hashicorp · averche · Nov 23, 2021 · Nov 22, 2021 · Nov 22, 2021 · Nov 22, 2021
@@ -22,13 +22,12 @@ type AppRoleAuth struct {
 var _ api.AuthMethod = (*AppRoleAuth)(nil)
 
 // SecretID is a struct that allows you to specify where your application is
-// storing the secret ID required for login to the AppRole auth method.
+// storing the secret ID required for login to the AppRole auth method. The
+// recommended secure pattern is to use response-wrapping tokens rather than
+// a plaintext value, by passing WithWrappingToken() to NewAppRoleAuth.
+// https://learn.hashicorp.com/tutorials/vault/approle-best-practices?in=vault/auth-methods#secretid-delivery-best-practices
 type SecretID struct {
-	// Path on the file system where a trusted orchestrator has placed the
-	// application's secret ID. The recommended secure pattern is to use
-	// response-wrapping tokens rather than a plaintext value, by passing
-	// WithWrappingToken() to NewAppRoleAuth.
-	// https://learn.hashicorp.com/tutorials/vault/approle-best-practices?in=vault/auth-methods#secretid-delivery-best-practices
+	// Path on the file system where the secret ID can be found.
 	FromFile string
 	// The name of the environment variable containing the application's
 	// secret ID.
@@ -105,31 +104,34 @@ func (a *AppRoleAuth) Login(ctx context.Context, client *api.Client) (*api.Secre
 		"role_id": a.roleID,
 	}
 
-	if a.secretIDFile != "" {
-		secretIDValue, err := a.readSecretIDFromFile()
+	var secretIDValue string
+
+	switch {
+	case a.secretIDFile != "":
+		s, err := a.readSecretIDFromFile()
 		if err != nil {
 			return nil, fmt.Errorf("error reading secret ID: %w", err)
 		}
-
-		// if it was indicated that the value in the file was actually a wrapping
-		// token, unwrap it first
-		if a.unwrap {
-			unwrappedToken, err := client.Logical().Unwrap(secretIDValue)
-			if err != nil {
-				return nil, fmt.Errorf("unable to unwrap token: %w. If the AppRoleAuth struct was initialized with the WithWrappingToken LoginOption, then the secret ID's filepath should be a path to a response-wrapping token", err)
-			}
-			loginData["secret_id"] = unwrappedToken.Data["secret_id"]
-		} else {
-			loginData["secret_id"] = secretIDValue
+		secretIDValue = s
+	case a.secretIDEnv != "":
+		s := os.Getenv(a.secretIDEnv)
+		if s == "" {
+			return nil, fmt.Errorf("secret ID was specified with an environment variable %q with an empty value", a.secretIDEnv)
 		}
-	} else if a.secretIDEnv != "" {
-		secretIDValue := os.Getenv(a.secretIDEnv)
-		if secretIDValue == "" {
-			return nil, fmt.Errorf("secret ID was specified with an environment variable with an empty value")
+		secretIDValue = s
+	default:
+		secretIDValue = a.secretID
+	}
+
+	// if the caller indicated that the value was actually a wrapping token, unwrap it first
+	if a.unwrap {
+		unwrappedToken, err := client.Logical().Unwrap(secretIDValue)
+		if err != nil {
+			return nil, fmt.Errorf("unable to unwrap response wrapping token: %w", err)
 		}
-		loginData["secret_id"] = secretIDValue
+		loginData["secret_id"] = unwrappedToken.Data["secret_id"]
 	} else {
-		loginData["secret_id"] = a.secretID
+		loginData["secret_id"] = secretIDValue
 	}
 
 	path := fmt.Sprintf("auth/%s/login", a.mountPath)

@@ -0,0 +1,3 @@
+```release-note:improvement
+api: respect WithWrappingToken() option during AppRole login authentication when used with secret ID specified from environment or from string
+```