Vault agent on windows server error setting CSR data

We have Windows Server 2019 running vault agent on AWS.
The agent config file uses a ‘template’ like this

{{ with secret "pki_blah/sign/instance" "common_name=instance.domain" "csr=@instance.domain.csr" }}
{{ .Data | toJSON }}
{{ end }}

When we run the agent manually in powershell, we get this back

[WARN] (view) vault.write(pki path)
URL: PUT https://vault_server:8200/v1/pki_blah/sign/instance
Code: 400. Errors:
csr contains no data

We have tried changing the csr= to not use the @, use full windows path, use full path but with / instead of , and even put “csr=TheFullCsrOnOneLine”, but we get the same error every time.

Can anyone see where we’re going wrong with this please?

Nick .

We got this sorted.

In the template we had to specify the CSR with backticks, eg

{{ with secret "pki_blah/sign/instance" "common_name=instance.domain" `csr=---BEGIN etc
--- END Cert` }}
1 Like