remote.vault adds "data" to the url at the wrong position

[PatMis16]

What's wrong?

When using remote.vault in the alloy configuration, w have the issue, that "data" is added to toe URL twice:

solution/grafana-it/kv/alloy/it10

becomes to

solution/data/grafana-it/kv/alloy/it10

However, it should be

solution/grafana-it/kv/data/alloy/it10

Because the url is wrong, we get

Error: it10:11:5: Failed to build component: building component: failed to get token: error encountered while reading secret at solution/data/grafana-it/kv/alloy/it10: Error making API request.

URL: GET https://<redacted>/v1/solution/data/grafana-it/kv/alloy/it10
Code: 403. Errors:

* 1 error occurred:
        * permission denied



Error: it10:24:57: field "oracle_padasa_int" does not exist

Steps to reproduce

We use the following configuration:

remote.vault "oracle_secret" {
        server = "https://<redacted>"
        path = "solution/grafana-it/kv/alloy/it10"

        auth.approle {
            role_id = "<redacted>"
            secret = "<redacted>"
            mount_path = "approle"
        } 
    }

System information

Ubuntu 22.04.4 LTS running on WSL2

Software version

Grafana Alloy version v1.3.1 (branch: HEAD, revision: e4979b2)

Configuration

remote.vault "oracle_secret" {
        server = "https://<redacted>"
        path = "solution/grafana-it/kv/alloy/it10"

        auth.approle {
            role_id = "<redacted>"
            secret = "<redacted>"
            mount_path = "approle"
        } 
    }

Logs

Error: it10:11:5: Failed to build component: building component: failed to get token: error encountered while reading secret at solution/data/grafana-it/kv/alloy/it10: Error making API request.

URL: GET https://<redacted>/v1/solution/data/grafana-it/kv/alloy/it10
Code: 403. Errors:

* 1 error occurred:
        * permission denied



Error: it10:24:57: field "oracle_padasa_int" does not exist

[fnerdwq]

having exactly the same error here -> it might be better to split the parameters into path and secret explicitly

This split is the problem
https://github.com/grafana/alloy/blob/v1.3.1/internal/component/remote/vault/client.go#L23

[PatMis16]

@fnerdwq
So in the file internal/component/remote/vault/vault.go a variable for the secret would have to be added:

// Arguments configures remote.vault.
type Arguments struct {
	Server    string `alloy:"server,attr"`
	Namespace string `alloy:"namespace,attr,optional"`

	Path string `alloy:"path,attr"`
	Secret string `alloy:"secret,attr"`

	RereadFrequency time.Duration `alloy:"reread_frequency,attr,optional"`

	ClientOptions ClientOptions `alloy:"client_options,block,optional"`

	// The user *must* provide exactly one Auth blocks. This must be a slice
	// because the enum flag requires a slice and being tagged as optional.
	//
	// TODO(rfratto): allow the enum flag to be used with a non-slice type.

	Auth []AuthArguments `alloy:"auth,enum,optional"`
}

Then in the file internal/component/remote/client.go we have to read both vars:

func (ks *kvStore) Read(ctx context.Context, args *Arguments) (*vault.Secret, error) {
	kv := ks.c.KVv2(args.Path)
	kvSecret, err := kv.Get(ctx, args.Secret)
	if err != nil {
		return nil, err
	}

	// kvSecret.Data contains unwrapped data. Let's assign that to the raw secret
	// and return it. This is a bit of a hack, but should work just fine.
	kvSecret.Raw.Data = kvSecret.Data
	return kvSecret.Raw, nil
}

What do you think?

[PatMis16]

I built it locally and it seems to work. Can simply fork an create a PR for that?

[fnerdwq]

@PatMis16 yes thanks, this look perfectly right. Just wondering about the naming. Probably instead of secrets (I know, I suggested it myself...) the parameter key would be better? See https://developer.hashicorp.com/vault/docs/commands/kv/get

A "secret" is read under a "path" with given "key". What do you think?

[PatMis16]

@fnerdwq You might be right. I change that accordingly.