"vault-cli get" doesn't return YAML formatted value when secret isn't a string #96

Open
pilou- opened this issue Jul 8, 2019 · 8 comments

Comments

@pilou-
Contributor

pilou- commented Jul 8, 2019

vault-cli get doesn't return a YAML-formatted value when the secret isn't a string.

When the secret value isn't a string, the output of vault get secret should be the same as the output of vault get --yaml secret.

Reproducer1 (tested with Python 3.6.8)

$ cat test.json 
{
  "foo": "bar",
  "train": [1,2,3,4],
  "GNU": {
    "Linux": {
      "Debian": "Buster"
    }
  }
}
$ cat test.json | vault set --stdin secret
Done
$ vault get secret
{
  "foo": "bar",
  "train": [1,2,3,4],
  "GNU": {
    "Linux": {
      "Debian": "Buster"
    }
  }
}
$ vault get --text secret
{
  "foo": "bar",
  "train": [1,2,3,4],
  "GNU": {
    "Linux": {
      "Debian": "Buster"
    }
  }
}
$ vault get --yaml secret
--- "{\n  \"foo\": \"bar\",\n  \"train\": [1,2,3,4],\n  \"GNU\": {\n    \"Linux\"\
  : {\n      \"Debian\": \"Buster\"\n    }\n  }\n}"

Reproducer2 (tested with Python 3.6.8)

$ cat test.json 
{
  "value": {
    "foo": "bar",
    "train": [1,2,3,4],
    "GNU": {
      "Linux": {
        "Debian": "Buster"
      }
    }
  }
}
$ cat test.json | vault kv put secret/testproject/secret value=- # "official" vault binary used here
$ vault kv get -format=yaml secret/testproject/secret # official vault binary used here
data:
  value: |
    {
      "value": {
        "foo": "bar",
        "train": [1,2,3,4],
        "GNU": {
          "Linux": {
            "Debian": "Buster"
          }
        }
      }
    }
$ vault get secret #  vault-cli binary used here
{
  "value": {
    "foo": "bar",
    "train": [1,2,3,4],
    "GNU": {
      "Linux": {
        "Debian": "Buster"
      }
    }
  }
}
$ vault get --text secret # vault-cli binary used here
{
  "value": {
    "foo": "bar",
    "train": [1,2,3,4],
    "GNU": {
      "Linux": {
        "Debian": "Buster"
      }
    }
  }
}
$ vault get --yaml secret  # vault-cli binary used here
--- "{\n  \"value\": {\n    \"foo\": \"bar\",\n    \"train\": [1,2,3,4],\n    \"GNU\"\
  : {\n      \"Linux\": {\n        \"Debian\": \"Buster\"\n      }\n    }\n  }\n}\n"

It looks like force_yaml is always false (secret is always a string).

@mgu
Contributor

mgu commented Jul 10, 2019

It works fine with vault set --yaml --stdin secret.
Are you sure there is a bug?

@pilou-
Contributor Author

pilou- commented Jul 11, 2019

> it works fine with vault set --yaml --stdin secret.

What about the Reproducer1 scenario? Could you share a working example?

@mgu
Contributor

mgu commented Jul 12, 2019

(vault-cli) kael@consoude ~/dev/vault-cli (git:master)% cat test.json                                                                                                                                           [0]
{
  "foo": "bar",
  "train": [1,2,3,4],
  "GNU": {
    "Linux": {
      "Debian": "Buster"
    }
  }
}
(vault-cli) kael@consoude ~/dev/vault-cli (git:master)% vault set --stdin --yaml secret < test.json                                                                                                             [0]
Done
(vault-cli) kael@consoude ~/dev/vault-cli (git:master)% vault get secret                                                                                                                                        [0]
---
GNU:
  Linux:
    Debian: Buster
foo: bar
train:
- 1
- 2
- 3
- 4
(vault-cli) kael@consoude ~/dev/vault-cli (git:master)% vault get --text secret                                                                                                                                 [0]
---
GNU:
  Linux:
    Debian: Buster
foo: bar
train:
- 1
- 2
- 3
- 4
(vault-cli) kael@consoude ~/dev/vault-cli (git:master)% vault get --yaml secret                                                                                                                                 [0]
---
GNU:
  Linux:
    Debian: Buster
foo: bar
train:
- 1
- 2
- 3
- 4

@ewjoachim
Contributor

ewjoachim commented Jul 15, 2019

Yep, without --yaml in set, input is always assumed to be a string. Maybe we should make it clearer in the docs?

@ewjoachim
Contributor

I'll close this for now, please feel free to re-open if there's still a problem.

@pilou-
Contributor Author

pilou- commented Jul 19, 2019

What about the 2nd example?

@ewjoachim
Contributor

Oh, maybe I didn't understand your point then.

@ewjoachim ewjoachim reopened this Jul 19, 2019
@ewjoachim
Contributor

It looks like the official vault binary always writes as a string, and will try to read as a complex object only when writing.

The ticket says:

> "vault-cli get" doesn't return YAML formatted value when secret isn't a string

I think we're not in this case. The secret is a string, because with the official vault command, it seems to always be a string.

Given that the Vault API supports arbitrary JSON types when reading and writing, the fact that the official vault command decides to limit itself to storing strings seems weird, and I'm yet to be convinced we're not doing the right thing.

What would you have us do? Should the secrets [] (a real list) and "[]" (a string list) be treated the same when read with vault get --yaml? This would mean that if it's a string, we try to yaml.safe_load on the fly, and if that doesn't crash, then we yaml-dump the result?
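
The parse-on-read heuristic raised in the last comment, sketched as an added example (not vault-cli's code and not written by any participant in this thread) to show which stored strings would change type when read. The names `SAMPLE`, `reparse_if_string` and `changed_by_heuristic` are hypothetical, the secrets are constructed, and `json.loads` stands in for `yaml.safe_load` when PyYAML is not installed.

```python
import json

try:
    import yaml  # PyYAML, whose safe_load the comment above refers to
    _load, _errors = yaml.safe_load, (yaml.YAMLError,)
except ImportError:
    # Assumption for this example only: without PyYAML, json.loads stands in.
    # It reinterprets the sample strings below the same way.
    _load, _errors = json.loads, (ValueError,)

# Constructed sample secrets, as a Vault API read could return them.
SAMPLE = {
    "list_real": [],              # written as a real list
    "list_string": "[]",          # written as the two-character string
    "pin": "1234",                # numeric-looking string
    "flag": "true",               # boolean-looking string
    "password": "hunter2",        # plain string
    "blob": '{"foo": "bar"}',     # JSON document stored as a string
}


def reparse_if_string(value):
    """Heuristic under discussion: parse string secrets on the fly."""
    if not isinstance(value, str):
        return value
    try:
        return _load(value)
    except _errors:
        return value  # not parseable: keep the original string


def changed_by_heuristic(secrets):
    """Map name -> (stored type, type after reparse) for secrets whose type changes."""
    changed = {}
    for name, stored in secrets.items():
        read = reparse_if_string(stored)
        if type(read) is not type(stored):
            changed[name] = (type(stored).__name__, type(read).__name__)
    return changed


if __name__ == "__main__":
    for name, (before, after) in changed_by_heuristic(SAMPLE).items():
        print(f"{name}: stored as {before}, read back as {after}")
    # The real list and the string "[]" can no longer be told apart:
    print(reparse_if_string(SAMPLE["list_real"]) == reparse_if_string(SAMPLE["list_string"]))
```

Under this heuristic a string secret such as "1234" or "true" is read back with a different type than it was stored with, which matters to any consumer that compares the value or writes it back.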
