Sending Arbitrary Headers in CLI #8754
Comments
+1 |
+1 here. Use case: Vault protected with Google Identity-Aware Proxy |
Additional use case: our instance of Vault is running in GCP CloudRun. We have set restricted access policies that only allow the right services/developers to access Vault, however this requires manually setting the bearer token. We've tried utilizing the

Non-working example:

```bash
function vault-curl() {
  curl_command="$(vault ${@} -output-curl-string)"
  curl_command="${curl_command#curl }"
  curl -v --fail -H "Authorization: Bearer $(gcloud auth print-identity-token)" $(echo -n "${curl_command}")
}
vault-curl operator generate-root -init
```

Being able to directly set arbitrary headers would prevent bash-war-crimes like the snippet above from being committed. |
hashicorp#10824 rebased with naming changed to that of hashicorp#5006 Fixes hashicorp#4982 and meets one use case mentioned in hashicorp#8754
+1, we wanted to copy secrets in vault which is behind CloudFlare and it is not convenient at the moment to use the HTTP API for human operators. Having this option through the Vault CLI will be helpful 👍 |
+1 |
Is your feature request related to a problem? Please describe.
When trying to access Vault through Cloudflare Access (or anything else which behaves like a reverse proxy) it is possible, via the HTTP API, to include required headers so that the requests to Vault can pass through the proxy. Without the headers, the proxy denies the request which never makes it to Vault. Currently, setting headers for CLI commands does not appear possible - so it becomes impossible to use the CLI when Vault sits behind a reverse proxy which checks headers.
Describe the solution you'd like
Since the Vault CLI just uses the Vault HTTP API, it would be nice if it was possible to similarly specify the same request headers in the CLI. I imagine this could be accomplished with multiple `-header headername:headervalue` flags, potentially in addition to an env variable `VAULT_HEADERS=header1:value1 header2:value2` where the header string is split by spaces, and in name:value pairs separated by colons.
Describe alternatives you've considered
Again, this is possible when using the HTTP API, so this is always an option. But given that the CLI is discoverable and less verbose to work with, it is the preferred way of interacting with Vault for human operators.
Additional context
I've created a PR for the terraform Vault provider which allows the Terraform Vault provider to allow arbitrary headers to be passed to it. hashicorp/terraform-provider-vault#730. This request would accomplish something similar for the CLI.
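A sketch of a parser for the `VAULT_HEADERS` format proposed in this issue, added here as an example; it is not code from the issue author or from Vault. The function names and the sample header names and values are assumptions constructed for illustration. It shows that cutting at the first colon keeps values such as URLs intact, while a value containing a space (for example a `Bearer` token) cannot be expressed in the space-separated form.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// parseHeaders is a hypothetical helper (not Vault's code). It parses the
// format proposed in the issue: space-separated name:value pairs.
// strings.Fields splits on all whitespace, so CR/LF never reaches a value.
func parseHeaders(s string) (http.Header, error) {
	h := http.Header{}
	for _, pair := range strings.Fields(s) {
		// Cut at the first colon only, so values such as URLs keep theirs.
		name, value, ok := strings.Cut(pair, ":")
		if !ok || name == "" {
			return nil, fmt.Errorf("malformed header %q, want name:value", pair)
		}
		if !validName(name) {
			return nil, fmt.Errorf("invalid header name %q", name)
		}
		h.Add(name, value)
	}
	return h, nil
}

// validName accepts only the RFC 7230 token characters allowed in a field name.
func validName(name string) bool {
	for _, r := range name {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case strings.ContainsRune("!#$%&'*+-.^_`|~", r):
		default:
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample input, including a value that contains colons.
	h, err := parseHeaders("X-Proxy-Id:abc X-Origin:https://example.com:8200")
	fmt.Println(h, err)
	// A value with a space is split into two fields; the second is rejected.
	_, err = parseHeaders("Authorization:Bearer tok123")
	fmt.Println(err)
}
```

A repeated per-header flag, as also proposed in the issue, does not have the space limitation because each header arrives as its own argument.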