Issue with Bash Commands in Alpine Images Using ‘hashicorp/vault:lates

Hemanth210 · April 30, 2024, 6:25pm

Description:

Hello GitLab community,

I’m encountering an issue while trying to use Bash commands within Alpine images, specifically when using the hashicorp/vault:latest image. My script is as follows:

stages:
  - read-secrets

variables:
  VAULT_SECRETS: "kv/app/prod:appprod-password,kv/db/prod:dbprod-password"

.authenticate:
  tags:
    - docker
  image: hashicorp/vault:latest
  id_tokens:
    VAULT_AUTH_TOKEN:
      aud: $VAULT_ADDR
  script:
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=$VAULT_AUTH_ROLE jwt=$VAULT_AUTH_TOKEN)"
    - |
      IFS=',' read -ra secrets <<< "$VAULT_SECRETS"
      for secret_info in "${secrets[@]}"; do
        IFS=':' read -r secret_path secret_field <<< "$secret_info"
        echo "Fetching secret for path $secret_path and field $secret_field"
        secret_value="$(vault kv get -field="$secret_field" "$secret_path")"
        echo "Fetched secret value $secret_value"
        export "SECRET_${secret_field^^}"="$secret_value"
      done

read-secrets:
  stage: read-secrets
  extends: .authenticate

The issue arises when attempting to use the Internal Field Separator (IFS) within the hashicorp/vault:latest image. Unfortunately, it seems that IFS is not functioning as expected.

If anyone has encountered a similar problem or has suggestions for resolving this issue, I would greatly appreciate your insights.

Thank you in advance for your assistance!

dnsmichi · April 30, 2024, 6:32pm

AFAIK alpine based images do not provide support for bash as shell, and require to install bash manually.

Something along the lines of the following, untested.

  - apk update
  - apk add bash
  - bash
  - <more code>

Hemanth210 · May 21, 2024, 12:51am

Thanks @dnsmichi. I used awk instead of IFS in my script, and it worked in Alpine images. Below is the code for reference for anyone who encounters the same issue.

    - |
      for secret_info in $VAULT_SECRETS; do
        secret_path=$(echo "$secret_info" | awk -F ':' '{print $1}')
        secret_field=$(echo "$secret_info" | awk -F ':' '{print $2}')
        echo "Fetching secret for: $secret_info"
        echo "Fetching secret value for path $secret_path and field $secret_field"
        vault kv get -field="$secret_field" "$secret_path"
      done

Topic		Replies	Views
ID Token for Hashicorp Vault GitLab CI/CD	0	659	May 15, 2024
HashiCorp Vault Secret Problem GitLab CI/CD	2	3954	May 9, 2023
Secrets fetched from Vault appear empty - what am I missing? GitLab CI/CD	7	2697	January 5, 2022
Vault gitlab 17.x ce and jwt GitLab CI/CD	4	707	July 13, 2024
CI/CD doesn't want to use bash, how to fix GitLab CI/CD	6	5017	February 21, 2024

Issue with Bash Commands in Alpine Images Using ‘hashicorp/vault:lates

Related topics