database secrets engine create_role broken #458

Closed
drewmullen opened this issue May 31, 2019 · 9 comments

drewmullen commented May 31, 2019

```python
print(client.secrets.database.create_role(name='tester', db_name='test', creation_statements=[]))
```

error: Exception: empty database name attribute

```
vault list database/config
Keys
----
test
```

```
Exception has occurred: SystemExit
1
  File "/Users/dmullen/venv/lib/python3.7/site-packages/ansible/module_utils/basic.py", line 2370, in fail_json
    sys.exit(1)
  File "/Users/dmullen/venv/lib/python3.7/site-packages/ansible/modules/hashivault/hashivault_db_secret_engine_role.py", line 117, in main
    module.fail_json(**result)
  File "/Users/dmullen/venv/lib/python3.7/site-packages/ansible/modules/hashivault/hashivault_db_secret_engine_role.py", line 192, in <module>
    main()
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 263, in run_path
    pkg_name=pkg_name, script_name=fname)
```

@drewmullen

```
curl -X POST -H 'X-Vault-Token: <redacted>' --data @db-role-payload.json -k $VAULT_ADDR/v1/database/roles/tester
```

```
$ cat db-role-payload.json
{
      "creation_statements": [],
      "revocation_statements": [],
      "rollback_statements": "",
      "db_name": "test"
}
```

```
vault read database/roles/tester
Key . Value
----   -----
creation_statements ...
...
```

drewmullen commented May 31, 2019

seems like something is up with the module... investigating

@Dudesons any ideas?

@drewmullen

so it appears as though requests lib sends args at the end of the url, not sure if that's normal or not tbh (see below). @jeffwecan any idea if that's normal?

by the time it gets to requests lib here's some of the

```
prep: '/v1/database/roles/tester?db_name=test&default_ttl=0&max_ttl=0'
send_kwargs: {'allow_redirects': True, 'cert': None, 'proxies': OrderedDict([]), 'stream': False, 'timeout': 30, 'verify': False}
```

and the resp from vault is:

```
rc 400
b'{"errors":["empty database name attribute"]}\n'
```

drewmullen commented May 31, 2019

```
curl -v -i -X POST -H 'X-Vault-Token: <redacted>' -k 'https://vault.example.com:8200/v1/database/roles/tester2?db_name=test&default_ttl=0&max_ttl=0'
```

error: {"errors":["empty database name attribute"]}

😮

@Dudesons did this ever work for you?

drewmullen commented May 31, 2019

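hmm, this is working:

```python
import requests

headers = {"X-Vault-Token": "<redacted>"}  # token header, as in the curl calls above
payload = {"db_name":"test","max_ttl":0,"default_ttl":0, "creation_statement":[]}
# verify=False skips TLS certificate verification, like curl -k above
r = requests.post("https://vault.example.com:8200/v1/database/roles/tester3", headers=headers, json=payload, verify=False)
print(r)
```

```
<Response [204]>
```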

drewmullen commented May 31, 2019

i think maybe this should be json. testing now

drewmullen commented May 31, 2019

yeah that's it.

also, several functions attempt to return a json object but shouldn't. i tested as many as i can. referencing the hashi docs where i cannot test (rotate_root_credentials)
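
The diagnosis in the comments above, as an added example that is not part of the original thread and not hvac's code: the same role payload built once as a URL query string and once as a JSON body, then run through a constructed stand-in for the roles endpoint that, like the responses quoted in this thread, reads `db_name` from the JSON body only. It uses the standard library's `urllib` so it runs without dependencies (in `requests` the corresponding arguments are `params=` and `json=`); the function names and the stub are hypothetical.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://vault.example.com:8200/v1/database/roles/tester"  # host as used in the thread


def build_query_request(payload):
    """Broken shape: payload URL-encoded onto the path, nothing in the body."""
    url = BASE + "?" + urllib.parse.urlencode(payload)
    return urllib.request.Request(url, data=b"", method="POST")


def build_json_request(payload):
    """Working shape: clean URL, payload serialized as the JSON body."""
    body = json.dumps(payload).encode("utf-8")
    headers = {"Content-Type": "application/json"}
    return urllib.request.Request(BASE, data=body, headers=headers, method="POST")


def stub_roles_endpoint(req):
    """Constructed stand-in for the server side, modelled on the responses
    quoted in the thread: only the JSON body is consulted for db_name."""
    try:
        fields = json.loads(req.data) if req.data else {}
    except ValueError:
        fields = {}
    if not isinstance(fields, dict) or not fields.get("db_name"):
        return 400, {"errors": ["empty database name attribute"]}
    return 204, None


def describe(req):
    """Summarize where the parameters ended up in the request."""
    parts = urllib.parse.urlsplit(req.full_url)
    return {"path": parts.path, "query": parts.query, "body": req.data.decode("utf-8")}


if __name__ == "__main__":
    payload = {"db_name": "test", "default_ttl": 0, "max_ttl": 0}  # constructed sample
    for build in (build_query_request, build_json_request):
        req = build(payload)
        print(build.__name__, describe(req), stub_roles_endpoint(req))
```

A check like `describe(req)["query"] == ""` on the prepared request is enough to catch this kind of regression in a client's unit tests without a running Vault.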

Dudesons commented Jun 3, 2019

Hi @drewmullen, yes, sorry, I began with some GET requests and forgot to update the requests to JSON params.
Do you want to do the pull request, or I can fix that and add documentation (#453)?

drewmullen commented Jun 3, 2019

@Dudesons all fixed :) #457

I'm probably not going to do the docs tbh. have a few things piling up RN
