "kv/devops/restricted/service-global" -}}
          {{- $globalSecret = .Data.data }}
          {{- end }}
          db:
            database: '{{ index .Data.data "parameters.yml/db.database" }}'
            host: test.abcd.com
          NRTEST: '{{ index $globalSecret "nr.license" }}'
          {{- end }}

Great to hear! Thanks for letting me know.
Best of luck.
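
The behaviour discussed in this thread, as an added example that is not part of the original posts or of consul-template itself: consul-template templates use Go's `text/template`, which is single-pass, so a string built with `printf` is emitted as text, while a function result can be stored in a variable and reassigned with `=` inside a nested `with`. Assumptions: `fakeSecret`, `store`, `Render` and the placeholder values are hypothetical stand-ins for Vault and the `secret` function, and an unknown path is modelled as nil.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Secret mirrors the shape the thread's templates index into (.Data.data).
type Secret struct{ Data map[string]interface{} }

// store is constructed sample data standing in for Vault KV v2 paths.
var store = map[string]map[string]interface{}{
	"kv/default/restricted/service/empty": {"parameters.yml/db.database": "appdb", "nr.license": "SERVICE-PLACEHOLDER"},
	"kv/devops/restricted/service-global": {"nr.license": "GLOBAL-PLACEHOLDER"},
}

// fakeSecret is a hypothetical stand-in for `secret`; assumption: unknown path -> nil, so `with` skips.
func fakeSecret(path string) *Secret {
	if d, ok := store[path]; ok {
		return &Secret{Data: map[string]interface{}{"data": d}}
	}
	return nil
}

// Render parses and executes tmpl exactly once, as the template engine does.
func Render(tmpl string) (string, error) {
	t, err := template.New("t").Funcs(template.FuncMap{"secret": fakeSecret}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	err = t.Execute(&b, nil)
	return b.String(), err
}

// Literal: printf only builds a string; the engine never re-parses its output.
const Literal = `{{ $s := printf "{{ with secret \"kv/devops/restricted/service-global\" }}{{ end }}" }}NRTEST: {{ $s }}`

// Direct: call the function and keep its result in a variable.
const Direct = `{{ $g := secret "kv/devops/restricted/service-global" }}NRTEST: {{ index $g.Data.data "nr.license" }}`

// Override: declare $g with := in the outer scope, reassign with = in the inner block (%s is the global path).
const Override = `{{ with secret "kv/default/restricted/service/empty" }}{{ $g := .Data.data }}` +
	`{{ with secret "%s" }}{{ $g = .Data.data }}{{ end }}` +
	`db: {{ index .Data.data "parameters.yml/db.database" }} NRTEST: {{ index $g "nr.license" }}{{ end }}`

func main() {
	for _, t := range []string{Literal, Direct, fmt.Sprintf(Override, "kv/devops/restricted/service-global"), fmt.Sprintf(Override, "kv/missing")} {
		fmt.Println(Render(t))
	}
}
```

When the inner path resolves to nothing, the inner `with` is skipped and `$g` keeps the value assigned in the outer scope, so the rendered file falls back to the service-level value.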