Vault in dev mode clobbers the .vault-token file #1861

Closed
ekristen opened this issue Sep 6, 2016 · 5 comments · Fixed by #7104

Comments

@ekristen
Contributor

ekristen commented Sep 6, 2016

I noticed something today while working with a local vault dev instance for testing, it seems that even though I am running the following command:

VAULT_ADDR=http://localhost:8200 VAULT_TOKEN="UUID" vault write secret/test value="testing"

The CLI then writes the token to the ~/.vault-token file overwriting my primary token that I use for my production vault setup.

It seems to me that if the ENV var is present ~/.vault-token should not be read from or written to.

What do you think @jefferai

@jefferai
Member

jefferai commented Sep 8, 2016

Non-reproducible for me (and as a side note, I use this workflow all the time and have never seen this):

$ cat .vault-token
root

$ vault token-create 
Key             Value
---             -----
token           a26a9e5e-2acf-3ddb-9f32-9b0590d25186
token_accessor  d22f1523-3eea-d75d-2b4e-7acfa44fdc54
token_duration  0s
token_renewable false
token_policies  [root]

$ VAULT_TOKEN=a26a9e5e-2acf-3ddb-9f32-9b0590d25186 vault write secret/test value="testing"
Success! Data written to: secret/test

$ cat .vault-token
root

@ekristen
Contributor Author

ekristen commented Sep 8, 2016

My mistake @jefferai, you are right, it happens slightly differently. I didn't notice until now because I didn't think to cat the .vault-token after every step before.

It seems that the .vault-token file is overwritten automatically regardless if the file exists or not when you run vault server -dev.

Personally, I find this behavior undesirable, but looking at the docs, I suppose the "Automatically Authenticated" covers this behavior although it doesn't clearly state that is what it is doing.

@ekristen ekristen changed the title from "Vault CLI clobbers .vault-token even when VAULT_TOKEN env var is present" to "Vault in dev mode clobbers the .vault-token file" Sep 9, 2016
@vishalnayak
Contributor

Not reproducible and vault server -dev caching the token at ~/.vault-token is an expected behavior. Closing the issue. Reopen if needed.

@stevenschlansker

I just ran into this problem as well -- every time I run my unit tests, I am logged out of Vault CLI.
I can understand why this is a nice first user experience, for vault server -dev to write ~/.vault-token, but if you use -dev for any other purpose (say, unit or integration tests) it quickly ruins your development workflow.

Perhaps there could be additionally a -no-store-token option for unit test runners?

@jefferai
Member

jefferai commented May 8, 2018

PRs welcome. I'd match the flags from vault login.

jsok added a commit to jsok/vault that referenced this issue Jul 11, 2019
When starting a vault dev server the token helper is invoked to store
the dev root token.
This option gives the user the ability to not store the token.

Storing the token can be undesirable in certain circumstances
(e.g.  running local tests) as the user's existing vault token is
clobbered without warning.

Fixes hashicorp#1861
jefferai pushed a commit that referenced this issue Jul 24, 2019
When starting a vault dev server the token helper is invoked to store
the dev root token.
This option gives the user the ability to not store the token.

Storing the token can be undesirable in certain circumstances
(e.g.  running local tests) as the user's existing vault token is
clobbered without warning.

Fixes #1861
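
A guard for the test-runner workflow discussed in this thread, as an added example that is not part of the original issue or of Vault's code: it runs a command with HOME pointed at a throwaway directory and then checks that the real ~/.vault-token is unchanged. It assumes the default token helper resolves ~/.vault-token from the HOME environment variable; `run_isolated`, `token_digest` and the script name in the usage comment are hypothetical names.

```shell
#!/bin/sh
# Added example, not Vault project code.
# Assumption: the process that stores the dev root token locates
# ~/.vault-token through the HOME environment variable.

# token_digest FILE: print a change-detection digest of FILE, or "absent".
# cksum is used only to notice modification; the token is never copied.
token_digest() {
    if [ -f "$1" ]; then
        cksum < "$1"
    else
        echo absent
    fi
}

# run_isolated CMD [ARGS...]
# Runs CMD with HOME set to a scratch directory, so a write to
# "$HOME/.vault-token" lands there instead of in the real home.
# Returns CMD's exit status, 98 if no scratch directory could be
# created, or 99 if the real token file changed anyway.
run_isolated() {
    real_token="$HOME/.vault-token"
    before=$(token_digest "$real_token")
    scratch=$(mktemp -d) || return 98

    status=0
    # Subshell: the HOME override never leaks into the calling shell.
    ( HOME="$scratch"; export HOME; "$@" ) || status=$?

    # The scratch directory may now hold a root token for the dev server.
    rm -rf "$scratch"

    after=$(token_digest "$real_token")
    if [ "$before" != "$after" ]; then
        echo "warning: $real_token changed while running: $*" >&2
        return 99
    fi
    return "$status"
}

# Usage (hypothetical script that starts `vault server -dev` for tests):
#   run_isolated ./run-integration-tests.sh
```
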